Keys for DPoP should be attested to be highly secure

[awoie]

Let's make sure that keys we use for DPoP can be directly attested by the key attestation to be protected by the secure key store of the device (e.g. Secure Element, Secure Enclave etc.).

[Sakurann]

let's also make sure it is optimization and not a requirement in client attestation draft.

[tlodderstedt]

Would that be a DPoP extension?

[Sakurann]

Proposal is to use the following structure as a DPoP JWT to attest the keys DPoP is bound to. Should we add this as an optional extension in HAIP?

{
  "typ":"dpop+jwt",
  "alg":"ES256",
  "jwk": {
    "kty":"EC",
    "x":"l8tFrhx-34tV3hRICRDY9zCkDlpBhF42UQUfWVAWBFs",
    "y":"9VE4jf_Ok_o64zbTTlcuNJajHmt6v9TDVrU0CdvGRDA",
    "crv":"P-256"
  }
  **"attestation" : <key attestation JWT>**
}
.
{
  "jti":"-BwC3ESc6acc2lTc",
  "htm":"POST",
  "htu":"https://server.example.com/token",
  "iat":1562262616
}

[paulbastian]

I support this.

[alenhorvat]

What about x5c?