RFC 8783: Distributed Denial-of-Service Open Threat Signaling (DOTS) Data Channel Specification
- External reference: https://www.rfc-editor.org/rfc/rfc8705.html
Mutual-TLS certificate-bound access tokens ensure that only the party in possession of the private key corresponding to the certificate can utilize the token to access the associated resources. Such a constraint is sometimes referred to as key confirmation, proof-of-possession, or holder-of-key and is unlike the case of the bearer token described in [RFC6750], where any party in possession of the access token can use it to access the associated resources. Binding an access token to the client’s certificate prevents the use of stolen access tokens or replay of access tokens by unauthorized parties.
Mutual-TLS certificate-bound access tokens and mutual-TLS client authentication are distinct mechanisms that are complementary but don’t necessarily need to be deployed or used together.
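The certificate binding described above can be checked at the resource server as in the following added example, which is not part of the original note. RFC 8705 carries the binding in the token's `cnf` claim as `x5t#S256`, the base64url-encoded SHA-256 hash of the DER-encoded client certificate. The function names and the byte strings standing in for certificates are assumptions made for illustration, and the token's signature and expiry are assumed to be validated already.

```python
import base64
import hashlib
import hmac

# Constructed sample data: placeholder byte strings standing in for the
# DER encoding of two X.509 certificates (not real certificates).
CLIENT_CERT_DER = b"constructed-der-bytes-legitimate-client"
OTHER_CERT_DER = b"constructed-der-bytes-some-other-party"


def x5t_s256(cert_der: bytes) -> str:
    """base64url(SHA-256(DER certificate)), padding stripped."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def bind_claims(claims: dict, cert_der: bytes) -> dict:
    """Hypothetical issuer step: record the client's certificate hash in cnf."""
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": x5t_s256(cert_der)}
    return bound


def token_bound_to_cert(claims: dict, presented_cert_der: bytes) -> bool:
    """Resource-server check against the certificate from the mutual-TLS handshake.

    `claims` are assumed to come from an already validated token.
    """
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        # No confirmation claim: this is a plain bearer token, so there is
        # no binding to verify and a binding-only endpoint must refuse it.
        return False
    expected = cnf.get("x5t#S256")
    if not isinstance(expected, str):
        return False
    actual = x5t_s256(presented_cert_der)
    # Constant-time comparison of the two thumbprints.
    return hmac.compare_digest(expected.encode("utf-8"), actual.encode("utf-8"))


if __name__ == "__main__":
    token = bind_claims({"sub": "client-1", "scope": "read"}, CLIENT_CERT_DER)
    print("holder of key:", token_bound_to_cert(token, CLIENT_CERT_DER))
    print("token replayed over another certificate:", token_bound_to_cert(token, OTHER_CERT_DER))
    print("bearer token without cnf:", token_bound_to_cert({"sub": "client-1"}, CLIENT_CERT_DER))
```

The check only has meaning when the presented certificate bytes are taken from the TLS layer after the handshake has proven possession of the private key, not from a client-supplied header that an intermediary does not control.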