[Openid-specs-ab] Key-binding and dpop scope

[george at practicalidentity.com]

That makes sense to me; including ‘cnf’ in the scope name. Would we ever want to allow the “key binding” mechanism to use something other than DPoP? If so, and the express purpose is to provide key binding for the id_token, then I’d recommend something like ‘id_token_cnf’.  It’s specific, clear and doesn’t preclude methods other than DPoP to provide the necessary data for the cnf claim.

George Fletcher
Identity Standards Architect
Practical Identity LLC



> On Aug 29, 2025, at 11:00 AM, Dick Hardt <dick.hardt at hello.coop> wrote:
> 
> I have no strong views on the scope name. Open to other ideas / suggestions / opinions!
> 
> Perhaps `cnf` to align with the claim? 
> ᐧ
> 
> On Fri, Aug 29, 2025 at 3:57 PM <george at practicalidentity.com <mailto:george at practicalidentity.com>> wrote:
>> Hi, 
>> 
>> Would it make sense to change the scope name identified in the key-binding spec from something specific like ‘dpop’ to something more generic? e.g. ‘id_token_kb’ ? Or maybe just make clearer that the RP is looking for key bound tokens? e.g. ‘dpop_kb’? I just worry that ‘dpop’ by itself does not communicate the intended behavior.
>> 
>> Thoughts?
>> 
>> George Fletcher
>> Identity Standards Architect
>> Practical Identity LLC
>> 
>> 
>> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20250829/de62c6ec/attachment.htm>