
Episode 526: Brian Campbell on Proof-of-Possession Defenses

 2 years ago
source link: https://www.se-radio.net/2022/08/episode-526-brian-campbell-on-proof-of-possession-defenses/


In this episode, Brian Campbell, Distinguished Engineer at Ping Identity, speaks with SE Radio's Priyanka Raghavan about cryptographic defenses against stolen tokens, particularly in the context of the OAuth2 protocol and the kinds of attacks that can plague it. They discuss the concept of "proof of possession" as a defense against such attacks, and where this extra security is worth its additional cost (in banking applications, for example). They then take a deep dive into the OAuth2 mutual-TLS (mTLS) protocol and its two flavors, self-signed certificates and PKI certificates. They conclude with a discussion of the DPoP (Demonstrating Proof-of-Possession) RFC and its suitability for use in the user interface layer, as well as the future of OAuth2, including Google's macaroon tokens.

SE Radio theme: “Broken Reality” by Kevin MacLeod (incompetech.com — Licensed under Creative Commons: By Attribution 3.0)
