A token containing the hash of a public key -- isn't that just a certificate? Why is it better to embed it in a token instead of just issuing the client a certificate? They both provide exactly the same security guarantees, and as you point out the ecosystem support for either is poor, so new development needs to happen either way.
Power management, mobile and firmware developer on Linux. Security developer at Aurora. Ex-biologist. mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer. Also on Mastodon.
![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
no subject
Date: 2022-05-18 07:51 pm (UTC)