Problem description
The current CAMARA Identity and Consent Management (ICM) Security Profile lists Demonstration of Proof-of-Possession (DPoP, RFC 9449) as an optional mechanism. However, DPoP by itself does not guarantee request integrity or robust replay prevention.
Limitations of current DPoP usage:
- DPoP binds only the HTTP method and URI, leaving query strings and request bodies unprotected.
- A man-in-the-middle could alter request parameters while maintaining a valid DPoP proof.
- Replay protection through jti is not consistently enforced, leaving APIs open to repeated valid requests.
These gaps pose risks when CAMARA APIs are used in sensitive flows such as payments, provisioning, and consent operations.
Possible evolution
Update the CAMARA ICM Security Profile to explicitly acknowledge these limitations and define a path for ensuring request integrity and replay protection. This will align the security posture of CAMARA APIs with production-grade requirements.
Alternative solution
Additional context
cc: @murthygorty @RamTMO
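To make the two limitations concrete, below is an added example (not code from the CAMARA project or from this issue's author) of the resource-server side claim checks RFC 9449 §4.3 calls for on a DPoP proof, assuming the JWS signature has already been verified against the proof's jwk header by a JOSE library: htu is compared without query or fragment, so an altered query string still passes, while a jti cache bounded by the iat acceptance window rejects a replayed proof. The acceptance window and the in-memory cache are assumptions for illustration.

```python
import time
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# Assumed acceptance window for the proof's iat (clock skew + max proof age).
IAT_WINDOW_SECONDS = 60


def normalize_htu(url: str) -> str:
    """RFC 9449 §4.3: htu is the target URI without query and fragment parts."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, "", ""))


class DpopReplayCache:
    """Remembers seen jti values for as long as their proof could still be accepted."""

    def __init__(self, ttl: int = IAT_WINDOW_SECONDS):
        self.ttl = ttl
        self._seen: Dict[str, float] = {}  # jti -> expiry time

    def first_use(self, jti: str, now: float) -> bool:
        # Evict expired entries so the cache stays bounded by the window.
        self._seen = {j: exp for j, exp in self._seen.items() if exp > now}
        if jti in self._seen:
            return False
        self._seen[jti] = now + self.ttl
        return True


def check_dpop_claims(claims: dict, method: str, request_url: str,
                      cache: DpopReplayCache,
                      now: Optional[float] = None) -> Tuple[bool, str]:
    """Validate the proof's claims against the received request."""
    now = time.time() if now is None else now
    for required in ("jti", "htm", "htu", "iat"):
        if required not in claims:
            return False, f"missing {required}"
    if claims["htm"] != method.upper():
        return False, "htm mismatch"
    # Only scheme, host and path are bound: the query string and body are not.
    if normalize_htu(claims["htu"]) != normalize_htu(request_url):
        return False, "htu mismatch"
    if abs(now - claims["iat"]) > IAT_WINDOW_SECONDS:
        return False, "iat outside acceptance window"
    # Replay protection only exists if every server instance enforces jti uniqueness.
    if not cache.first_use(claims["jti"], now):
        return False, "jti replay"
    return True, "ok"
```

Without the jti cache, the same proof is accepted a second time even though its query string changed, which is exactly the gap the issue describes.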