MTLS - Proof of Possession at the Application Layer

The expensive part of the validation occurs at the handshake. The cheap check occurs on the token validation where you're just comparing a hash to make sure the certificate on the underlying connection presented by the client matches the one that the token was issued to. But that again is relatively inexpensive. That's a good segue into the next part, which I wanted to ask you a little bit about the demonstrating proof of possession at the application layer. They are the deep opportunity to match research on.