[WRAP] Wrap Artifact Binding/Mobile Profile
Allen Tom
atom at yahoo-inc.com
Tue Feb 16 20:34:05 UTC 2010
[-oauth-wrap-wg -- this conversation seems to be diverting from WRAP and
back to OpenID]
In the context of Artifact binding, there does not seem to be any reason to
have both an Artifact request and an Association request.
Also, I believe that one of the requirements for the artifact is that the RP
also gets a shared secret that's associated with the artifact in order to
convert the Artifact into an Assertion. We might as well combine them both.
Perhaps to make everyone happy - we can just say that Artifact requests
SHOULD not use an association handle. Association handles are optional
anyway.
Regarding DH - This is not really necessary if the OP only supports HTTPS.
Also - I was proposing that the Artifact/Association be only 1 time use -
not a long term association.
Allen
More information about the specs
mailing list