[WRAP] Wrap Artifact Binding/Mobile Profile

John Bradley ve7jtb at ve7jtb.com
Tue Feb 16 21:09:42 UTC 2010


We can't force everyone to do artifact. We will still need to support associations in RPs.
We can't just ditch the concept completely.

If we say the Artifact binding is a new binding and not an extension, we can ditch the association handle.
If you want to do a per artifact secret that is fine with me.

It however will cause more divergence between the two bindings.

One is tempted to say redirect is the binding for 2.0 and artifact will be for v.next.

If the exchange is done over what is arguably a mutually authenticated encrypted channel I should be able to do a LoA 2 profile for OpenID. LoA 3 will probably require an asymmetric signature as well for non-repudiation.

That is why being able to specify a return token type for the assertion may be an advantage.

John B.
On 2010-02-16, at 5:43 PM, Breno de Medeiros wrote:

> On Tue, Feb 16, 2010 at 12:34, Allen Tom <atom at yahoo-inc.com> wrote:
>> [-oauth-wrap-wg -- this conversation seems to be diverting from WRAP and
>> back to OpenID]
>> 
>> In the context of Artifact binding, there does not seem to be any reason to
>> have both an Artifact request and an Association request.
> 
> And generally there will not be ... associations will either be
> omitted (stateless mode) or infrequently combined with artifact. I
> don't think the efficiency concern is relevant.
> 
>> 
>> Also, I believe that one of the requirements for the artifact is that the RP
>> also gets a shared secret that's associated with the artifact in order to
>> convert the Artifact into an Assertion. We might as well combine them both.
> 
> I'd prefer not to. It will make implementation harder, not easier.
> 
>> 
>> Perhaps to make everyone happy - we can just say that Artifact requests
>> SHOULD not use an association handle. Association handles are optional
>> anyway.
> 
> This sounds sensible to me.
> 
>> 
>> Regarding DH - This is not really necessary if the OP only supports HTTPS.
>> 
>> Also - I was proposing that the Artifact/Association be only 1 time use -
>> not a long term association.
>> 
>> Allen
>> 
>> 
> 
> 
> 
> -- 
> --Breno
> 
> +1 (650) 214-1007 desk
> +1 (408) 212-0135 (Grand Central)
> MTV-41-3 : 383-A
> PST (GMT-8) / PDT(GMT-7)
