[WRAP] Wrap Artifact Binding/Mobile Profile

Breno de Medeiros breno at google.com
Tue Feb 16 21:11:27 UTC 2010


On Tue, Feb 16, 2010 at 13:09, John Bradley <ve7jtb at ve7jtb.com> wrote:
> We can't force everyone to do artifact.  We will still need to support associations in RPs.
> We can't just ditch the concept completely.
>
> If we say the Artifact binding is a new binding and not an extension, we can ditch the association handle.

I have seen no viable proposal to make it an extension.

> If you want to do a per artifact secret that is fine with me.
>
> It however will cause more divergence between the two bindings.
>
> One is tempted to say redirect is the binding for 2.0 and artifact will be for v.next.
>
> If the exchange is done over what is arguably a mutually authenticated encrypted channel I should be able to do a LoA 2 profile for OpenID. LoA 3 will probably require an asymmetric signature as well for non-repudiation.
>
> That is why being able to specify a return token type for the assertion may be an advantage.
>
> John B.
> On 2010-02-16, at 5:43 PM, Breno de Medeiros wrote:
>
>> On Tue, Feb 16, 2010 at 12:34, Allen Tom <atom at yahoo-inc.com> wrote:
>>> [-oauth-wrap-wg -- this conversation seems to be diverting from WRAP and
>>> back to OpenID]
>>>
>>> In the context of Artifact binding, there does not seem to be any reason to
>>> have both an Artifact request and an Association request.
>>
>> And generally there will not be ... associations will either be
>> omitted (stateless mode) or infrequently combined with artifact. I
>> don't think the efficiency concern is relevant.
>>
>>>
>>> Also, I believe that one of the requirements for the artifact is that the RP
>>> also gets a shared secret that's associated with the artifact in order to
>>> convert the Artifact into an Assertion. We might as well combine them both.
>>
>> I'd prefer not to. It will make implementation harder, not easier.
>>
>>>
>>> Perhaps to make everyone happy - we can just say that Artifact requests
>>> SHOULD not use an association handle. Association handles are optional
>>> anyway.
>>
>> This sounds sensible to me.
>>
>>>
>>> Regarding DH - This is not really necessary if the OP only supports HTTPS.
>>>
>>> Also - I was proposing that the Artifact/Association be only 1 time use -
>>> not a long term association.
>>>
>>> Allen
>>>
>>>
>>
>>
>>
>> --
>> --Breno
>>
>> +1 (650) 214-1007 desk
>> +1 (408) 212-0135 (Grand Central)
>> MTV-41-3 : 383-A
>> PST (GMT-8) / PDT(GMT-7)
>
>
-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)