[Openid-specs-ab] acr text
Michael.Jones at microsoft.com
Sun Jun 2 21:36:46 UTC 2013
A "MUST" wouldn't be consistent with the rest of how we use claims. Where two parties have a private agreement on the meanings of claims, we allow the use of private, unregistered names, per http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-08#section-4.3. I don't think we should absolutely mandate the use of registered names in this case, when we don't anywhere else.
Also, some trust frameworks may experiment with a name before deciding that it's time to register it. We shouldn't make that illegal.
A "SHOULD" is fine.
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Nat Sakimura
Sent: Sunday, June 02, 2013 2:31 PM
To: Bradley John; openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] acr text
Especially to John,
acr text says:
An absolute URI or a registered name<http://openid.bitbucket.org/openid-connect-messages-1_0.html#RFC6711> [RFC6711] MAY be used as an acr value.
Is it really MAY? Is it not MUST?