[Openid-specs-ab] acr text

Mike Jones Michael.Jones at microsoft.com
Sun Jun 2 21:36:46 UTC 2013


A must wouldn't be consistent with the rest of how we use claims.  Where two parties have a private agreement on the meanings of claims, we allow the use of private, unregistered names, per http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-08#section-4.3.  I don't think we should absolutely mandate the use of registered names in this case, when we don't anywhere else.

Also, some trust frameworks may experiment with a name before deciding that it's time to register it.  We shouldn't make that illegal.

A "SHOULD" is fine.

                                                            -- Mike

From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Nat Sakimura
Sent: Sunday, June 02, 2013 2:31 PM
To: Bradley John; openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] acr text

Especially to John,

acr text says:

 An absolute URI or a registered name<http://openid.bitbucket.org/openid-connect-messages-1_0.html#RFC6711> [RFC6711] MAY be used as an acr value.

Is it really MAY? Is it not MUST?

=nat
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20130602/fb796821/attachment.html>


More information about the Openid-specs-ab mailing list