[WRAP] Wrap Artifact Binding/Mobile Profile
Breno de Medeiros
breno at google.com
Tue Feb 16 20:43:47 UTC 2010
On Tue, Feb 16, 2010 at 12:34, Allen Tom <atom at yahoo-inc.com> wrote:
> [-oauth-wrap-wg -- this conversation seems to be diverting from WRAP and
> back to OpenID]
>
> In the context of Artifact binding, there does not seem to be any reason to
> have both an Artifact request and an Association request.
And generally there will not be ... associations will either be
omitted (stateless mode) or infrequently combined with artifact. I
don't think the efficiency concern is relevant.
>
> Also, I believe that one of the requirements for the artifact is that the RP
> also gets a shared secret that's associated with the artifact in order to
> convert the Artifact into an Assertion. We might as well combine them both.
I'd prefer not to. It will make implementation harder, not easier.
>
> Perhaps to make everyone happy - we can just say that Artifact requests
> SHOULD not use an association handle. Association handles are optional
> anyway.
This sounds sensible to me.
>
> Regarding DH - This is not really necessary if the OP only supports HTTPS.
>
> Also - I was proposing that the Artifact/Association be only 1 time use -
> not a long term association.
>
> Allen
>
>
--
--Breno
+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)