Hi Brian,

On 16 Mar 2010, at 10:51 AM, Brian Eaton wrote:

> We didn't talk about the signed identity claims use case. Some
> background on that is in this thread:
>
> http://www.ietf.org/mail-archive/web/oauth/current/msg00530.html
>
> Paul - does OpenSocial still need signed identity claims?
>
> Eve - does UMA still need signed identity claims, or are you handling
> that outside of the OAuth spec?

UMA's core protocol is agnostic as to the format of the claims, though negotiating a desired claim format does have a few core-protocol implications. We anticipate that a couple of different formats are likely (strong interest has been expressed in SAML and JSON so far).

We do have use cases for third-party-asserted claims as well as self-asserted claims, and we anticipate that the former would be most easily solved (maybe "easily" should be in scare quotes) with signatures. The use cases requiring this do tend to be for higher-security, higher-sensitivity applications (health, financial/insurance, etc.).

Note that by "claims", I'm referring here to the access authorization claims that an authorization manager would ask a requester to produce in order to prove suitability for getting access. (The authorizing user might be delegating access to some protected web resource that contains identity claims about themselves; this is well outside the UMA core protocol.)

Eve

Eve Maler
e...@xmlgrrl.com
http://www.xmlgrrl.com/blog