Given that, would you strongly object to these proposals being written
in a separate document than the core spec? The device flow is a good
example of where we're doing this. We really think that it will be
useful, are working on implementations, but it hasn't yet been proven
in production.

On Thu, Aug 12, 2010 at 4:01 PM, Brian Campbell
<bcampb...@pingidentity.com> wrote:
> I generally agree more with Chuck, David and Brian E than I don't.
> But I do think that someone will find a pragmatic reason for > 1
> assertion eventually and I think the proposal earlier in this thread
> to allow for multiple occurrences of the assertion parameter in the
> core spec will make that easier for a number of instantiations of the
> assertion flow (grant type) at a later time.  It adds some complexity
> but I don't think a lot.  And specifications or pairwise agreements
> building on the assertion flow could easily constrain down to a single
> assertion, if it suits the profile.
>
> That's the only change proposal to the core spec that's come out of
> discussion around my I-D
> http://www.ietf.org/id/draft-campbell-oauth-saml-00.txt (that I can
> think of).  I'm still not sure if it makes sense to allow for multiple
> assertions in the next draft of that, but allowing for multiple
> assertion params in core sure seems like a cleaner way to do it.
>
> Yaron's proposal for a Section 2.2 on Client Assertions is a change to
> core as well (latest in that thread:
> http://www.ietf.org/mail-archive/web/oauth/current/msg04154.html).
> However, even though it uses the term assertion similarly, it's a
> distinct issue from the SAML work.  The latter is a SAML based usage
> of the assertion grant type while the former I think of it more as a
> means of allowing for stronger forms of client authentication than
> just a client password/secret.
>
> I guess both could be used in a two-legged style interaction (or used
> together) and maybe that's where it starts to get confusing...
>
>
>
> On Thu, Aug 12, 2010 at 1:38 PM, Brian Eaton <bea...@google.com> wrote:
>> On Thu, Aug 12, 2010 at 12:36 PM, David Recordon <record...@gmail.com> wrote:
>>> I've only been half following the recent assertion threads for this
>>> exact reason. I don't understand how these proposals are going to be
>>> used and worry about any additional complexity added to the spec.
>>
>> Likewise.
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>