On Thu, Aug 12, 2010 at 2:04 PM, David Recordon <record...@gmail.com> wrote: > Given that, would you strongly object to these proposals being written > in a separate document than the core spec? The device flow is a good > example of where we're doing this. We really think that it will be > useful, are working on implementations, but it hasn't yet been proven > in production.
The assertion flow should stay in core (others have expressed this opinion as well). I've got interop tested code built on that that is about to GA. As far as the client assertions, I do believe there's real value in having a clean extension point for stronger forms of client authentication. Yaron's proposed language does a pretty good job I think. But if it can be done in a simpler way, let's discuss. I'll probably regret saying this, but what about not using the word "assertion" for stronger client auth options? That might help eliminate some confusion. _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth