§6.1 on Client authentication* has the following requirement, "The Principal MUST identify an authorized accessor. If the assertion is self-issued, the Principal SHOULD be the client_id."

which doesn't really make sense for client authentication. The self-issuedness of the assertion should have no bearing on the principal (rather the issuer) and, when used for client authentication, the principal should always represent the client. I believe the bullet should instead say, "The Principal SHOULD be the client_id."

* http://tools.ietf.org/html/draft-ietf-oauth-assertions-01#section-6.1
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth