Hi assertion document authors, Hi all,
I took a look at the assertion framework draft (draft-ietf-oauth-assertions-11) and the SAML assertion profile document (draft-ietf-oauth-saml2-bearer-16.txt). In general, I have to say that they are moving in the right direction. I see progress.

In the assertion draft I particularly liked the improved clarity about what has to be agreed out-of-band (which relates to interoperability):

   "Specific items that require agreement are as follows: values for the issuer and audience identifiers, supported assertion and client authentication types, the location of the token endpoint, and the key used to apply and verify the digital signature or keyed message digest over the assertion."

There are also various places where the number of options has been reduced. Various clarifications in the text seem useful (e.g., the client id to assertion mapping), although I have not checked them in detail.

I was hoping for more constraints (so that fewer aspects need to be configured out-of-band), but I guess you guys are not willing to sacrifice flexibility. I am sure you have noticed that there are a lot of things that need to be agreed out-of-band. I hope you feel confident that those who deploy the specification are willing to take these steps. But at least the spec is not silent about them and provides the necessary information to the reader.

I also recognize improvements regarding the SAML assertion document. While the use case description is still missing (that would give a bit more background about what the deployment environment is), there is now a better example available. The example illustrates an assertion grant; do you think it would be useful to also show an example for a client authentication with the SAML assertion?

I am planning to talk to Barry to see what he thinks about the updated document, and in the meantime I can read into the detailed changes.
Ciao
Hannes
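The message quotes the list of items the assertion framework requires to be agreed out-of-band, and asks about the two uses of a SAML assertion at the token endpoint (authorization grant versus client authentication). The following is an added example, not code from the message or from the drafts: a token-endpoint-side check that enforces each agreed item (issuer, audience, keyed message digest, expiry) and dispatches on the two assertion type identifiers the SAML bearer profile defines. To stay self-contained it represents the assertion as an HMAC-protected JSON claim set instead of SAML XML; the agreement values, the claim names and the helper names are constructed for this example and are not part of the drafts.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs

# Type identifiers defined by the OAuth assertion framework's SAML 2.0 bearer profile.
GRANT_TYPE_SAML2 = "urn:ietf:params:oauth:grant-type:saml2-bearer"
CLIENT_ASSERTION_TYPE_SAML2 = "urn:ietf:params:oauth:client-assertion-type:saml2-bearer"

# Constructed stand-in for the out-of-band agreement the draft lists: issuer,
# audience (this token endpoint) and the key for the keyed message digest.
AGREEMENT = {
    "issuer": "https://idp.example.test",           # hypothetical value
    "audience": "https://as.example.test/token",    # hypothetical value
    "key": b"shared-secret-agreed-out-of-band",     # hypothetical value
    "max_skew": 60,                                 # clock tolerance in seconds
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(claims: dict, key: bytes) -> str:
    """Issuer side: serialise the claims and append HMAC-SHA256 over the bytes.
    Simplified stand-in for a signed SAML assertion (not SAML XML)."""
    body = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(mac)


def verify_assertion(assertion: str, agreement: dict, now: float) -> dict:
    """Token endpoint side: enforce every agreed item; raise ValueError on failure."""
    parts = assertion.split(".")
    if len(parts) != 2:
        raise ValueError("malformed assertion")
    body = _unb64(parts[0])
    expected = hmac.new(agreement["key"], body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(parts[1])):
        raise ValueError("keyed digest does not verify under the agreed key")
    claims = json.loads(body)
    if claims.get("iss") != agreement["issuer"]:
        raise ValueError("issuer is not the agreed issuer")
    aud = claims.get("aud")
    if agreement["audience"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience does not identify this token endpoint")
    if "exp" not in claims or claims["exp"] < now - agreement["max_skew"]:
        raise ValueError("assertion has no expiry or is expired")
    if "sub" not in claims:
        raise ValueError("assertion has no subject")
    return claims


def handle_token_request(form_body: str, agreement: dict, now: float = None) -> dict:
    """Dispatch on the two ways an assertion is presented at the token endpoint."""
    now = time.time() if now is None else now
    params = {k: v[0] for k, v in parse_qs(form_body).items()}
    if params.get("grant_type") == GRANT_TYPE_SAML2:
        # Assertion as authorization grant: the subject is the resource owner.
        try:
            claims = verify_assertion(params.get("assertion", ""), agreement, now)
        except ValueError as e:
            return {"error": "invalid_grant", "error_description": str(e)}
        return {"mode": "assertion_grant", "subject": claims["sub"]}
    if params.get("client_assertion_type") == CLIENT_ASSERTION_TYPE_SAML2:
        # Assertion as client authentication: the subject is the client identifier.
        try:
            claims = verify_assertion(params.get("client_assertion", ""), agreement, now)
        except ValueError as e:
            return {"error": "invalid_client", "error_description": str(e)}
        return {"mode": "client_authentication", "client_id": claims["sub"]}
    return {"error": "unsupported_grant_type"}


if __name__ == "__main__":
    now = 1_700_000_000
    a = make_assertion({"iss": AGREEMENT["issuer"], "aud": AGREEMENT["audience"],
                        "sub": "alice", "exp": now + 300}, AGREEMENT["key"])
    print(handle_token_request(f"grant_type={GRANT_TYPE_SAML2}&assertion={a}", AGREEMENT, now))
    print(handle_token_request(
        f"client_assertion_type={CLIENT_ASSERTION_TYPE_SAML2}&client_assertion={a}", AGREEMENT, now))
```

The same verifier serves both modes; what differs is which request parameter carries the assertion and which error code the endpoint returns (the framework uses invalid_grant for a rejected assertion grant and invalid_client for failed client authentication). Every rejection maps back to one of the agreed items, which is why the draft's out-of-band list matters for interoperability.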