Basically the same response to basically the same question as in http://www.ietf.org/mail-archive/web/oauth/current/msg13608.html
On Wed, Oct 15, 2014 at 9:56 PM, Richard Barnes <r...@ipv.sx> wrote:
> Richard Barnes has entered the following ballot position for
> draft-ietf-oauth-saml2-bearer-21: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer/
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> As with draft-ietf-oauth-assertions, the requirement for an <Audience>
> element seems entirely unnecessary. Holding this DISCUSS point pending
> that discussion and its reflection in this document.
>
> "Assertions that do not identify the Authorization Server as an intended
> audience MUST be rejected." -- What does it mean for an assertion to
> "identify the Authorization Server"? Does the specified <Audience> need
> to match the entire URL of the relevant OAuth endpoint? Just the origin?
> Just the domain? Does the URL need to be canonicalized?
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth