I think this part of sec 3 of assertions states that: The protocol parameters and processing rules defined in this document are intended to support a client presenting a bearer assertion to an authorization server. The use of holder-of-key assertions is not precluded by this document, but additional protocol details would need to be specified.
As part of defining the additional protocol details for holder-of-key/PoP we can relax the MUST for audience in the profile that defines how to use those assertion types.

John B.

On Oct 17, 2014, at 2:25 PM, Pete Resnick <presn...@qti.qualcomm.com> wrote:

> On 10/17/14 12:09 PM, Mike Jones wrote:
>>
>> This is the standard mitigation for a known set of actual attacks. We
>> shouldn't even consider making it optional.
>>
>
> Do you mean you shouldn't consider making it optional for HoK? Again, making
> it clear that the MUST applies only to bearer assertions, and that future
> extensions for HoK might have different requirements, is all that is being
> asked for here.
>
> pr
> --
> Pete Resnick <http://www.qualcomm.com/~presnick/>
> Qualcomm Technologies, Inc. - +1 (858)651-4478
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
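The point under discussion, as an added example that is not part of the thread or of the assertions draft: a bearer assertion is only as safe as the audience check, because anyone who obtains it can replay it at any authorization server that does not insist on seeing its own identifier in `aud`. A holder-of-key assertion is bound to a key the presenter must prove possession of, so a replaying party that only saw the assertion is stopped even when `aud` is relaxed. The script builds a minimal HS256 JWT by hand so it runs offline; the issuer key, the two server identifiers, the `cnf`/`kid` confirmation-key binding and the out-of-band registration of the confirmation key are all assumptions made for the demo, not details from the draft.

```python
"""Added example: bearer replay vs holder-of-key proof of possession.
All keys and identifiers below are constructed sample values."""
import base64
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = b"issuer-signing-key-demo"            # assumed shared HS256 key
AS_A = "https://as-a.example/token"                 # constructed AS identifiers
AS_B = "https://as-b.example/token"
CLIENT_CONFIRMATION_KEY = b"client-1-confirmation-key-demo"  # held by the client


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_assertion(claims: dict, key: bytes = ISSUER_KEY) -> str:
    """Issue a compact HS256 JWT (exp/iat omitted to keep the demo short)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def _verify_signature(token: str, key: bytes) -> dict:
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


def verify_bearer_assertion(token: str, my_identifier: str, check_audience: bool = True) -> dict:
    """Bearer processing. With check_audience=True the assertion MUST name this
    server in 'aud' (the mitigation the thread refers to); False shows what
    happens when that check is made optional."""
    claims = _verify_signature(token, ISSUER_KEY)
    if check_audience:
        aud = claims.get("aud")
        auds = aud if isinstance(aud, list) else [aud]
        if my_identifier not in auds:
            raise ValueError("audience mismatch")
    return claims


def _thumbprint(key: bytes) -> str:
    return _b64url(hashlib.sha256(key).digest())


# Assumption: confirmation keys are registered with the AS out of band and
# looked up by thumbprint; the assertion only carries the thumbprint.
CONFIRMATION_KEYS = {_thumbprint(CLIENT_CONFIRMATION_KEY): CLIENT_CONFIRMATION_KEY}


def make_proof(confirmation_key: bytes, challenge: bytes) -> bytes:
    """Proof of possession: HMAC over a fresh server challenge (assumed design)."""
    return hmac.new(confirmation_key, challenge, hashlib.sha256).digest()


def verify_holder_of_key(token: str, challenge: bytes, proof: bytes) -> dict:
    """Holder-of-key processing without an 'aud' check: the presenter must
    prove possession of the key named in 'cnf'."""
    claims = _verify_signature(token, ISSUER_KEY)
    key = CONFIRMATION_KEYS.get(claims.get("cnf", {}).get("kid"))
    if key is None:
        raise ValueError("unknown confirmation key")
    if not hmac.compare_digest(make_proof(key, challenge), proof):
        raise ValueError("proof of possession failed")
    return claims


def scenario_bearer_replay(check_audience: bool) -> bool:
    """True if a bearer assertion minted for AS A is accepted when replayed at AS B."""
    token = mint_assertion({"iss": "client-1", "sub": "client-1", "aud": AS_A})
    try:
        verify_bearer_assertion(token, AS_B, check_audience)
        return True
    except ValueError:
        return False


def scenario_hok_replay(presenter_has_key: bool) -> bool:
    """True if a holder-of-key assertion (no 'aud') is accepted at AS B; only a
    presenter holding the confirmation key can answer the challenge."""
    token = mint_assertion({"iss": "client-1", "sub": "client-1",
                            "cnf": {"kid": _thumbprint(CLIENT_CONFIRMATION_KEY)}})
    challenge = secrets.token_bytes(16)             # fresh per request at AS B
    key = CLIENT_CONFIRMATION_KEY if presenter_has_key else secrets.token_bytes(32)
    try:
        verify_holder_of_key(token, challenge, make_proof(key, challenge))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("bearer, aud enforced, replayed at B accepted:", scenario_bearer_replay(True))
    print("bearer, aud optional, replayed at B accepted:", scenario_bearer_replay(False))
    print("HoK, replayer without key accepted:", scenario_hok_replay(False))
    print("HoK, legitimate holder accepted:", scenario_hok_replay(True))
```

Running it shows the two halves of the argument side by side: the bearer assertion for AS A is rejected at AS B only while the audience check is mandatory, whereas the holder-of-key assertion carries no `aud` at all and is still rejected from a presenter who lacks the confirmation key. A real profile would additionally bind the proof to the request (method, URI, timestamp) and keep `exp`/`iss` checks; those are left out here to keep the contrast clear.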