There were some comments on the document made by Shawn Emery as part of a
security directorate's review
http://www.ietf.org/mail-archive/web/secdir/current/msg03679.html that seem
to have gotten lost in the shuffle.

His editorial comments are spot on and I believe the changes he suggests
should all be made. I'm not sure if a new draft or an RFC editor's note is
more appropriate at this stage?

The question about providing more guidance on the Assertion ID is a little
less straightforward. The JWT and SAML instances of the framework both
inherit some guidance from their respective token format definitions -
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-06#section-4.1.7 and
§1.3.4 ID and ID Reference Values of saml-core-2.0-os. Perhaps that is
sufficient. If we were to add something to draft-ietf-oauth-assertions, I'd
probably look to borrow some text from one or both of those locations.