Hi Brian,
On 16 Mar 2010, at 10:51 AM, Brian Eaton wrote:
> We didn't talk about the signed identity claims use case. Some
> background on that is in this thread:
>
> http://www.ietf.org/mail-archive/web/oauth/current/msg00530.html
>
> Paul - does OpenSocial still need signed identity claims?
>
> Eve - does UMA still need signed identity claims, or are you handling
> that outside of the OAuth spec?

UMA's core protocol is agnostic as to the format of the claims, though
negotiating a desired claim format does have a few core-protocol implications.
We anticipate that a couple of different formats are likely (strong interest
has been expressed in SAML and JSON so far).

We do have use cases for third-party-asserted claims as well as self-asserted
claims, and we anticipate that the former would be most easily solved (maybe
"easily" should be in scare quotes) with signatures. The use cases requiring
this do tend to be for higher-security, higher-sensitivity applications
(health, financial/insurance, etc.).

Note that by "claims", I'm referring here to the access authorization claims
that an authorization manager would ask a requester to produce in order to
prove suitability for getting access. (The authorizing user might be
delegating access to some protected web resource that contains identity claims
about themselves; this is well outside the UMA core protocol.)

Eve
Eve Maler
http://www.xmlgrrl.com/blog
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth