Hello,
The draft http://tools.ietf.org/html/draft-ietf-oauth-assertions-01, section 6.1 has the following requirement: The Authorization Server MUST validate the assertion in order to establish a mapping between the Issuer and the secret used to generate the assertion. I thought that checking a signature is a part of the assertion validation, which cannot be done without knowing the mapping between the issuer and the secret used to generate the assertion. It appears that the quoted text requires validation of the assertion prior to checking the signature. What am I missing? Zachary From: [email protected] [mailto:[email protected]] On Behalf Of Tschofenig, Hannes (NSN - FI/Espoo) Sent: Thursday, April 05, 2012 10:47 AM To: [email protected] Subject: [OAUTH-WG] WGLC on Assertion Drafts Hi all, this is a Last Call for comments on these three documents: http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-10 http://tools.ietf.org/html/draft-ietf-oauth-assertions-01 http://tools.ietf.org/html/draft-ietf-oauth-urn-sub-ns-02 Please have your comments in no later than April 23rd. Do remember to send a note in if you have read the document and have no other comments other than "it's ready to go" - we need those as much as we need "I found a problem". Thanks! Hannes & Derek
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
