Hi all, I read through the mailing list discussion raised by Nat in this mail to the list on the 3rd of December, see http://www.ietf.org/mail-archive/web/oauth/current/msg10203.html
There were two types of issues: 1) The current text about the issuer (in Section 5.1 of <draft-ietf-oauth-assertions-08.txt> says that the assertion can either be created by the client (in which case it is self-signed) or it can be created by some other entity. There was, however, the perception that the current text, in the way it is worded, creates the impression that third party token services excludes entities like the resource owner. 2) Some folks had the idea that the resource owner could create the assertion and they had a specific use case in mind. While this is not a currently deployed scenario (using OAuth technology) there seem to be some other deployment (the Austrian eID card deployment was mentioned by Nat) that could be re-build with this support in mind. It seemed that just mentioning that the resource owner could create the assertion wouldn't be enough to understand the scenario. A more detailed writeup of the envisioned scenario would be needed but has not been provided to the mailing list. To me it seems that the best approach would be to do the following: a) to update the text in Section 5.1 as suggested by Nat in his mail http://www.ietf.org/mail-archive/web/oauth/current/msg10222.html This by itself would not lead to any normative text change but may make it clear what the intention was. b) to encourage those who care about the use case where the resource owner creates the assertion to compile a document and to submit it to the group. This would allow us to evaluate whether all the required functionality is indeed available. Ciao Hannes _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
