Richard Barnes has entered the following ballot position for draft-ietf-oauth-saml2-bearer-21: Discuss
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- As with draft-ietf-oauth-assertions, the requirement for an <Audience> element seems entirely unnecessary. Holding this DISCUSS point pending that discussion and its reflection in this document. "Assertions that do not identify the Authorization Server as an intended audience MUST be rejected." -- What does it mean for an assertion to "identify the Authorization Server"? Does the specified <Audience> need to match the entire URL of the relevant OAuth endpoint? Just the origin? Just the domain? Does the URL need to be canonicalized? _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
