That's what you get for duplicating all the text :)

On Thu, Oct 16, 2014 at 2:00 PM, Brian Campbell <bcampb...@pingidentity.com> wrote:

> Basically the same response to the basically same question as from
> http://www.ietf.org/mail-archive/web/oauth/current/msg13608.html
>
> On Wed, Oct 15, 2014 at 9:56 PM, Richard Barnes <r...@ipv.sx> wrote:
>
>> Richard Barnes has entered the following ballot position for
>> draft-ietf-oauth-saml2-bearer-21: Discuss
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>>
>> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>>
>> The document, along with other ballot positions, can be found here:
>> http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer/
>>
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>>
>> As with draft-ietf-oauth-assertions, the requirement for an <Audience>
>> element seems entirely unnecessary. Holding this DISCUSS point pending
>> that discussion and its reflection in this document.
>>
>> "Assertions that do not identify the Authorization Server as an intended
>> audience MUST be rejected." -- What does it mean for an assertion to
>> "identify the Authorization Server"? Does the specified <Audience> need
>> to match the entire URL of the relevant OAuth endpoint? Just the origin?
>> Just the domain? Does the URL need to be canonicalized?
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth