Using individual claims for the different confirmation types would convey the same information with a reduced message size, likely simpler implementation, and avoid the need to establish a new registry.
Seems like a no-brainer to me but maybe I'm overlooking something? There hasn't been much discussion that I'm aware of. Nat seemed in favor of it (the +1 below). Mike was dismissive of it at the Dallas meeting but didn't provide any reasoning (that I understood anyway).

On Mon, Mar 23, 2015 at 10:18 AM, Nat Sakimura <[email protected]> wrote:
> +1
>
> =nat via iPhone
>
> On 2015/03/23 11:07, Brian Campbell <[email protected]> wrote:
>
> This is mostly about section 3.4
> <https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-02#section-3.4>
> but also the whole draft.
>
> If "cnf" is intended to be analogous to the SAML 2.0 SubjectConfirmation
> element, it should probably contain an array value rather than an object
> value. SAML allows not just for multiple methods of confirming but for
> multiple instances of the same method. IIRC, only one confirmation needs to
> be confirmable.
>
> I'm not sure the extra complexity is worth it though. I've rarely, if
> ever, seen SAML assertions that make use of it.
>
> If the intent is just to allow for different kinds of confirmation,
> couldn't the structure be pared down and simplified and just have
> individual claims for the different confirmation types? Like "cjwk" and
> "ckid" or similar that have the jwk or kid value respectively as the member
> value.
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
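To make the two encodings being compared concrete, here is an added example (not from the thread or the draft) that builds a claims set in the draft's "cnf" object form and in the flattened "cjwk"/"ckid" form proposed above, compares their serialized size, and shows a verifier-side confirmation check that fails closed when no confirmation is present. The issuer, subject and key coordinates are constructed placeholder values.

```python
import json

# Constructed sample holder key (EC P-256 shape, placeholder coordinates).
PRESENTED_JWK = {"kty": "EC", "crv": "P-256", "x": "X-PLACEHOLDER", "y": "Y-PLACEHOLDER", "kid": "k1"}


def cnf_object_claims(jwk=None, kid=None):
    """Draft section 3.4 style: one "cnf" object holding "jwk" and/or "kid" members."""
    cnf = {}
    if jwk is not None:
        cnf["jwk"] = jwk
    if kid is not None:
        cnf["kid"] = kid
    return {"iss": "https://as.example", "sub": "alice", "cnf": cnf}


def flat_claims(jwk=None, kid=None):
    """Alternative from the message: individual top-level claims "cjwk" / "ckid"."""
    claims = {"iss": "https://as.example", "sub": "alice"}
    if jwk is not None:
        claims["cjwk"] = jwk
    if kid is not None:
        claims["ckid"] = kid
    return claims


def serialized_size(claims):
    """Compact JSON length in bytes, the part of the JWT payload that grows with the encoding."""
    return len(json.dumps(claims, separators=(",", ":")).encode())


def _key_matches(expected_jwk, presented_jwk):
    # Compare only public key parameters; metadata such as "kid" or "use" must not affect the match.
    core = ("kty", "crv", "x", "y", "n", "e")
    return all(expected_jwk.get(k) == presented_jwk.get(k) for k in core)


def confirm_holder(claims, presented_jwk):
    """True if presented_jwk is the key the token is bound to, under either encoding.

    Assumes the caller has already verified the presenter's proof-of-possession
    signature with presented_jwk; this only checks that it is the bound key.
    A token with no confirmation is treated as not confirmable (fail closed)."""
    cnf = claims.get("cnf")
    cnf = cnf if isinstance(cnf, dict) else {}
    expected_jwk = cnf.get("jwk", claims.get("cjwk"))
    expected_kid = cnf.get("kid", claims.get("ckid"))
    if expected_jwk is not None:
        return _key_matches(expected_jwk, presented_jwk)
    if expected_kid is not None:
        return presented_jwk.get("kid") == expected_kid
    return False
```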
