[-oauth-wrap-wg -- this conversation seems to be diverting from WRAP and back to OpenID]
In the context of Artifact binding, there does not seem to be any reason to have both an Artifact request and an Association request. Also, I believe that one of the requirements for the artifact is that the RP also gets a shared secret that's associated with the artifact in order to convert the Artifact into an Assertion. We might as well combine them both. Perhaps to make everyone happy - we can just say that Artifact requests SHOULD not use an association handle. Association handles are optional anyway. Regarding DH - This is not really necessary if the OP only supports HTTPS. Also - I was proposing that the Artifact/Association be only 1 time use - not a long term association. Allen _______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
