On Tue, Feb 16, 2010 at 12:34, Allen Tom <[email protected]> wrote: > [-oauth-wrap-wg -- this conversation seems to be diverting from WRAP and > back to OpenID] > > In the context of Artifact binding, there does not seem to be any reason to > have both an Artifact request and an Association request.
And generally there will not be ... associations will either be omitted (stateless mode) or infrequently combined with artifact. I don't think the efficiency concern is relevant. > > Also, I believe that one of the requirements for the artifact is that the RP > also gets a shared secret that's associated with the artifact in order to > convert the Artifact into an Assertion. We might as well combine them both. I'd prefer not to. It will make implementation harder, not easier. > > Perhaps to make everyone happy - we can just say that Artifact requests > SHOULD not use an association handle. Association handles are optional > anyway. This sounds sensible to me. > > Regarding DH - This is not really necessary if the OP only supports HTTPS. > > Also - I was proposing that the Artifact/Association be only 1 time use - > not a long term association. > > Allen > > -- --Breno +1 (650) 214-1007 desk +1 (408) 212-0135 (Grand Central) MTV-41-3 : 383-A PST (GMT-8) / PDT(GMT-7) _______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
