On Tue, Feb 16, 2010 at 13:09, John Bradley <[email protected]> wrote:

> We can't force everyone to do artifact. We will still need to support associations in RPs.
> We can't just ditch the concept completely.
>
> If we say the Artifact binding is a new binding and not an extension, we can ditch the association handle.

I have seen no viable proposal to make it an extension.

> If you want to do a per-artifact secret that is fine with me.
>
> It however will cause more divergence between the two bindings.
>
> One is tempted to say redirect is the binding for 2.0 and artifact will be for v.next.
>
> If the exchange is done over what is arguably a mutually authenticated encrypted channel I should be able to do a LoA 2 profile for OpenID. LoA 3 will probably require an asymmetric signature as well for non-repudiation.
>
> That is why being able to specify a return token type for the assertion may be an advantage.
>
> John B.
>
> On 2010-02-16, at 5:43 PM, Breno de Medeiros wrote:
>
>> On Tue, Feb 16, 2010 at 12:34, Allen Tom <[email protected]> wrote:
>>
>>> [-oauth-wrap-wg -- this conversation seems to be diverting from WRAP and back to OpenID]
>>>
>>> In the context of Artifact binding, there does not seem to be any reason to have both an Artifact request and an Association request.
>>
>> And generally there will not be ... associations will either be omitted (stateless mode) or infrequently combined with artifact. I don't think the efficiency concern is relevant.
>>
>>> Also, I believe that one of the requirements for the artifact is that the RP also gets a shared secret that's associated with the artifact in order to convert the Artifact into an Assertion. We might as well combine them both.
>>
>> I'd prefer not to. It will make implementation harder, not easier.
>>
>>> Perhaps to make everyone happy - we can just say that Artifact requests SHOULD NOT use an association handle. Association handles are optional anyway.
>>
>> This sounds sensible to me.
>>
>>> Regarding DH - This is not really necessary if the OP only supports HTTPS.
>>>
>>> Also - I was proposing that the Artifact/Association be only one-time use - not a long-term association.
>>>
>>> Allen
>>
>> --
>> --Breno
>>
>> +1 (650) 214-1007 desk
>> +1 (408) 212-0135 (Grand Central)
>> MTV-41-3 : 383-A
>> PST (GMT-8) / PDT(GMT-7)

--
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)

_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
