--
You received this message because you are subscribed to the Google Groups "OAuth WRAP WG" group.
To post to this group, send email to oauth-...@googlegroups.com.
To unsubscribe from this group, send email to oauth-wrap-w...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/oauth-wrap-wg?hl=en.
In principle it would work. The only downside is that the artifact/token might be smaller if it were a simple SHA256 XORed with the association secret or something like that.
I like the concept in principle if it doesn't compromise the ability to have a small response via GET.
I had questions around the token format returned by the protected resource. (artifact resolution)
John B.
_______________________________________________
specs mailing list
sp...@lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs
Hi Nat -
Why is association expensive? It should be no worse than issuing an artifact. I guess it depends on the underlying implementation.
I prefer to come up with the best design then work around the politics.
I understand Nat has been trying to make progress on this as part of CX and then on its own.
I am going to be at RSA; if Nat is going, perhaps we can get together there before the OpenID summit the following month.
John B.
On 2010-02-16, at 11:53 AM, Breno de Medeiros wrote:
> On Tue, Feb 16, 2010 at 04:22, John Bradley <ve7...@ve7jtb.com> wrote:
>> I suspect the advantage to extending the association is more political,
>> that way you can call it an extension.
>
> I could, but I'd be fabricating. The association request is not extensible.
>
>> I think practically it is better to keep the exchange of long term secrets
>> (Association) separate from the artifact resolution process.
>
> I agree.
>
>> If we want to do per request shared secrets say SHA256 vs re-using the long
>> term one I don't have a big problem with that.
>> I don't yet see a super compelling reason for it though.
>> John B.
>
> Ditto.