>>John Bradley wrote:
>>> I suspect that we will need two OAuth bindings. One for TLS and one for
>>> signed message.
>>
>>I agree. For instance, set "token_type":"tls_client_cert" when the client has
>>to use TLS; set "token_type":"cms" when the client has to digitally sign
>>messages using Crypto Message Syntax (CMS); ….
> Perhaps JWT/JOSE rather than CMS:)
>
> Though there will need to be discussions about what part of the message needs
> to be signed.

I was about to list JOSE as the example, but baulked precisely because of this issue. It wasn't obvious how a request to a protected resource would be wrapped in a JOSE message. At least with CMS (or WS-*, or XML DSig, or SOAP…) you can guess that the request is a POST of a signed blob.

--
James Manger
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth