Actually, I think it is a good time to start looking at the resourse owner issuing assertions@ (Interestingly enough, Hui-Lan had brought this up a couple of years ago.)
Igor On 12/3/2012 3:58 AM, Nat Sakimura wrote: > I suppose, yes. I was reading it like that all the time. > Whether it is or not, if it is still ok, it might be better to clarify > it. > Word like "third party" tends to be a bit of problem without clearly > defining. > I had similar experience in other fora. > > Nat > > Sent from iPad > > 2012/12/03 0:52、"zhou.suj...@zte.com.cn > <mailto:zhou.suj...@zte.com.cn>" <zhou.suj...@zte.com.cn > <mailto:zhou.suj...@zte.com.cn>> のメッセ�`ジ: > >> >> could be Resource owner? >> >> >> *"Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofe...@nsn.com >> <mailto:hannes.tschofe...@nsn.com>>* >> 发件人: oauth-boun...@ietf.org <mailto:oauth-boun...@ietf.org> >> >> 2012-12-03 16:49 >> >> >> 收件人 >> "ext Nat Sakimura" <sakim...@gmail.com <mailto:sakim...@gmail.com>>, >> "Brian Campbell" <bcampb...@pingidentity.com >> <mailto:bcampb...@pingidentity.com>>, "oauth" <oauth@ietf.org >> <mailto:oauth@ietf.org>> >> 抄送 >> >> 主题 >> Re: [OAUTH-WG] Assertion Framework - Why does issuer have to be >> either the client or a third party token service? >> >> >> >> >> >> >> >> >> >> Hi Nat, >> >> The current text essentially says that the assertion can either be >> created by the client (in which case it is self-signed) or it can be >> created by some other entity (which is then called the third party >> token service). So, this third party could be the authorization server. >> >> Ciao >> Hannes >> >> >> *From:* oauth-boun...@ietf.org <mailto:oauth-boun...@ietf.org> >> [mailto:oauth-boun...@ietf.org] *On Behalf Of *ext Nat Sakimura* >> Sent:* Monday, December 03, 2012 10:35 AM* >> To:* Brian Campbell; oauth* >> Subject:* [OAUTH-WG] Assertion Framework - Why does issuer have to be >> either the client or a third party token service? >> >> Hi Brian, >> >> >> The assertion framework defines the Issuer as: >> >> Issuer The unique identifier for the entity that issued the >> assertion. Generally this is the entity that holds the key >> material used to generate the assertion. The issuer may be either >> an OAuth client (when assertions are self-issued) or a third party >> token service. >> >> I was wondering why it has to be either the client or a third party >> token service. >> Conceptually, it could be any token service (functionality) residing >> in any of >> >> the stakeholders (Resource Owner, OAuth Client, Authorization Server, or >> a third party). >> >> >> I would appreciate if you could clarify why is the case. >> >> >> Best, >> >> -- >> Nat Sakimura (=nat) >> Chairman, OpenID Foundation_ >> __http://nat.sakimura.org/_ >> @_nat_en >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth >> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
