On Tue, Aug 11, 2015 at 12:08 AM, Mike Jones
<michael.jo...@microsoft.com> wrote:
> There didn’t seem to be support for having cnf contain array values.
> Instead, as discussed in the thread “[OAUTH-WG] JWT PoP Key Semantics WGLC
> followup 3 (was Re: confirmation model in proof-of-possession-02)”, if
> different keys are being confirmed, they can define additional claims other
> than “cnf” using the same structure as “cnf” to represent those
> confirmations.  Indeed, those other claims could be array-valued, if
> appropriate.  The reasons for having a structured “cnf” claim, rather than a
> set of flattened claim values, were also discussed in that thread.

Can you send the link to that thread and the result if it differs from
what Brian and Nat agree on?  I'd like to know that there is enough to
determine consensus on this point.

Thanks!
Kathleen
>
> Thanks again,
>
> -- Mike
>
> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell
> Sent: Monday, March 23, 2015 9:07 AM
> To: oauth
> Subject: [OAUTH-WG] confirmation model in proof-of-possession-02
>
>
>
> This is mostly about section 3.4 but also the whole draft.
>
>
> If "cnf" is intended to be analogous to the SAML 2.0 SubjectConfirmation
> element, it should probably contain an array value rather than an object
> value. SAML allows not just for multiple methods of confirming but for
> multiple instances of the same method. IIRC, only one confirmation needs to
> be confirmable.
>
> I'm not sure the extra complexity is worth it though. I've rarely, if ever,
> seen SAML assertions that make use of it.
>
> If the intent is just to allow for different kinds of confirmation, couldn't
> the structure be pared down and simplified and just have individual claims
> for the different confirmation types? Like "cjwk" and "ckid" or similar that
> have the jwk or kid value respectively as the member value.
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>



-- 

Best regards,
Kathleen
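
The object-valued "cnf" shape discussed in this thread, as an added example that is not part of any of the messages or of the draft: a Python check a token recipient could apply before trusting a confirmation key. It assumes the member names "jwk" and "kid" used in Brian's message, a policy of exactly one member per "cnf" (chosen for this example), and a hypothetical local `key_store`; all sample claims are constructed.

```python
# Constructed sample data (not taken from the thread or the draft).
KEY_A = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
STRUCTURED = {"iss": "https://as.example", "cnf": {"jwk": KEY_A}}
BY_REFERENCE = {"iss": "https://as.example", "cnf": {"kid": "key-a"}}
# Array-valued "cnf", the shape that did not get support in the thread.
ARRAY_VALUED = {"iss": "https://as.example",
                "cnf": [{"jwk": KEY_A}, {"kid": "key-b"}]}
# Flattened shape floated in the thread ("cjwk" is the name used there).
FLATTENED = {"iss": "https://as.example", "cjwk": KEY_A}


class CnfError(ValueError):
    """Raised when no single confirmation key can be derived from the claims."""


def confirmation_key(claims, key_store):
    """Return the one JWK confirmed by an object-valued "cnf" claim.

    key_store is a hypothetical dict mapping kid -> JWK held by the recipient.
    """
    if "cnf" not in claims:
        # Fail closed: without "cnf" the token is not bound to any key.
        raise CnfError("no cnf claim present")
    cnf = claims["cnf"]
    if not isinstance(cnf, dict):
        # Rejects arrays, strings, etc. instead of guessing which entry counts.
        raise CnfError("cnf must be a JSON object, got " + type(cnf).__name__)
    methods = [m for m in ("jwk", "kid") if m in cnf]
    if len(methods) != 1:
        # Assumption of this example: one confirmation method per cnf.
        raise CnfError("expected exactly one of jwk/kid, got %r" % methods)
    if methods[0] == "jwk":
        jwk = cnf["jwk"]
        if not isinstance(jwk, dict) or "kty" not in jwk:
            raise CnfError("cnf.jwk is not a JWK object")
        return jwk
    kid = cnf["kid"]
    if not isinstance(kid, str) or kid not in key_store:
        raise CnfError("cnf.kid does not resolve to a known key")
    return key_store[kid]
```

Rejecting anything other than a single-key object keeps the recipient from silently picking one of several candidate keys.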
