Re: [OAUTH-WG] Assertion Framework - Why does issuer have to be either the client or a third party token service?

zhou.sujing@zte.com.cn Tue, 04 December 2012 02:07 UTC

Return-Path: <zhou.sujing@zte.com.cn>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9D8B21F865F; Mon, 3 Dec 2012 18:07:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -97.795
X-Spam-Level:
X-Spam-Status: No, score=-97.795 tagged_above=-999 required=5 tests=[AWL=0.600, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_BASE64_TEXT=1.753, MIME_CHARSET_FARAWAY=2.45, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HO8y0CCpRjSp; Mon, 3 Dec 2012 18:07:15 -0800 (PST)
Received: from zte.com.cn (mx6.zte.com.cn [95.130.199.165]) by ietfa.amsl.com (Postfix) with ESMTP id 7A9D221F8621; Mon, 3 Dec 2012 18:07:14 -0800 (PST)
Received: from zte.com.cn (unknown [192.168.168.119]) by Websense Email Security Gateway with ESMTP id 4EE7782E19; Tue, 4 Dec 2012 10:07:06 +0800 (CST)
Received: from mse02.zte.com.cn (unknown [10.30.3.21]) by Websense Email Security Gateway with ESMTPS id 3DDAC71AFC0; Tue, 4 Dec 2012 10:05:18 +0800 (CST)
Received: from notes_smtp.zte.com.cn ([10.30.1.239]) by mse02.zte.com.cn with ESMTP id qB426t5p044173; Tue, 4 Dec 2012 10:06:55 +0800 (GMT-8) (envelope-from zhou.sujing@zte.com.cn)
In-Reply-To: <50BCE1CF.2000202@alcatel-lucent.com>
To: igor.faynberg@alcatel-lucent.com
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 6.5.6 March 06, 2007
Message-ID: <OF66608A54.1DE77733-ON48257ACA.000BA350-48257ACA.000BBACF@zte.com.cn>
From: zhou.sujing@zte.com.cn
Date: Tue, 04 Dec 2012 10:06:50 +0800
X-MIMETrack: Serialize by Router on notes_smtp/zte_ltd(Release 8.5.3FP1 HF212|May 23, 2012) at 2012-12-04 10:06:54, Serialize complete at 2012-12-04 10:06:54
Content-Type: multipart/alternative; boundary="=_alternative 000BBACC48257ACA_="
X-MAIL: mse02.zte.com.cn qB426t5p044173
Cc: oauth@ietf.org, oauth-bounces@ietf.org
Subject: Re: [OAUTH-WG] Assertion Framework - Why does issuer have to be either the client or a third party token service?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Dec 2012 02:07:16 -0000

+1.
And why it was not looked at that time? 

oauth-bounces@ietf.org wrote on 2012-12-04 01:30:55:

> Actually, I think it is a good time to start looking at the resource
> owner issuing assertions. (Interestingly enough, Hui-Lan had brought
> this up a couple of years ago.)
> 
> Igor
> 
> On 12/3/2012 3:58 AM, Nat Sakimura wrote:
> I suppose, yes. I was reading it like that all the time.
> Whether it is or not, if it is still ok, it might be better to clarify it.
> Words like "third party" tend to be a bit of a problem without clearly defining them.
> I had similar experience in other fora.
> 
> Nat
> 
> Sent from iPad
> 
> Message from "zhou.sujing@zte.com.cn" <zhou.sujing@zte.com.cn>, 2012/12/03 0:52:

> 
> could be Resource owner? 
> 

> 
> "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
> Sent by: oauth-bounces@ietf.org
> 2012-12-03 16:49
> 
> To: "ext Nat Sakimura" <sakimura@gmail.com>, "Brian Campbell" <bcampbell@pingidentity.com>, "oauth" <oauth@ietf.org>
> 
> Cc:
> 
> Subject: Re: [OAUTH-WG] Assertion Framework - Why does issuer have to be either the client or a third party token service?
> 
> Hi Nat, 
> 
> The current text essentially says that the assertion can either be 
> created by the client (in which case it is self-signed) or it can be
> created by some other entity (which is then called the third party 
> token service). So, this third party could be the authorization server. 
> 
> Ciao
> Hannes 
> 
> 
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of ext Nat Sakimura
> Sent: Monday, December 03, 2012 10:35 AM
> To: Brian Campbell; oauth
> Subject: [OAUTH-WG] Assertion Framework - Why does issuer have to be either the client or a third party token service?
> 
> Hi Brian, 
> 
> 
> The assertion framework defines the Issuer as: 
> 
>    Issuer  The unique identifier for the entity that issued the
>       assertion.  Generally this is the entity that holds the key
>       material used to generate the assertion.  The issuer may be either
>       an OAuth client (when assertions are self-issued) or a third party
>       token service.
> 
> I was wondering why it has to be either the client or a third party
> token service.
> Conceptually, it could be any token service (functionality) residing in
> any of the stakeholders (Resource Owner, OAuth Client, Authorization
> Server, or a third party).
> 
> I would appreciate it if you could clarify why this is the case.
> 
> 
> Best, 
> 
> -- 
> Nat Sakimura (=nat) 
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en 
>  _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
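The thread above turns on who may appear as an assertion's Issuer: the presenting client (self-issued) or a third-party token service, which Hannes notes could be the authorization server itself. The following is an added example, not code from the thread or from the assertion-framework draft, showing how an authorization server might act on that distinction when it validates an assertion: it resolves the verification key from the Issuer claim (the client's registered key when the Issuer is the presenting client, otherwise the key of a token service it has explicitly configured as trusted) and rejects any other issuer, then applies audience and expiration checks. The identifiers, keys, the HMAC-SHA256 JWS-style encoding and the helper names (`issue_assertion`, `key_for_issuer`, `validate_assertion`, `outcome`, `demo`) are all assumptions made for illustration; a real deployment would use a JWT or SAML library with asymmetric keys.

```python
"""Added example (not from the thread): an authorization server deciding
whether an assertion's Issuer is acceptable, for both issuer kinds the draft
names: the presenting client (self-issued) or a third-party token service.
Identifiers and keys are constructed; the HMAC-SHA256 JWS-style encoding
stands in for a real JWT library (assumption)."""
import base64
import hashlib
import hmac
import json
import time

AS_ID = "https://as.example"  # this authorization server's identifier (constructed)

# Constructed sample data. A self-issued assertion is verified with the key the
# client registered; a third-party assertion with the token service's key.
REGISTERED_CLIENTS = {"client-123": b"client-secret-key"}
TRUSTED_TOKEN_SERVICES = {"https://sts.example": b"sts-secret-key"}


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(claims: dict, key: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 (JWS-like, constructed)."""
    header = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64u(sig)}"


def key_for_issuer(iss, client_id: str):
    """Map the Issuer claim to a verification key, or None if untrusted.

    Self-issued: the Issuer is the presenting client, so use that client's
    registered key. Otherwise the Issuer must be a token service configured as
    trusted (the AS may list its own identifier here if it issues assertions)."""
    if iss == client_id:
        return REGISTERED_CLIENTS.get(client_id)
    return TRUSTED_TOKEN_SERVICES.get(iss)


def validate_assertion(token: str, client_id: str, now: float = None) -> dict:
    """Return the claims of a valid assertion, or raise ValueError.

    Order: well-formed, issuer trusted, signature valid under that issuer's
    key, audience names this AS, subject present, not expired."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        claims = json.loads(_unb64u(payload_b64))
        if not isinstance(claims, dict):
            raise ValueError
    except ValueError:  # covers binascii.Error and JSONDecodeError too
        raise ValueError("malformed assertion")

    iss = claims.get("iss")
    key = key_for_issuer(iss, client_id)
    if key is None:
        raise ValueError(f"untrusted issuer: {iss!r}")

    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64u(sig_b64)):
        raise ValueError("signature does not verify under issuer's key")

    aud = claims.get("aud")
    if aud != AS_ID and not (isinstance(aud, list) and AS_ID in aud):
        raise ValueError("audience does not identify this authorization server")
    if "sub" not in claims:
        raise ValueError("missing subject")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("assertion expired or has no expiration")
    return claims


def outcome(token: str, client_id: str, now: float) -> str:
    """Accepted subject, or the rejection reason, for demonstration."""
    try:
        return "accepted: " + validate_assertion(token, client_id, now)["sub"]
    except ValueError as err:
        return f"rejected: {err}"


def demo(now: float = 1_700_000_000) -> dict:
    base = {"aud": AS_ID, "exp": now + 300}
    cases = {
        # Client signs for itself: Issuer == client_id, verified with its key.
        "self_issued": issue_assertion(
            {"iss": "client-123", "sub": "client-123", **base},
            REGISTERED_CLIENTS["client-123"]),
        # A trusted token service vouches for a user.
        "third_party": issue_assertion(
            {"iss": "https://sts.example", "sub": "alice", **base},
            TRUSTED_TOKEN_SERVICES["https://sts.example"]),
        # Names the token service as Issuer but carries the client's own MAC:
        # the key resolved from the Issuer does not verify it.
        "wrong_key_for_issuer": issue_assertion(
            {"iss": "https://sts.example", "sub": "alice", **base},
            REGISTERED_CLIENTS["client-123"]),
        # An Issuer nobody has configured as trusted.
        "unknown_issuer": issue_assertion(
            {"iss": "https://other.example", "sub": "bob", **base}, b"k"),
    }
    return {name: outcome(tok, "client-123", now) for name, tok in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the example makes is that "third party" is not a property of the assertion but of the authorization server's trust configuration: the Issuer value only selects which key is tried, and anything whose Issuer maps to no configured key is refused before the signature is even checked.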