More on data formats

Lloyd Hilaiel lhilaiel at
Wed Nov 20 01:41:33 PST 2013

I love this:

I'm on board with all of these changes.

A couple of thoughts:

1. That an assertion lacks `iat` makes robust date range checking
difficult.  Specifically, it's hard to verify that you don't have an
assertion with a future issue time.  Shall we add `iat` to assertion

2. Let's explicitly cover extensibility [1]:

2a. As an IdP I want to embed extra information in the user's
certificate.  Where do I put it?
2b. As a user agent, I want to embed extra information in an identity
assertion.  Where do I put it?
2c. As an IdP, I want to add information about the (was: principal)
subject of the assertion.  Do I extend with properties in the `sub` key?

Note: My motivation here is generating an assertion verification
library that can extract extra properties that are signed, without
having to understand them.

I love this work, djc.  How do others feel about this?


[1] -
Section 4.2 and 4.3 are pretty wild west about private extension
naming.  But the suggestion seems to be to add properties as you

