More on data formats
Lloyd Hilaiel
lhilaiel at mozilla.com
Wed Nov 20 01:41:33 PST 2013
I love this: https://github.com/djc/id-specs/blob/prod/browserid/json-formats.md
I'm on board with all of these changes.
A couple of thoughts:
1. That an assertion lacks `iat` makes robust date range checking
difficult. Specifically, it's hard to verify that you don't have an
assertion with a future issue time. Shall we add `iat` to the assertion
format?
2. Let's explicitly cover extensibility [1]:
2a. As an IdP, I want to embed extra information in the user's
certificate. Where do I put it?
2b. As a user agent, I want to embed extra information in an identity
assertion. Where do I put it?
2c. As an IdP, I want to add information about the (was: principal)
subject of the assertion, do I extend with properties in the sub key?
Note: My motivation here is generating an assertion verification
library that can extract extra properties that are signed, without
having to understand them.
I love this work, djc. How do others feel about this?
lloyd
[1] http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-17 -
sections 4.2 and 4.3 are pretty wild west about private extension
naming. But the suggestion seems to be to add properties as you
extend.
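
The two points raised in the message above, as an added example that is not part of the original message or of any BrowserID library: a validity-window check that can reject a future issue time only when `iat` is present, and a pass-through of signed properties the verifier does not interpret. The function name, the known-claim set, the clock-skew value, timestamps in seconds, and the sample payloads are all assumptions, and the payload is assumed to be signature-verified and JSON-decoded already.

```javascript
// Properties this hypothetical verifier interprets itself (assumed set).
const KNOWN_CLAIMS = new Set(["iss", "sub", "aud", "exp", "iat"]);

// payload: signature-verified, JSON-decoded object (assumption).
// nowSec / skewSec: current time and tolerated clock skew, in seconds (assumption).
function checkSignedPayload(payload, nowSec, skewSec = 120) {
  const isTime = (v) => Number.isInteger(v) && v >= 0;
  const fail = (reason) => ({ ok: false, reason });

  // Upper bound: always checkable, because exp is present.
  if (!isTime(payload.exp)) return fail("exp missing or invalid");
  if (payload.exp <= nowSec - skewSec) return fail("expired");

  // Lower bound: only checkable when the issuer included iat.
  let issuedAtChecked = false;
  if (payload.iat !== undefined) {
    if (!isTime(payload.iat)) return fail("iat invalid");
    if (payload.iat > nowSec + skewSec) return fail("issued in the future");
    if (payload.iat > payload.exp) return fail("iat after exp");
    issuedAtChecked = true;
  }

  // Hand back every signed property we do not understand, untouched.
  // A null-prototype object keeps a key such as "__proto__" as plain data.
  const extra = Object.create(null);
  for (const key of Object.keys(payload)) {
    if (!KNOWN_CLAIMS.has(key)) extra[key] = payload[key];
  }
  return { ok: true, issuedAtChecked, extra };
}

// Constructed sample payloads (not taken from any real assertion).
const NOW = 1000000;
const SAMPLES = {
  withIat: { aud: "https://rp.example", exp: NOW + 300, iat: NOW - 10,
             "x-device": "phone" },
  futureIat: { aud: "https://rp.example", exp: NOW + 3900, iat: NOW + 3600 },
  noIat: { aud: "https://rp.example", exp: NOW + 300 },
  expired: { aud: "https://rp.example", exp: NOW - 600, iat: NOW - 900 },
};

for (const [name, payload] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(checkSignedPayload(payload, NOW)));
}
```

The `noIat` sample passes with `issuedAtChecked: false`, which is the gap the first point describes: the caller cannot distinguish a freshly issued assertion from one minted with a clock set ahead.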