In the browser artifact profile, the assertions are required to use the
"artifact" confirmation method rather than "SenderVouches". This makes them
useless outside the profile, no matter what their lifetime is.
Well, in POST, the method is bearer, not sender vouches, but then again, I'm
not sure there's a real different in semantics there anyway...