[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [saml-dev] Why no issuer in SAML Artifact Document?
> One reason I could think of for not having the ProviderID and instead having > an SHA1 value of it is to prevent malicious requestor from obtaining the > document referred by the artifact. But this could be easily prevented by > requiring secure communication and signing the artifact resolve request. That is not the reason. The purpose is to make the artifact fixed length. It was decided that there was no use case on the horizon for dynamic discovery of a partner, because the work required to securely communicate with that partner in any meaningful sense was pretty large and would require a lot of work way outside the bounds of SAML. So compromising the fixed length just to send an identifier that by itself was useless in establishing a relationship wasn't popular. > I am no security expert or even close to it and am prtty sure the TC (which, > by the way produced wonderful specifications) didn't over look such > simplistic matters, so expect no proposal from me :). Thanks. I was being totally serious...SAML 1.1 had an artifact format in which the URL of the lookup service was sent by value. It's not a huge leap from that to sending the providerId, and it was considered. -- Scott
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]