
security-services message



Subject: Re: I changed my mind about eliminating the Web browser "Post" profile


Hal,
I'm pleased to see that you changed your mind regarding the
POST profile as it can eliminate the need for additional
server-state that Artifacts introduce.  I still think that
the bindings group should take a look at the issues raised in:
 
 
The earlier mentioned "JavaScript security issue" can be made much less
of a choice by actually letting the user's browser make the "decision".
If JavaScript-based solutions must be given as appendices, the following
code belongs there:
 
<HTML>
<!-- With JavaScript enabled the ONLOAD handler submits the form at once;  -->
<!-- the NOSCRIPT block is only rendered when scripting is off, so the      -->
<!-- user then continues by pressing the button. (The ONLOAD handler is the -->
<!-- part the original snippet left implicit.)                              -->
<BODY BGCOLOR="#FFFFFF" ONLOAD="document.forms[0].submit()">
<FORM METHOD="POST" ACTION="Destination-URL">
<NOSCRIPT>
<CENTER><H2>Your browser is JavaScript-disabled!</H2>
<H3>Click on the button below to manually continue the login</H3>
<INPUT TYPE="SUBMIT" VALUE="Continue"></CENTER>
</NOSCRIPT>
<!-- The assertion is carried Base64-encoded in a hidden field -->
<INPUT TYPE="HIDDEN" NAME="SAMLAssertion" VALUE="Assertion in Base64-coding">
</FORM>
</BODY>
</HTML>
 
Only to please (?) you, we have added this fallback code to our SAML-inspired
Purple demo so you can try it with or without JavaScript enabled in your browser.
 

Note: Don't try to run the "seller" app as it does not perform as expected
without JavaScript.  Only authentication works.
 
My referred-to document has been updated accordingly:
 
Regards 
Anders
----- Original Message -----
From: "Hal Lockhart" <hal.lockhart@entegrity.com>
Sent: Friday, August 31, 2001 16:41
Subject: I changed my mind about eliminating the Web browser "Post" profile

At the F2F I agreed to document my proposal to drop the Browser "Form Post"
Profile.  My reason was a hope we could avoid "Bearer" Assertions entirely.

I have been convinced that Bearer Assertions will be required. I can live
with this, providing:

1. They are clearly labeled as such. (The current spec is almost there.)
2. They are only used in profiles where absolutely necessary.
3. Appropriate analysis is provided in Security Considerations.

As a consequence, I now agree with Prateek that we should continue to
develop both the "artifact" and the "Form Post" variants of the Browser
profile. The issue of which one or both is mandatory to implement can be
discussed later.

Hal
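The two messages above touch the same two pieces of the Browser/POST profile: the self-posting page with its NOSCRIPT fallback (Anders' snippet) and what a destination site has to do before it trusts a bearer assertion (Hal's three conditions). The Python below is an added example written for this page; it is not Anders' Purple demo code and not text from the SAML drafts. The assertion it builds is a hand-made, unsigned SAML 1.0-style sample, the hostnames and URLs are assumptions, and signature verification is assumed to have been done with an XML-DSig library before accept_post() runs.

```python
"""Added example for this thread (not Anders' Purple demo code, not text from the SAML drafts):
both ends of a Browser/POST exchange carrying a bearer assertion. build_post_page() is the source
site's self-posting form with a NOSCRIPT fallback; accept_post() is the destination site's decoding
plus the checks a bearer assertion needs. The sample assertion is hand-built and UNSIGNED: a real
destination site verifies the XML signature with an XML-DSig library before calling accept_post()."""
import base64
import html
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
NS = {"saml": SAML_NS}

class BearerAssertionError(Exception):
    """Raised when the POSTed assertion must not be accepted."""

def build_post_page(destination_url, assertion_xml):
    """Source site's page: Base64 assertion in a hidden field, attribute-escaped, auto-submitted."""
    b64 = base64.b64encode(assertion_xml).decode("ascii")
    return (
        '<HTML><BODY ONLOAD="document.forms[0].submit()">\n'
        f'<FORM METHOD="POST" ACTION="{html.escape(destination_url, quote=True)}">\n'
        "<NOSCRIPT><H2>Your browser is JavaScript-disabled!</H2>\n"
        "<H3>Click on the button below to manually continue the login</H3>\n"
        '<INPUT TYPE="SUBMIT" VALUE="Continue"></NOSCRIPT>\n'
        f'<INPUT TYPE="HIDDEN" NAME="SAMLAssertion" VALUE="{html.escape(b64, quote=True)}">\n'
        "</FORM></BODY></HTML>\n"
    )

def make_sample_assertion(assertion_id, audience, not_before, not_on_or_after):
    """Constructed SAML 1.0-style bearer assertion for the demo (unsigned, made-up issuer)."""
    nb, na = (d.strftime("%Y-%m-%dT%H:%M:%SZ") for d in (not_before, not_on_or_after))
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" AssertionID="{assertion_id}" MajorVersion="1"
  MinorVersion="0" Issuer="source.example" IssueInstant="{nb}">
  <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"><saml:AudienceRestrictionCondition><saml:Audience>{audience}</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password" AuthenticationInstant="{nb}">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier>
      <saml:SubjectConfirmation><saml:ConfirmationMethod>{BEARER}</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>""".encode()

def accept_post(form_body, expected_audience, seen_ids, now=None):
    """Destination side (signature assumed verified): returns the subject or raises."""
    now = now or datetime.now(timezone.utc)
    fields = parse_qs(form_body, strict_parsing=True)
    try:
        raw = base64.b64decode(fields["SAMLAssertion"][0], validate=True)
    except (KeyError, ValueError) as exc:
        raise BearerAssertionError("missing or malformed SAMLAssertion field") from exc
    # Attacker-supplied XML: production code should use a hardened parser such as defusedxml.
    root = ET.fromstring(raw)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise BearerAssertionError("root element is not saml:Assertion")
    # 1. Bearer assertions must be labelled as such; accept no other confirmation method.
    methods = [m.text for m in root.iterfind(".//saml:ConfirmationMethod", NS)]
    if methods != [BEARER]:
        raise BearerAssertionError(f"unexpected confirmation method(s): {methods}")
    # 2. Anyone holding a bearer assertion can present it: enforce the short validity window.
    cond = root.find("saml:Conditions", NS)
    try:
        nb, na = (datetime.fromisoformat(cond.attrib[k].replace("Z", "+00:00"))
                  for k in ("NotBefore", "NotOnOrAfter"))
    except (AttributeError, KeyError, ValueError) as exc:
        raise BearerAssertionError("missing or malformed Conditions") from exc
    if not nb <= now < na:
        raise BearerAssertionError(f"assertion not valid at {now.isoformat()}")
    # 3. An assertion issued for another destination site is not ours to consume.
    audiences = [a.text for a in cond.iterfind(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        raise BearerAssertionError(f"audience {audiences} does not name this site")
    # 4. Single use: the same AssertionID presented twice is a replay.
    aid = root.get("AssertionID")
    if not aid or aid in seen_ids:
        raise BearerAssertionError("missing or already-consumed AssertionID")
    seen_ids.add(aid)
    return {"subject": root.findtext(".//saml:NameIdentifier", namespaces=NS), "assertion_id": aid}

def _rejected(**kw):
    try:
        accept_post(**kw)
        return False
    except BearerAssertionError:
        return True

def run_demo():
    """Constructed round trip: accept once, then reject replay, expiry and a foreign audience."""
    t0 = datetime(2001, 8, 31, 16, 41, tzinfo=timezone.utc)
    acs = "https://dst.example/acs"  # assumed destination (relying-party) URL
    xml = make_sample_assertion("a1", acs, t0 - timedelta(minutes=1), t0 + timedelta(minutes=5))
    page = build_post_page(acs + "?x=1&y=2", xml)
    body = urlencode({"SAMLAssertion": base64.b64encode(xml).decode("ascii")})  # as the browser posts it
    seen = set()
    first = accept_post(body, acs, seen, now=t0)
    return {"page_ok": "<NOSCRIPT>" in page and 'ACTION="https://dst.example/acs?x=1&amp;y=2"' in page,
            "subject": first["subject"],
            "replay_rejected": _rejected(form_body=body, expected_audience=acs, seen_ids=seen, now=t0),
            "expired_rejected": _rejected(form_body=body, expected_audience=acs, seen_ids=set(), now=t0 + timedelta(minutes=10)),
            "foreign_audience_rejected": _rejected(form_body=body, expected_audience="https://other.example/", seen_ids=set(), now=t0)}
```

Calling run_demo() walks the exchange once and reports which presentations were refused. The four checks in accept_post() are the places where a stolen or reused bearer assertion gets caught: the validity window bounds how long a leaked assertion is worth, the audience check keeps one issued for a different destination site from being presented here, and the AssertionID cache turns a second presentation into a replay rejection. None of this replaces the signature check, which is what ties the assertion to the source site in the first place and is assumed to have already passed.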




