[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] sstc-bindings-extensions-02
>I have added a GET-oriented flow from the destination site to the source >site. It follows Scott's POST-based flows very closely; for some required >values I have chosen fixed-size strings in place of the unbounded strings >used in the POST case. Other than that, the two flows are quite similar. I like the notion of essentially divorcing these two flows from each other and basically not trying to directly map all of the XML in <Request> to a URL, which I think is a losing proposition. General comments: Since the query string is entirely defined by this profile, I suggest saving space by reducing the size of the parameter names, particularly dropping the SAML prefix in each case (no, it's not much, but it's of zero-processing value). Doesn't base64 generally inflate the size of what it encodes? I would think straight URL encoding of the data per usual practice would make more sense in most cases. Some of the length limitations seem a little tight, particularly the RequestID. I would imagine I'm not the only one who would have implemented their IDs as UUIDs, which are more than 20 bytes. I could special case this ID, but in general, I think we can relax some of these limits and still end up in fairly good shape, length-wise. I would prefer somewhat less hashing of URIs and things, and more SHOULDs about length. -- Scott
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]