Subject: Proposed change to POST-SimpleSign binding draft 02
My proposal to JeffH after last call was to address the question of how to tell the difference between this binding and the original POST binding by making this a compatible superset of the original. To do that, I suggested that the Signature form parameter (the blob signature) be used as a clear signal that this binding is being used.

Unsigned messages could be processed by an implementation of either POST binding, and it's left to deployers and profiles to decide whether no signature is allowable or not. Even now, we allow that, and it's up to the SSO consumer to enforce the restriction that the assertion be signed. But if you had a signed Response (signed as XML I mean), you should be legally able to send it via the POST-SimpleSign binding as long as you also include the simplified Signature as well.

The upshot is that there's just a single change to the last draft, making it legal to leave the original XML Signature in place (right now it's a MUST to remove it). There's no space limitation like with Redirect, which is where the MUST came from.

As a result of the change, it will be possible for existing POST implementations to easily update themselves to support this binding, or layer their implementation of each one to share most of the same code.

-- Scott
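The dispatch rule proposed above, as an added receiver-side example that is not part of the original message or of the binding draft: the Signature form parameter selects the binding, an XML Signature left in the message is still noted, and an unsigned message is accepted only if deployment policy allows it. The function names, the `allow_unsigned` flag, the DOCTYPE rejection and the choice to require verification of every signature present are assumptions of this example; it decides which checks are required and does not perform the cryptographic verification itself.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

DS_SIG = "{http://www.w3.org/2000/09/xmldsig#}Signature"

def classify_post(body, allow_unsigned=False):
    """Pick the binding for a form POST and list the signatures that must verify."""
    form = parse_qs(body, keep_blank_values=True)
    field = next((f for f in ("SAMLResponse", "SAMLRequest") if f in form), None)
    # Repeated fields are ambiguous input, so refuse them outright.
    if field is None or len(form[field]) != 1 or len(form.get("Signature", [""])) != 1:
        raise ValueError("missing or repeated SAML form field")
    xml = base64.b64decode(form[field][0], validate=True)
    if b"<!DOCTYPE" in xml:
        raise ValueError("DTD not accepted in a SAML message")
    root = ET.fromstring(xml)
    must_verify = []
    # The Signature form parameter is the signal that SimpleSign is in use.
    if "Signature" in form:
        binding = "HTTP-POST-SimpleSign"
        must_verify.append("form-signature")
    else:
        binding = "HTTP-POST"
    # Under the proposed change an XML Signature may stay in the message.
    if root.find(DS_SIG) is not None:
        must_verify.append("xml-signature")
    # Whether no signature at all is acceptable is a deployer decision.
    if not must_verify and not allow_unsigned:
        raise PermissionError("unsigned message rejected by deployment policy")
    return {"binding": binding, "must_verify": must_verify}

# Constructed sample messages (not real protocol traffic).
PLAIN = '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1"/>'
XML_SIGNED = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r2">'
              '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/></samlp:Response>')

def make_body(xml, blob_sig=None):
    """Build a form-encoded POST body; blob_sig is a placeholder signature value."""
    fields = {"SAMLResponse": base64.b64encode(xml.encode()).decode()}
    if blob_sig is not None:
        fields["Signature"] = blob_sig
    return urlencode(fields)

if __name__ == "__main__":
    for xml, sig in ((PLAIN, "c2ln"), (XML_SIGNED, "c2ln"), (XML_SIGNED, None)):
        print(classify_post(make_body(xml, sig)))
```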