Re: [saml-dev] Why no issuer in SAML Artifact Document?

["Kunal Gandhi" <kunal@amsoft.net>]

----- Original Message ----- 
From: "Scott Cantor" <cantor.2@osu.edu>
To: "'Kunal Gandhi'" <kunal@amsoft.net>; <saml-dev@lists.oasis-open.org>
Sent: Friday, October 21, 2005 8:21 PM
Subject: RE: [saml-dev] Why no issuer in SAML Artifact Document?


>> Could any one tell the reason(s) as to why there is no
>> <Issuer> element in SAML Artifact Document?
> > A SAML artifact is not a document. It's a string, generally fixed 
> > length,
> that is encoded with the information required to locate the peer who sent 
> a
> corresponding message.
>
####### Kunal wrote: ##########
If the artifact here means an *old* substance/document or a referrer to it, 
it should just contain the message handle (and send the ProviderID as it 
is).
One reason I could think of for not having the ProviderID and instead having 
an SHA1 value of it is to prevent malicious requestor from obtaining the 
document referred by the artifact. But this could be easily prevented by 
requiring secure communication and signing the artifact resolve request.

I am no security expert or even close to it and am prtty sure the TC (which, 
by the way produced wonderful specifications) didn't over look such 
simplistic matters, so expect no proposal from me :). Thanks.
############################

> If the artifact structure doesn't provide you the information you need, 
> then
> you have a different use case and probably shouldn't use artifacts.
>
> You could also define your own artifact format, but nobody else is likely 
> to
> support it. If you think the format is necessary to the standard, then you
> should probably consider joining the TC and submitting it as a proposal.
>
> -- Scott
>
>