OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [saml-dev] Why no issuer in SAML Artifact Document?

> One reason I could think of for not having the ProviderID and instead
> an SHA1 value of it is to prevent malicious requestor from obtaining the 
> document referred by the artifact. But this could be easily prevented by 
> requiring secure communication and signing the artifact resolve request.

That is not the reason. The purpose is to make the artifact fixed length.

It was decided that there was no use case on the horizon for dynamic
discovery of a partner, because the work required to securely communicate
with that partner in any meaningful sense was pretty large and would require
a lot of work way outside the bounds of SAML. So compromising the fixed
length just to send an identifier that by itself was useless in establishing
a relationship wasn't popular.

> I am no security expert or even close to it and am prtty sure the TC
> by the way produced wonderful specifications) didn't over look such 
> simplistic matters, so expect no proposal from me :). Thanks.

I was being totally serious...SAML 1.1 had an artifact format in which the
URL of the lookup service was sent by value. It's not a huge leap from that
to sending the providerId, and it was considered.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]