OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Re: I changed my mind about eliminating the Web browser "Post" profil e

I'm pleased to see that you changed your mind regarding the
POST profile as it can eliminate the need for additional
server-state that Artifacts introduce.  I still think that
the bindings group should take a look on the issues raised in:
The earlier mentioned "JavaScript security issue" can be made much less
of a choice by actually letting the user's browser do the "decision".
If JavaScript-based solutions must be as appendices, the following
code belongs there:
<CENTER><H2>Your browser is JavaScript-disabled!</H2>
<H3>Click on the button below to manually continue the login</H3>
<INPUT TYPE="HIDDEN" NAME="SAMLAssertion" VALUE="Assertion in Base64-coding">
Only to please (?) you we have added this fallback code to our SAML-inspired
Purple demo so you can try with or without JavaScript enabled in your browser.

Note: Don't try to run the "seller" app as it does not perform as expected
without JavaScript.  Only authentication works.
My referred-to document has been updated accordingly:
----- Original Message -----
From: "Hal Lockhart" <hal.lockhart@entegrity.com>
Sent: Friday, August 31, 2001 16:41
Subject: I changed my mind about eliminating the Web browser "Post" profil e

At the F2F I agreed to document my proposal to drop the Browser "Form Post"
Profile.  My reason was a hope we could avoid "Bearer" Assertions entirely.

I have been convinced that Bearer Assertions will be required. I can live
this providing:

1. They are clearly labled as such. (The current spec is almost there.)
2. They are only used in profiles where absolutely necessary.
3. Appropriate analysis is provided in Security Considerations.

As a consequence, I now agree with Prateek that we should continue to
develop both the "artifact" and the "Form Post" variants of the Browser
profile. The issue of which one or both is mandatory to implement can be
discussed later.


To subscribe or unsubscribe from this elist use the subscription
manager: <

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC