OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Re: Bindings Committee Recommendation: SAML HTTP Binding should be mandatory-to-implement

Since I initially brought up the potential IPR concerns, here's an update 
on my thoughts on this matter now that I've talked to some folks around 
here.  Essentially, SOAP doesn't currently seem any more risky to use than 
the alternatives when it comes to encumbrances.  If a patent that's 
specific to SOAP (but not other XML over a transport) suddenly get 
disclosed and requires royalty payments, it won't be pretty for the patent 
holder!  -- and we can deal with it then.

A few other notes below:

At 09:48 PM 10/8/01 -0400, Mishra, Prateek wrote:
>Which SAML binding should be mandatory-to-implement?
>(a) HTTP
>(b) SOAP over HTTP with no intermediaries
>The argument for (a) include the following:
>(i) SOAP 1.1 IPR is encumbered

The point made in (b)(iv) below suggests that this worry doesn't away if 
other choices are made.

>(ii) The results of the XMLP effort (SOAP 1.2) may look quite
>different from SOAP 1.1 (XMLP will be ready in Q1/02)

I checked with Chris Ferris, one of the folks heavily involved in the SOAP 
1.2 work, and his response was: 'SOAP1.2 won't be radically different from 
SOAP1.1. It is largely unchanged except for namespace, elimination of 
"trailers" and there is likely to be a more XML Schema-aligned "encoding" 
which shouldn't impact SAML ....'  He offered to review this binding again 
to look for gotchas with respect to future SOAP 1.2 changes.

>(iii) other than marketing issues, we do not gain much by utilizing
>SOAP at this point
>(iv) "raw" HTTP provides a firmer foundation for our work; notice
>that a mandatory-to-implement binding is an additional layer in
>the SAML protocol stack.
>Arguments for (b) include:
>(i) SOAP provides a reasonable packaging structure, at least in
>the case of SOAP over HTTP
>(ii) SOAP offers a message-level error processing model
>(iii) The two alternatives are essentially the same but choosing
>SOAP over HTTP offers SAML, better marketing buzz.
>(iv) There may be patents lurking for any generic XML messaging
>framework; even if we choose (a) we may find that patents apply.

Eve Maler                                    +1 781 442 3190
Sun Microsystems XML Technology Center   eve.maler @ sun.com

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC