security-services message

Subject: RE: [security-services] proposed change to POST profile: send Response instead of Assertion

Just to be real clear here:

(1) Bob has proposed a small change to some of the structures
used in the FORM post profile. The proposed change has the
following impacts:

(a) Section to be removed from Assertions and added to
Section 3.4.2 (Response). For symmetry we may also want to
add this to Section 3.2.2 (Request).

(b) Text in the Browser/POST profile needs to be respun to reflect this
change. Bob M. will take a first crack at the revised text and I will edit
and include in the final bindings draft.

(2) This has no relationship to the HTTP *binding*.

(3) I think we can delay this change till after last call as it has no
foundational impact at the core or binding level.

- prateek

>>-----Original Message-----
>>From: Scott Cantor [mailto:cantor.2@osu.edu]
>>Sent: Wednesday, January 30, 2002 10:57 AM
>>To: 'Eve L. Maler'
>>Cc: security-services@lists.oasis-open.org
>>Subject: RE: [security-services] proposed change to POST profile: send
>>Response instead of Assertion
>>
>>> If everyone else is convinced, I guess I am.  *If* everyone else is
>>> convinced?  Could an HTTP binding be made dead-simple enough to
>>> "happen" to carry a SAML request or response?  If so, why didn't we
>>> include it in SAML 1.0?
>>
>>I strongly favored HTTP (the SOAP layer, which is soon to be a legacy
>>version of SOAP, adds work for implementers and clear overhead at
>>runtime with no benefits that I'm seeing), but I also agree with having
>>one mandatory well-defined binding rather than two, so there wasn't any
>>point in pushing its inclusion.
>>
>>But the POST profile (even this proposed version of it) really isn't an
>>HTTP binding, though I guess it has some similarities. For one thing, it
>>puts a SAML Response in the HTTP request, which is backward from the
>>HTTP binding. It's also a multi-hop profile with the browser in the
>>middle, so you have to worry about MITM and such.
>>
>>The real way to think about the proposed change is as a schema cleanup
>>suggestion that gets a confusing element out of Assertion and aligns the
>>POST profile better with the other one.
>>
>>-- Scott
