
security-services message



Subject: RE: [security-services] proposed change to POST profile: send Response instead of Assertion


Just to be real clear here:

(1) Bob has proposed a small change to some of the structures
used in the FORM post profile. The proposed change has the
following impacts:

(a) Section 2.3.3.1.4 to be removed from Assertions and added to
Section 3.4.2 (Response). For symmetry we may also want to
add this to Section 3.2.2 (Request).

(b) Text in the Browser/POST profile needs to be respun to reflect this
change. Bob M. will take a first crack at the revised text and I will edit
and include in the final bindings draft.


(2) This has no relationship to the HTTP *binding*.


(3) I think we can delay this change till after last call as it has no
foundational impact at the core or binding level.


- prateek


>>-----Original Message-----
>>From: Scott Cantor [mailto:cantor.2@osu.edu]
>>Sent: Wednesday, January 30, 2002 10:57 AM
>>To: 'Eve L. Maler'
>>Cc: security-services@lists.oasis-open.org
>>Subject: RE: [security-services] proposed change to POST profile: send Response instead of Assertion
>>
>>> > If everyone else is convinced, I guess I am. *If* everyone else is
>>> > convinced? Could an HTTP binding be made dead-simple enough to
>>> > "happen" to carry a SAML request or response? If so, why didn't we
>>> > include it in SAML 1.0?
>>
>>I strongly favored HTTP (the SOAP layer, which is soon to be a legacy
>>version of SOAP, adds work for implementers and clear overhead at
>>runtime with no benefits that I'm seeing), but I also agree with having
>>one mandatory well-defined binding rather than two, so there wasn't any
>>point in pushing its inclusion.
>>
>>But the POST profile (even this proposed version of it) really isn't an
>>HTTP binding, though I guess it has some similarities. For one thing, it
>>puts a SAML Response in the HTTP request, which is backward from the
>>HTTP binding. It's also a multi-hop profile with the browser in the
>>middle, so you have to worry about MITM and such.
>>
>>The real way to think about the proposed change is as a schema cleanup
>>suggestion that gets a confusing element out of Assertion and aligns the
>>POST profile better with the other one.
>>
>>-- Scott
>>
>>----------------------------------------------------------------
>>To subscribe or unsubscribe from this elist use the subscription
>>manager: <http://lists.oasis-open.org/ob/adm.pl>

