OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] sstc-bindings-extensions-02

>I have added a GET-oriented flow from the destination site to the source
>site. It follows Scott's POST-based flows very closely; for some required
>values I have chosen fixed-size strings in place of the unbounded strings
>used in the POST case. Other than that, the two flows are quite similar.

I like the notion of essentially divorcing these two flows from each other and basically not trying to directly map all of the XML
in <Request> to a URL, which I think is a losing proposition.

General comments:

Since the query string is entirely defined by this profile, I suggest saving space by reducing the size of the parameter names,
particularly dropping the SAML prefix in each case (no, it's not much, but it's of zero-processing value).

Doesn't base64 generally inflate the size of what it encodes? I would think straight URL encoding of the data per usual practice
would make more sense in most cases.

Some of the length limitations seem a little tight, particularly the RequestID. I would imagine I'm not the only one who would have
implemented their IDs as UUIDs, which are more than 20 bytes. I could special case this ID, but in general, I think we can relax
some of these limits and still end up in fairly good shape, length-wise.

I would prefer somewhat less hashing of URIs and things, and more SHOULDs about length.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]