OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Redefining artifact as binding

Before I do the work here, I'd like to get basic acceptance (or not) of my
proposal to turn the existing artifact profile into a binding for passing
messages by reference.

The most obvious change that isn't just a layering distinction is that it
means redefining what an artifact is from an assertion reference to a
protocol message reference. In most respects, this is not a big change. I
believe that most of the existing processing rules from the artifact profile
stand almost as is, although in some contexts the single-use semantics (and
possibly even the authentication requirements) could be overstated.

There are a few technical details that arise, such as whether to still
permit multiple artifacts (not clear there's a use case for this anyway),
which would require wrapping the protocol messages being dereferenced in
some kind of container. In the absence of that requirement, it was my
intention to specify that the result of an ArtifactRequest could be any
single protocol message (including another Request type). Arguably the
ambiguity around something like InResponseTo argue for some kind of
container anyway, but this isn't a major concern.

Why do this? Because it is in fact a by-reference binding for a Response in
the profile and I believe we should define it in the correct place. More
importantly, it allows the binding to be applied to any protocol, not just
SSO, and allows request messages to be passed by reference as well. There
are reasonable arguments for not passing messages in browsers (either with
POST or URL encoding), otherwise the artifact profile wouldn't have been
defined to begin with.

Secondarily, it's not much work nor a big change architecturally for
implementations, and it should reduce the SSO profiles to one simpler
profile that should apply equally to any client that wants to get a simple

Are there objections to this proposal?

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]