OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] List of possible implementation features for SAML 2.0

John, this was discussed at the F2F and I am reasonably comfortable with the
current state of the binding. I don't think it needs to be exposed at the
conformance level, it is not really a choice point for implementers (maybe
for deployers). 

I have been concerned about the issue of burying a number of choices within
bindings and the implementation cost of the same. However, in this case, I
understand that the implementation cost is modest: you have a single
"artifact consumer" URL which either finds the artifact on the URL line or
in the POST body. Using POST for artifact delivery mitigates the "referrer"
issue identified by Thomas Gross.

In fact, here is a different position altogether: remove the GET part
completely and retain only the POST delivery method. This limits the
implementations to just one form and avoids the "referrer" issue.


-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu] 
Sent: Wednesday, June 30, 2004 6:17 PM
To: 'John Hughes'; Mishra, Prateek
Cc: security-services@lists.oasis-open.org
Subject: RE: [security-services] List of possible implementation features
for SAML 2.0

> this may add perhaps too much detail - but do you want to capture the fact
> that the HTTP Artifact binding can use HTML forms or URL encoding to
> transport the artifact (albeit that conformant implementation for this
> binding MUST implement both)

It was my hope we'd just bury that inside the binding and not have to call
it out in conformance. Given the choice between that and having to make
things even more complex there, I'd actually be in favor of just backing off
to GET.

I just think allowing POST is a good nod toward security without costing us
much in complexity.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]