OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] List of possible implementation features for SAML 2.0

Prateek,

I've no strong feelings on the matter.  Would be comfortable with either,
just GET or just POST


John

PS perhaps I should have come to the F2F!

> -----Original Message-----
> From: Mishra, Prateek [mailto:pmishra@netegrity.com]
> Sent: 01 July 2004 14:55
> To: Scott Cantor; 'John Hughes'
> Cc: security-services@lists.oasis-open.org
> Subject: RE: [security-services] List of possible implementation
> features for SAML 2.0
>
>
> John, this was discussed at the F2F and I am reasonably
> comfortable with the
> current state of the binding. I don't think it needs to be exposed at the
> conformance level, it is not really a choice point for implementers (maybe
> for deployers).
>
> I have been concerned about the issue of burying a number of
> choices within
> bindings and the implementation cost of the same. However, in this case, I
> understand that the implementation cost is modest: you have a single
> "artifact consumer" URL which either finds the artifact on the URL line or
> in the POST body. Using POST for artifact delivery mitigates the
> "referrer"
> issue identified by Thomas Gross.
>
> In fact, here is a different position altogether: remove the GET part
> completely and retain only the POST delivery method. This limits the
> implementations to just one form and avoids the "referrer" issue.
>
> Comments?
>
> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Wednesday, June 30, 2004 6:17 PM
> To: 'John Hughes'; Mishra, Prateek
> Cc: security-services@lists.oasis-open.org
> Subject: RE: [security-services] List of possible implementation features
> for SAML 2.0
>
> > this may add perhaps too much detail - but do you want to
> capture the fact
> > that the HTTP Artifact binding can use HTML forms or URL encoding to
> > transport the artifact (albeit that conformant implementation for this
> > binding MUST implement both)
>
> It was my hope we'd just bury that inside the binding and not have to call
> it out in conformance. Given the choice between that and having to make
> things even more complex there, I'd actually be in favor of just
> backing off
> to GET.
>
> I just think allowing POST is a good nod toward security without
> costing us
> much in complexity.
>
> -- Scott
>
>
>
> To unsubscribe from this mailing list (and be removed from the
> roster of the OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave
_workgroup.php.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]