Will Norris wrote:
Just curious, but why are we stressing too much on the attribute name length?  
I understand we want to keep the message smaller if possible, but isn't that 
what the artifact profile is going to be for?  Won't this be a moot point then?

We have problems today where the response exceeds 2KB, forcing the OP to return the response via POST, or else risk having the response truncated by either the user's browser or an intermediate proxy server.

From a UX perspective, returning the response via POST is really unacceptable. If the OP supports HTTPS, but the RP does not, returning the response via POST will display a browser security warning. POST responses also introduce additional browser latency since the response has to be autosubmitted via JS. Almost all RPs that I know of do not support HTTPS.

The 2KB limit first started to be an issue during the Government GSA testing, since PAPE combined with AX can make for really sizable responses. The Government RPs also tended to have very long return_to URLs, making the problem worse.

Artifact Binding can potentially solve this issue; however, I believe that the community will benefit by having a compact AX. I do know of RPs which have tried AX, and then have reverted back to SREG because of the POST issues.

Thanks
Allen
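
The size problem described in the message above, as an added example that is not part of the original post or of any OpenID library: it builds the same positive assertion with SREG and with AX and picks GET or POST against the 2KB limit. All hosts, identifiers and attribute values are constructed, and applying the limit to the whole redirect URL is an assumption.

```python
from urllib.parse import urlencode

URL_LIMIT = 2048  # the 2KB ceiling from the thread; measuring the whole URL is an assumption
# Constructed sample data: SREG field name -> (axschema.org type URI, value)
ATTRS = {
    "nickname": ("http://axschema.org/namePerson/friendly", "alice"),
    "email": ("http://axschema.org/contact/email", "alice@example.com"),
    "fullname": ("http://axschema.org/namePerson", "Alice Example"),
    "dob": ("http://axschema.org/birthDate", "1980-01-01"),
    "country": ("http://axschema.org/contact/country/home", "US"),
}
# Core positive-assertion fields with constructed values
CORE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/server",
    "openid.claimed_id": "https://op.example/id/alice",
    "openid.identity": "https://op.example/id/alice",
    "openid.response_nonce": "2009-01-01T00:00:00Zabc123",
    "openid.assoc_handle": "constructed-handle",
}

def sreg_fields(attrs):
    out = {"openid.ns.sreg": "http://openid.net/extensions/sreg/1.1"}
    out.update({f"openid.sreg.{name}": value for name, (_, value) in attrs.items()})
    return out

def ax_fields(attrs):
    out = {"openid.ns.ax": "http://openid.net/srv/ax/1.0", "openid.ax.mode": "fetch_response"}
    for alias, (type_uri, value) in attrs.items():
        out[f"openid.ax.type.{alias}"] = type_uri  # AX sends a type URI per attribute
        out[f"openid.ax.value.{alias}"] = value
    return out

def redirect_url(return_to, ext):
    fields = {**CORE, "openid.return_to": return_to, **ext}
    # Each signed key is named again in openid.signed, so long names are paid for twice.
    fields["openid.signed"] = ",".join(k[len("openid."):] for k in fields)
    fields["openid.sig"] = "A" * 44  # placeholder sized like a base64 HMAC-SHA256
    return return_to + ("&" if "?" in return_to else "?") + urlencode(fields)

def binding(url):
    return "GET" if len(url) <= URL_LIMIT else "POST"

if __name__ == "__main__":
    rt = "https://rp.example/openid/return?session=abc"  # constructed return_to
    for label, ext in (("SREG", sreg_fields(ATTRS)), ("AX", ax_fields(ATTRS))):
        url = redirect_url(rt, ext)
        print(label, len(url), binding(url))
```

Lengthening the constructed return_to or adding attributes shows how quickly the AX form approaches the limit compared with SREG.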
