On Nov 17, 2009, at 6:37 PM, Allen Tom wrote:

> Will Norris wrote:
>> Just curious, but why are we stressing too much on the attribute name
>> length? I understand we want to keep the message smaller if possible, but
>> isn't that what the artifact profile is going to be for? Won't this be a
>> moot point then?
>>
> We have problems today where the response exceeds 2KB, forcing the OP to
> return the response via POST, or else risk having the response truncated by
> either the user's browser or an intermediate proxy server.
>
> From a UX perspective, returning the response via POST is really
> unacceptable. If the OP supports HTTPS, but the RP does not, returning the
> response via POST will display a browser security warning. POST responses
> also introduce additional browser latency since the response has to be
> autosubmitted via JS. Almost all RPs that I know of do not support HTTPS.
>
> The 2KB limit first started to be an issue during the Government GSA testing,
> since PAPE combined with AX can make for really sizable responses. The
> Government RPs also tended to have very long return_to URLs, making the
> problem worse.
>
> Artifact Binding can potentially solve this issue; however, I believe that the
> community will benefit by having a compact AX. I do know of RPs which have
> tried AX, and then have reverted back to SREG because of the POST issues.
Fair enough. Really, the attribute names are effectively opaque anyway, so it doesn't really matter. We even went so far in the Shibboleth community as to start recommending[0] URN-based OIDs for attributes (i.e. "urn:oid:1.3.6.1.4.1.5923.1.1.1.10").

I'd have more hesitation around changing the datatype from URIs to simple strings, since I think that would potentially cause much more confusion.

-will

[0]: http://middleware.internet2.edu/dir/docs/internet2-mace-dir-saml-attributes-200604.pdf

_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
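The size problem Allen describes, as an added example that is not code from the thread or from any OpenID library: it assembles an OpenID 2.0 positive assertion carrying an AX fetch_response plus PAPE data, signs it in the spec's key-value form, and measures the resulting return_to redirect URL to decide whether a GET redirect is still safe or the OP has to fall back to an auto-submitted POST form. Parameter names, namespace URIs and the signing form are from OpenID 2.0, AX 1.0 and PAPE 1.0; the 2 KB cut-off, the OP/RP endpoints, the MAC key, the nonce and association handle, and the short "ax:..." type names standing in for a compact AX are constructed assumptions.

```python
"""Size budget of an OpenID 2.0 indirect (browser-redirect) response that
carries AX attributes and PAPE data.

Added example, not code from the openid-specs thread.  Parameter names,
namespace URIs and the key-value signing form are from OpenID 2.0, AX 1.0
and PAPE 1.0; the 2 KB cut-off, the OP/RP endpoints, the MAC key and the
"compact" type names are constructed assumptions.
"""
import base64
import hashlib
import hmac
from urllib.parse import urlencode, urlsplit, urlunsplit

GET_LIMIT = 2048  # assumed: longest redirect URL we trust browsers/proxies to carry

OPENID_NS = "http://specs.openid.net/auth/2.0"
AX_NS = "http://openid.net/srv/ax/1.0"
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"

# alias -> AX type URI (axschema.org, as deployed AX RPs request them)
AX_TYPES = {
    "email": "http://axschema.org/contact/email",
    "first": "http://axschema.org/namePerson/first",
    "last": "http://axschema.org/namePerson/last",
    "country": "http://axschema.org/contact/country/home",
    "language": "http://axschema.org/pref/language",
    "nickname": "http://axschema.org/namePerson/friendly",
}
# alias -> hypothetical short type name, constructed to illustrate a compact AX;
# not a standardised scheme
COMPACT_TYPES = {alias: f"ax:{alias}" for alias in AX_TYPES}

MAC_KEY = b"\x00" * 32  # constructed association MAC key (a real OP negotiates one)


def kv_form(fields: dict, signed: list) -> bytes:
    """OpenID 2.0 key-value form of the signed fields: 'key:value\\n' per field."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()


def sign(fields: dict, signed: list) -> str:
    """HMAC-SHA256 over the key-value form, base64 as in openid.sig."""
    mac = hmac.new(MAC_KEY, kv_form(fields, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def verify(fields: dict) -> bool:
    """Recompute openid.sig from the openid.signed list (direct verification)."""
    signed = fields["openid.signed"].split(",")
    return hmac.compare_digest(sign(fields, signed), fields["openid.sig"])


def build_assertion(op_endpoint, claimed_id, return_to, attrs, compact=False) -> dict:
    """Positive assertion (mode=id_res) with an AX fetch_response and PAPE data."""
    fields = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": op_endpoint,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.response_nonce": "2009-11-17T18:37:00Zabcdef",       # constructed
        "openid.assoc_handle": "{HMAC-SHA256}{4b0311d6}{S4/rkA==}",  # constructed
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_response",
        "openid.ns.pape": PAPE_NS,
        "openid.pape.auth_policies": PHISHING_RESISTANT,
        "openid.pape.auth_time": "2009-11-17T18:30:00Z",
    }
    types = COMPACT_TYPES if compact else AX_TYPES
    for alias, value in attrs.items():
        fields[f"openid.ax.type.{alias}"] = types[alias]
        fields[f"openid.ax.value.{alias}"] = value
    # sign everything except the namespace declaration, then append signed/sig
    signed = [k[len("openid."):] for k in fields if k != "openid.ns"]
    fields["openid.signed"] = ",".join(signed)
    fields["openid.sig"] = sign(fields, signed)
    return fields


def indirect_url(fields: dict) -> str:
    """The GET form of the response: every field appended to return_to's query."""
    parts = urlsplit(fields["openid.return_to"])
    query = urlencode(fields)
    if parts.query:
        query = parts.query + "&" + query
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def choose_binding(fields: dict) -> str:
    """'GET' if the redirect fits the budget, otherwise the OP must fall back to
    an auto-submitted HTML form POST (the UX problem raised in the thread)."""
    return "GET" if len(indirect_url(fields)) <= GET_LIMIT else "POST"


if __name__ == "__main__":
    long_rt = "https://rp.example.gov/openid/return?session=" + "x" * 500
    attrs = {"email": "alice@example.org", "first": "Alice", "last": "Liddell",
             "country": "US", "language": "en", "nickname": "alice"}
    for compact in (False, True):
        a = build_assertion("https://op.example/server", "https://op.example/id/alice",
                            long_rt, attrs, compact=compact)
        print(f"compact={compact}: {len(indirect_url(a))} bytes -> {choose_binding(a)}")
```

Note that return_to counts twice against the budget: once as the base of the redirect URL and again, percent-encoded, as the signed openid.return_to parameter, which is why long RP callback URLs hurt as much as the attribute payload itself. Shortening the type URIs helps only the `openid.ax.type.*` values; the `openid.signed` list and the PAPE policy URIs are unchanged.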
