<HTML><HEAD></HEAD>
<BODY>
<DIV id=idOWAReplyText77805 dir=ltr>
<DIV dir=ltr><FONT color=#000000>When a SAML redirect or artifact binding occurs in the ping-pong handshakes between a chain of 5 of those types of websso servers, do the 10 redirects each refer to resources?</FONT></DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>Not in the static-resource publishing sense, anyways!</DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>ok ok, a "resource" in semweb-land is a generic. Thus, even a temporary protocol state in a chaining/proxying server can be a "resource" subject to HTTP semantics or RDF description.</DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>But are we really suggesting that a claimed identifier returned from OpenID discovery might really be such as: a redirect bearing an encoded SAMLRequest, along with it a digital signature (per the SAML REDIRECT binding onto bearers)?</DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>Surely not. That use of HTTP 302's by SAML leverages the notion of "temporary artifact", where the artifact is really not designed to be interpreted as a resource. While an artifact is in fact a resource formally, it's only so in the mind of the SAML protocol entities that have imposed this interpretation model.</DIV>
<DIV dir=ltr> </DIV>
<DIV dir=ltr>Now, SAML as a spec has no known issue with either semweb or HTTP semantics, note. Perhaps, openid ought to use "artifact" notions and terminology too - to maintain semantic consistency with the rest of the ever-evolving web infrastructure.</DIV></DIV>
<DIV dir=ltr><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Drummond Reed<BR><B>Sent:</B> Wed 3/5/2008 9:32 AM<BR><B>To:</B> 'Noah Slater'<BR><B>Cc:</B> david@sixapart.com; general@openid.net<BR><B>Subject:</B> Re: [OpenID] Calling OpenID 2.0 editors (was RE: Problems with OpenID and TAG httpRange-14)<BR></FONT><BR></DIV>
<DIV><PRE style="WORD-WRAP: break-word">> -----Original Message-----
> From: Noah Slater [mailto:nslater@bytesexual.org]
> Sent: Wednesday, March 05, 2008 6:01 AM
> To: Drummond Reed
> Cc: 'Eddy Nigg (StartCom Ltd.)'; 'John Panzer'; david@sixapart.com;
> general@openid.net
> Subject: Re: [OpenID] Calling OpenID 2.0 editors (was RE: Problems
> with OpenID and TAG httpRange-14)
>
> On Tue, Mar 04, 2008 at 07:55:41PM -0800, Drummond Reed wrote:
> > I'm not an OpenID editor but I remember that there was a great deal of
> > discussion around this and there was a good reason (security as I recall)
> > that the final redirect needed to be treated as the claimed identifier.
>
> I would love to hear this reasoning because it makes no sense to me at the
> moment.
Editors, hellooo-ooo-ooo?
> > 3) From a SemWeb standpoint, I believe the right answer is that ALL the
> > identifiers in the chain - the original identifier, all redirects, and any
> > "override" back from the OP - should all be considered synonyms for the
> > identified resource. In other words, rdf:sameAs statements.
>
> This is incorrect. 303 redirects do not imply rdf:sameAs.
Noah, it would be helpful to me to understand why this is so. Are they not all
identifiers of the same resource? Isn't that what a redirect means? Or are
you saying that the fact they are identifiers that resolve to a resource
does not make them RDF statements?
=Drummond
</PRE></DIV></BODY></HTML>