[Openid-specs-ab] Request artifact
John Bradley
jbradley at mac.com
Wed Apr 28 15:48:18 UTC 2010
Is the randomness requirement different for the request? I think that we can safely assume that the request can be public.
The only randomness requirement would be to prevent an attacker from guessing it. I think it would be better to only assume it is a reference to the request and may be used across multiple requests.
Why do you think there is a randomness requirement?
John B.
On 2010-04-28, at 10:32 AM, Nat wrote:
> John,
>
> I am open to calling the request artifact something else, but I do not think it is a good idea to combine the request artifact and rpfurl, as the randomness requirement is very different.
>
> =nat @ Tokyo via iPhone
>
> On 2010/04/28, at 23:25, John Bradley <jbradley at mac.com> wrote:
>
>> Nat,
>>
>> One simplification to consider for 7.6 may be to combine artifact and rpfurl.
>>
>> If the OP has returned an artifact, that could be:
>> Some internal reference ID.
>> A URL pointing to some internal reference.
>> Some compressed version of the request.
>>
>> If we think of the value as a reference to the request then the rpfurl is also a reference to the request.
>>
>> The only difference is that one is defined by the OP and the other by the RP.
>>
>> It may be confusing for people to have two things called artifact, one for the request and one for the response.
>>
>> The request could be renamed to something like request_reference.
>>
>> Some people may prefer them separate to make validation easier.
>>
>> It is not a big thing.
>>
>> John B.