[Openid-specs-ab] Request artifact

Nat sakimura at gmail.com
Thu Apr 29 06:23:26 UTC 2010



On 2010/04/29, at 0:48, John Bradley <jbradley at mac.com> wrote:

> Is the randomness requirement different for the request?   I think  
> that we can safely assume that the request can be public.

I am not so sure about it. For a static request, it is safe to assume  
that it is a public request. However, for a dynamic request, there are  
chances that the request contains personalized data, which may be  
revealed at the OP.

Under such circumstances, it may be wise to use a randomized reference  
to the request, IMHO.

>
>
> The only randomness requirement would be to prevent an attacker from  
> guessing it.   I think it would be better to only assume it is a  
> reference to the request and may be used across multiple requests.
>
> Why do you think there is a randomness requirement?
>
> John B.
>
>
> On 2010-04-28, at 10:32 AM, Nat wrote:
>
>> John,
>>
>> I am open to calling the request artifact something else, but I do not  
>> think it is a good idea to combine the request artifact and rpfurl  
>> as the randomness requirement is very different.
>>
>> =nat @ Tokyo via iPhone
>>
>> On 2010/04/28, at 23:25, John Bradley <jbradley at mac.com> wrote:
>>
>>> Nat,
>>>
>>> One simplification to consider for 7.6 may be to combine artifact  
>>> and rpfurl.
>>>
>>> If the OP has returned artifact that could be:
>>> Some internal reference ID.
>>> A URL pointing to some internal reference.
>>> Some compressed version of the request.
>>>
>>> If we think of the value as a reference to the request then the  
>>> rpfurl is also a reference to the request.
>>>
>>> The only difference is that one is defined by the OP and the other  
>>> by the RP.
>>>
>>> It may be confusing for people to have two things called artifact,  
>>> one for the request and one for the response.
>>>
>>> The request could be renamed to something like request_refrence
>>>
>>> Some people may prefer them separate to make validation easier.
>>>
>>> It is not a big thing.
>>>
>>> John B.
>