bare request or response

Dick Hardt dick at
Thu Sep 28 02:04:14 UTC 2006

On 26-Sep-06, at 10:30 AM, Kevin Turner wrote:

> On Mon, 2006-09-25 at 14:24 -0700, Dick Hardt wrote:
>> 2) fetching signed claims (part of attribute exchange)
> [...]
>> 	IdP sends a fetch response to Issuer containing any attributes
>> required by Issuer, and also user identifier
>> 		* there was no preceding fetch request
>> 	Issuer sends a store request to IdP with Claim
>> 		* there is no matching store response
> I guess you could do it that way, but it seems quite peculiar.  Why  
> are
> you turning things inside-out in this exchange?  Why "response, store"
> rather than "fetch, respond"?

A fetch does not move identity data or prove the IdP is authoritative  
for the URL.

A respond message is signed by the IdP, which the Issuer cannot do.

In some scenarios, there may be a disconnect between the fetch- 
response and the store-request, and there are use cases where they  
make sense all by themselves (ie, logging into a site from the IdP)

We could create new messages, but I think the existing ones can be  
used pretty much as is and be bare messages.

Other thoughts?

-- Dick

More information about the specs mailing list