AX and Artifact Binding Charter Proposal
Allen Tom
atom at yahoo-inc.com
Wed Nov 18 02:37:41 UTC 2009
Will Norris wrote:
> Just curious, but why are we stressing too much on the attribute name length? I understand we want to keep the message smaller if possible, but isn't that what the artifact profile is going to be for? Won't this be a moot point then?
>
We have problems today where the response exceeds 2KB, forcing the OP to
return the response via POST, or else risk having the response truncated
by either the user's browser or an intermediate proxy server.
From a UX perspective, returning the response via POST is really
unacceptable. If the OP supports HTTPS, but the RP does not, returning
the response via POST will display a browser security warning. POST
responses also introduce additional browser latency since the response
has to be autosubmitted via JS. Almost all RPs that I know of do not
support HTTPS.
The 2KB limit first started to be an issue during the Government GSA
testing, since PAPE combined with AX can make for really sizable
responses. The Government RPs also tended to have very long return_to
URLs, making the problem worse.
Artifact Binding can potentially solve this issue, however I believe
that the community will benefit by having a compact AX. I do know of RPs
which have tried AX, and then have reverted back to SREG because of the
POST issues.
Thanks
Allen
More information about the specs
mailing list