[WG-UMA] Spec Questions
n-sakimura at nri.co.jp
Wed Jul 14 10:27:11 EDT 2010
If you look at the OpenID Artifact Binding draft, they actually are
single "process" of creating
the URL for pull. In the "push" case, it happens to be so that the URL
is located at the
server, while in the pull case, it is located at the client.
(2010/07/14 21:57), Christian Scholz wrote:
> I've put some todo list in the specification and I think it would be
> good to have some discussions about these topics on the list. The most
> important one is IMHO if we need both, the push and pull models or if
> maybe pull is sufficient.
> So here are my pros for pull only:
> - easier to implement if only one method is there
> - URL ownership can be verified easily (except DNS issues/attacks of course)
> - we do not need to come up with a decision on when to use push and when
> to use pull or how client and server might negotiate this.
> - there is not less information transmitted than in push
> Negative is of course that in pull the client needs to implement one
> endpoint more (although static) and that this information is publically
> available. But this probably is not sensitive information.
> If we go with both models I would propose to merge them into one process
> though as they are in the end quite similar anyway.
> As a reminder, you can find them here:
> -- Christian
PLEASE READ：This e-mail is confidential and intended for the named re
cipient only. If you are not an intended recipient, please notify the
sender and delete this e-mail.
More information about the WG-UMA