I thought the browser profile relied on the SenderVouches
confirmation method, and that such assertions are "bearer
tokens", which means they may be used downstream of the web
server/servlet container. I thought it was only the artifact
that was single use.

This is of course the main problem. In both profiles, the assertions are
specified as short lived. Now, we've debated in the past what that means,
but what it means to me is "not suitable for any non-immediate use other
than SSO". If it means something else, I think short-lived is a bad

I haven't thought about artifact nearly as much, but with POST, it's quite
evident to me that making the assertion short lived is pointless. It
prevents a useful subsequent application of the assertion, without adding
any security, since we intentionally fixed the profile (after Liberty
branched off with it, of course) to use the Response as the signed, time
limited envelope that provides the security in the profile.

This was the primary issue I mentioned briefly on the call as something I
think ought to be changed.

As I said, I don't know about artifact. It seems on the surface like a
similar possibility, but there might be other issues involved because of the
indirection in the profile.
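To make the POST-profile argument above concrete, here is an added example (not code from the list thread or from any SAML implementation) that checks a constructed SAML 1.1 Response two ways: once as the signed, time-limited envelope the SP sees at SSO time, and once as a bare assertion pulled out of that envelope and presented downstream, where only the assertion's own Conditions remain. The Recipient URL, issuer, timestamps and 5-minute freshness window are assumptions; the XML signature over the Response is omitted and assumed to have been verified already (xmlsec, not shown). The confirmation method is the standard bearer URI rather than SenderVouches, since that is what the reply is discussing.

```python
"""Envelope check vs. bare-assertion check for a SAML 1.1 POST Response.

Constructed example: the ds:Signature is omitted and its verification is
assumed to have happened before check_envelope() is called.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
ACS_URL = "https://sp.example.com/acs"  # hypothetical SP endpoint (assumption)


def iso(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_iso(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def make_response(issued, assertion_lifetime):
    """Build a constructed sample Response; the assertion's validity window
    is NotBefore=issued, NotOnOrAfter=issued+assertion_lifetime."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ResponseID="_r1" MajorVersion="1" MinorVersion="1"
    IssueInstant="{iso(issued)}" Recipient="{ACS_URL}">
  <saml:Assertion AssertionID="_a1" Issuer="https://idp.example.org"
      MajorVersion="1" MinorVersion="1" IssueInstant="{iso(issued)}">
    <saml:Conditions NotBefore="{iso(issued)}"
        NotOnOrAfter="{iso(issued + assertion_lifetime)}"/>
    <saml:AuthenticationStatement
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
        AuthenticationInstant="{iso(issued)}">
      <saml:Subject>
        <saml:NameIdentifier>alice</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>{BEARER}</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_envelope(response_xml, now, max_age=timedelta(minutes=5)):
    """SP-side check of the Response as the time-limited envelope:
    correct Recipient and an IssueInstant no older than max_age."""
    root = ET.fromstring(response_xml)
    if root.get("Recipient") != ACS_URL:
        return "envelope: wrong Recipient"
    age = now - parse_iso(root.get("IssueInstant"))
    if age < timedelta(0) or age > max_age:
        return "envelope: Response too old"
    return "ok"


def extract_assertion(response_xml):
    """What a downstream service gets: the assertion without its envelope."""
    root = ET.fromstring(response_xml)
    return ET.tostring(root.find("saml:Assertion", NS), encoding="unicode")


def check_assertion(assertion_xml, now):
    """Downstream check: bearer confirmation and the assertion's own Conditions."""
    a = ET.fromstring(assertion_xml)
    if a.find(".//saml:ConfirmationMethod", NS).text != BEARER:
        return "assertion: unexpected confirmation method"
    c = a.find("saml:Conditions", NS)
    if not (parse_iso(c.get("NotBefore")) <= now < parse_iso(c.get("NotOnOrAfter"))):
        return "assertion: outside validity window"
    return "ok"


def scenario(assertion_lifetime, offset):
    """Issue a Response at a fixed instant and evaluate it `offset` later,
    both at the SP (envelope) and downstream (bare assertion)."""
    issued = datetime(2003, 5, 1, 12, 0, tzinfo=timezone.utc)
    now = issued + offset
    resp = make_response(issued, assertion_lifetime)
    return {
        "sso": check_envelope(resp, now),
        "downstream": check_assertion(extract_assertion(resp), now),
    }


if __name__ == "__main__":
    five_min, eight_h = timedelta(minutes=5), timedelta(hours=8)
    print(scenario(five_min, timedelta(minutes=1)))   # fresh POST: both ok
    print(scenario(five_min, timedelta(minutes=10)))  # late POST: envelope rejects, assertion dead too
    print(scenario(eight_h, timedelta(minutes=10)))   # late POST still rejected; assertion usable downstream
```

The third scenario is the point of the reply: a late POST is rejected by the envelope check whether the assertion lives five minutes or eight hours, so the short assertion lifetime buys nothing at the SP, while it is the only thing that stops the downstream reuse.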