saml-dev message
Subject: RE: [saml-dev] notBefore/notOnOrAfter unnecessary?



Hi Prateek,

I realize that validity checking is crucial in the Browser/POST profile,
where the source and destination sites are not communicating in real time.
But in the Browser/Artifact profile, where the responder is responding in
real time, and is mandated to check the timeliness of the artifact himself
(584-588 of the May 31 Bindings and Profiles document), I maintain that
requiring the destination site to also make a validity period check is
unnecessary, and as we have seen, will be a common stumbling block.

If there's an attack I'm missing, I'd like to hear about it.  In any case,
it's not clear from the Bindings document whether the Conditions/NotBefore
and NotAfter elements are required, or whether the destination site is
simply required to process them if they exist.  This should at least be
clarified.  But it looks like the last call has ended, so this is all just
hypothetical.

Trevor
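The check the destination site is being asked to perform, as an added example that is not part of this thread or of any SAML implementation discussed in it (the assertion XML is constructed, and the clock-skew tolerance is an assumed local policy, not something the profile prescribes):

```python
"""Destination-site check of SAML 1.0 Conditions/@NotBefore and @NotOnOrAfter.
Added example for this thread; the skew tolerance is a local-policy assumption."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample assertion: a five-minute validity window issued by the
# source site. AssertionID and Issuer are placeholders.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="0" AssertionID="constructed-assertion-id"
    Issuer="source.example" IssueInstant="2002-06-20T13:13:00Z">
  <saml:Conditions NotBefore="2002-06-20T13:13:00Z"
                   NotOnOrAfter="2002-06-20T13:18:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse an xsd:dateTime that SAML expresses in UTC with a trailing 'Z'."""
    if not value.endswith("Z"):
        raise ValueError("SAML times must be UTC, e.g. 2002-06-20T13:13:00Z")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, now, skew=timedelta(0)):
    """Return (valid, reason) for the assertion at time `now`.

    Absent attributes impose no bound, since both are optional in the
    assertion schema. `skew` is the tolerance granted for clock drift
    between source and destination; NotOnOrAfter is exclusive.
    """
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", SAML_NS)
    if cond is None:
        return True, "no Conditions element"
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before is not None and now + skew < parse_saml_time(not_before):
        return False, "NotBefore is still in the future"
    if not_on_or_after is not None and now - skew >= parse_saml_time(not_on_or_after):
        return False, "NotOnOrAfter has passed"
    return True, "within validity period"


if __name__ == "__main__":
    # Destination clock 90 s behind the source: rejected with no tolerance,
    # accepted once a two-minute skew is allowed (the interop stumbling block).
    slow_clock = datetime(2002, 6, 20, 13, 11, 30, tzinfo=timezone.utc)
    print(check_conditions(ASSERTION, slow_clock))
    print(check_conditions(ASSERTION, slow_clock, skew=timedelta(minutes=2)))
```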


-----Original Message-----
From: Mishra, Prateek [mailto:pmishra@netegrity.com]
Sent: Thursday, June 20, 2002 9:13 AM
To: 'Trevor Perrin'; saml-dev@lists.oasis-open.org
Subject: RE: [saml-dev] notBefore/notOnOrAfter unnecessary?


Trevor,

This type of checking is a key part of the web browser profile. 
Please review the threat model in the bindings document. Small
changes to security protocols almost always break them.

I will publish later today a list of do's and don'ts that we distilled
out from the rehearsal. I will incorporate these into a new draft of
the interOp document.

- prateek

>>-----Original Message-----
>>From: Trevor Perrin [mailto:Tperrin@sigaba.com]
>>Sent: Wednesday, June 19, 2002 7:47 PM
>>To: saml-dev@lists.oasis-open.org
>>Subject: [saml-dev] notBefore/notOnOrAfter unnecessary?
>>
>>
>>
>>A comment on the validity periods issue:  the Conditions/NotBefore and
>>Conditions/NotOnOrAfter elements are optional in the Assertions and Protocol
>>document.  The Browser/Artifact profile seems to imply they must exist
>>(lines 580-582 and 593-601 in May 31 Bindings and Profiles document), but
>>isn't really clear.
>>
>>We've seen that this validity period causes problems.  Given that the
>>responder is responding in real time, the validity period seems unnecessary
>>for this profile.  I.e., the responder is saying "this assertion is valid
>>right now", so the requester shouldn't need to do a validity period check.
>>
>>So if the committee's still taking comments, perhaps we could suggest that
>>the above lines be removed from the artifact profile, and some text inserted
>>that a validity period isn't necessary here.
>>
>>Trevor
>>
>>  
>>
>>-----Original Message-----
>>From: Don Bowen [mailto:don.bowen@sun.com]
>>Sent: Monday, June 17, 2002 5:36 PM
>>To: saml-dev@lists.oasis-open.org
>>Subject: [saml-dev] Conference call for June 18th
>>
>>
>>Here is the call information (same as last time):
>>
>>date: June 18, 2002 12-1pm EDT (11-12pm CDT / 9-10am PDT)
>>phone number: 888-422-7101
>>participant code: 551215
>>
>>Agenda:
>>
>>- Issues that have come up during the dry runs
>>  - SAML/SAMLP namespace
>>  - NotBefore time issues
>>  - Logout on each portal page
>>  - Requirements for what must be checked - spec interpretation alignment
>>  - Interop between the dry runs?
>>  - Internet testing between now and Catalyst?
>>
>>- Catalyst
>>  - Status of preso about what SAML is and isn't
>>  - Check on marketing / SAML one-pager
>>  - Review press preview plans
>>  - Review/discuss attendee experience
>>  - Do we need internet connectivity? If so, Saturday only or Monday also?
>>    We will probably have it.
>>  - Do we need a phone? We will probably get just one, but it will
>>    essentially be a house phone only.
>>  - Should we put cell phones into spreadsheet?
>>  - Schedule for Saturday setup
>>
>>Don;
>>

