Subject: RE: [saml-dev] notBefore/notOnOrAfter unnecessary?
> I realize that validity checking is crucial in the
> Browser/POST profile, where the source and destination sites
> are not communicating in real time.

No, it's actually not. The Response in that case contains an IssueInstant and is signed, so you can just enforce a maximum elapsed time against that value. The significance of bounding the assertion is about the same as in the artifact case, and would seem to be intended more as a constraint on the use of the assertion, rather than as protection against some kind of attack. I argued, fairly weakly, against requiring short-lived assertions in the POST case, but I didn't waste a lot of breath on it.

-- Scott
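
The elapsed-time check described in the message above, as an added example that is not part of the original post: it bounds the age of a Browser/POST Response by its IssueInstant, separately from the assertion's NotBefore/NotOnOrAfter window. The function names, the 5-minute limit, the 60-second skew allowance and the sample Response are assumptions constructed for illustration, and the Response signature is assumed to have been verified already.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

ASSERTION_NS = "{urn:oasis:names:tc:SAML:1.0:assertion}"

# Constructed sample: a SAML 1.x Response whose assertion is valid for 30 minutes.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    ResponseID="example-response-id" MajorVersion="1" MinorVersion="1"
    IssueInstant="2002-06-19T17:05:37Z">
  <saml:Assertion AssertionID="example-assertion-id" Issuer="https://idp.example.org"
      MajorVersion="1" MinorVersion="1" IssueInstant="2002-06-19T17:05:37Z">
    <saml:Conditions NotBefore="2002-06-19T17:05:37Z"
        NotOnOrAfter="2002-06-19T17:35:37Z"/>
  </saml:Assertion>
</samlp:Response>"""

def parse_instant(value):
    """Parse an xs:dateTime such as 2002-06-19T17:05:37Z; reject values without a zone."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError("instant has no time zone: %r" % value)
    return parsed.astimezone(timezone.utc)

def response_is_fresh(response_xml, now, max_age=timedelta(minutes=5),
                      skew=timedelta(seconds=60)):
    """Destination-side check: bound the time elapsed since the Response's IssueInstant.
    Assumes the caller has already verified the Response signature."""
    issued = parse_instant(ET.fromstring(response_xml).attrib["IssueInstant"])
    elapsed = now - issued
    # Reject responses that are too old, and ones dated further ahead than the skew.
    return -skew <= elapsed <= max_age + skew

def assertion_conditions_hold(response_xml, now, skew=timedelta(seconds=60)):
    """Separate check of the issuer's NotBefore/NotOnOrAfter window on each assertion."""
    for cond in ET.fromstring(response_xml).iter(ASSERTION_NS + "Conditions"):
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + skew < parse_instant(not_before):
            return False
        if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
            return False
    return True
```

With the sample, a Response presented at 17:20:00Z still satisfies the assertion's 30-minute Conditions window but fails the elapsed-time check, so the destination can enforce its own bound whatever lifetime the issuer chose.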