saml-dev message


Subject: RE: [saml-dev] notBefore/notOnOrAfter unnecessary?


> I realize that validity checking is crucial in the 
> Browser/POST profile, where the source and destination sites 
> are not communicating in real time.

No, it's actually not. The Response in that case contains an
IssueInstant and is signed, so you can just enforce a maximum elapsed
time against that value. The significance of bounding the assertion is
about the same as in the artifact case, and would seem to be intended
more as a constraint on the use of the assertion, rather than as
protection against some kind of attack.

I argued, fairly weakly, against requiring short-lived assertions in the
POST case, but I didn't waste a lot of breath on it.

-- Scott
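
The elapsed-time check described in the reply above, as an added example that is not part of the original message. It assumes the Response signature has already been verified over the same bytes and that the SAML 1.x namespaces apply; `MAX_AGE`, `CLOCK_SKEW`, `check_freshness` and the sample document are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
MAX_AGE = timedelta(minutes=5)      # assumed local policy, not from the spec
CLOCK_SKEW = timedelta(seconds=60)  # assumed tolerance between the two sites

# Constructed sample Response (signature omitted; verify it before this check).
SAMPLE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ResponseID="_constructed1" MajorVersion="1" MinorVersion="1"
    IssueInstant="2003-04-17T12:00:00Z">
  <saml:Assertion AssertionID="_constructed2" Issuer="https://idp.example.org"
      MajorVersion="1" MinorVersion="1" IssueInstant="2003-04-17T12:00:00Z">
    <saml:Conditions NotBefore="2003-04-17T11:59:00Z"
        NotOnOrAfter="2003-04-17T12:30:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

def parse_instant(value):
    # SAML instants are UTC xs:dateTime values; refuse anything without "Z".
    if not value.endswith("Z"):
        raise ValueError("instant is not expressed in UTC: " + value)
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def check_freshness(response_xml, now):
    """Return (ok, reason) for an already signature-verified Response."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "not a samlp:Response"
    issued = root.get("IssueInstant")
    if issued is None:
        return False, "missing IssueInstant"
    issued = parse_instant(issued)
    # Primary bound: maximum elapsed time since the signed IssueInstant.
    if issued - CLOCK_SKEW > now:
        return False, "IssueInstant in the future"
    if now - issued > MAX_AGE + CLOCK_SKEW:
        return False, "response too old"
    # Secondary bound: the issuer's own constraint on use of the assertion.
    for cond in root.iter(f"{{{SAML}}}Conditions"):
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + CLOCK_SKEW < parse_instant(nb):
            return False, "assertion not yet valid"
        if noa and now - CLOCK_SKEW >= parse_instant(noa):
            return False, "assertion expired"
    return True, "fresh"
```

With the sample above, a Response presented ten minutes after its IssueInstant is rejected by the elapsed-time bound even though the assertion's own NotOnOrAfter is still in the future.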