Subject: SAML 2.0 clock skew - old issue, still painful
Hi All,

I am writing for clarification on clock skew for the SAML 2.0 protocol. I have been over the Shibboleth user and dev mailing lists and there seems to be a definite consensus that the skew should be defined in the Service Provider implementation as an interpretation of the assertion, as Shibboleth and many others do.

I am proposing that a recommendation be incorporated into the SAML 2.0 specification as it is in Kerberos RFC4120 (Kerberos V5).

    8.2. Recommended KDC Values

    Following is a list of recommended values for a KDC configuration.

       Minimum lifetime              5 minutes
       Maximum renewable lifetime    1 week
       Maximum ticket lifetime       1 day
       Acceptable clock skew         5 minutes
       Empty addresses               Allowed
       Proxiable, etc.               Allowed

A recommendation in the specification would settle some disputes as to whose job it is to interpret the assertion's conditions, specifically the NotBefore time-stamp.

Thank you in advance for your consideration,

- Joe

--
Joseph Valerio
Senior Solution Architect
Yale University
Shared Solution Group
Information Technology Services
phone: 203-432-1196
email: joseph.valerio@yale.edu
smail: 25 Science Park, New Haven, CT 06511
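
The Service Provider side check discussed in the message above, as an added example that is not part of the original post and is not Shibboleth's code: it widens the assertion's NotBefore/NotOnOrAfter window by a configurable skew. The 5 minute default is an assumption borrowed from the RFC 4120 list quoted in the message, and the function names and sample assertion are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumption: 5 minutes, taken from the RFC 4120 recommendation quoted above.
# SAML 2.0 itself does not define a skew value.
DEFAULT_SKEW = timedelta(minutes=5)

# Constructed sample assertion with a five minute validity window.
SAMPLE = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    ' ID="_constructed" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">'
    '<saml:Conditions NotBefore="2024-01-01T12:00:00Z"'
    ' NotOnOrAfter="2024-01-01T12:05:00Z"/>'
    '</saml:Assertion>'
)

def parse_instant(value):
    """Parse a SAML time value, which must be UTC (trailing 'Z')."""
    if not value.endswith("Z"):
        raise ValueError("expected UTC instant ending in Z: %r" % value)
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)

def check_conditions(assertion_xml, now, skew=DEFAULT_SKEW):
    """Return (ok, reason) for the Conditions time window, widened by skew.

    Assumes the assertion's signature was already verified and the XML was
    parsed safely upstream; only the time window is evaluated here.
    """
    cond = ET.fromstring(assertion_xml).find("{%s}Conditions" % SAML_NS)
    if cond is None:
        return True, "no Conditions element"
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    # SP clock may run behind the IdP: accept up to `skew` before NotBefore.
    if not_before and now + skew < parse_instant(not_before):
        return False, "not yet valid"
    # SP clock may run ahead of the IdP: accept up to `skew` past expiry.
    if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
        return False, "expired"
    return True, "within window"

if __name__ == "__main__":
    sp_clock = datetime(2024, 1, 1, 11, 58, tzinfo=timezone.utc)  # 2 min behind
    print(check_conditions(SAMPLE, sp_clock))
    print(check_conditions(SAMPLE, sp_clock, skew=timedelta(0)))
```

With zero skew, an SP whose clock is two minutes behind the IdP rejects a freshly issued assertion on NotBefore, which is the failure the message describes.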