OASIS Mailing List Archives
security-services message
Subject: [Issue] DoNotCache


It has been suggested that there should be a way in SAML to specify that an
assertion is currently valid but should not be cached for later use. This
should not depend on the particular amount of variation between clocks in
the network.

For example, a PDP may wish to indicate to a PEP that it should make a new
request for every authorization decision. For example, its policy may be
subject to change at frequent and unpredictable intervals. It would be
desirable to have a SAML-specified convention for doing this. This may
interact with the position taken on clock skew. For example, if SAML takes
no position on clock skew, the PDP may have to set the NotAfter value to some
time in the future to ensure that it is not considered expired by the PEP.

Potential Resolutions:

1. SAML will specify some combination of settings of the IssueInstant and
ValidityInterval to mean that the assertion should not be cached. For
example, setting all three datetime fields to the same value could be deemed
to indicate this.

2. SAML will add an additional element to either Assertions or Responses to
indicate the assertion should not be cached.

3. SAML will provide no way to indicate that an Assertion should not be
cached.
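As an added illustration of the PEP-side decision this issue is about, here is example code that is not part of the original message and not from the SAML specification or the OASIS TC. It models the three timestamps (IssueInstant, NotBefore, NotAfter), a PEP clock-skew tolerance, and a cache that refuses to store an assertion when the PDP has signalled "do not cache". The three-equal-timestamps rule stands in for Resolution 1 and the `do_not_cache` flag for the extra element of Resolution 2; both, along with the `Assertion`, `DecisionCache` names, the 30-second skew and the timestamps, are assumptions made for the example.

```python
"""PEP handling of SAML assertion validity and a "do not cache" signal.

Illustrative code for the DoNotCache issue; not SAML-specified behaviour.
Resolution 1 (all three timestamps equal) and Resolution 2 (an explicit
element, modelled as a boolean here) are both hypothetical conventions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass(frozen=True)
class Assertion:
    assertion_id: str
    issue_instant: datetime        # IssueInstant
    not_before: datetime           # ValidityInterval NotBefore
    not_after: datetime            # ValidityInterval NotAfter
    do_not_cache: bool = False     # hypothetical element (Resolution 2)


def is_valid(a: Assertion, now: datetime, skew: timedelta) -> bool:
    """Validity check with a PEP-chosen clock-skew tolerance.

    With zero tolerance, an assertion whose NotAfter equals its IssueInstant
    is already expired on any PEP whose clock runs ahead of the PDP's, which
    is exactly the clock-skew interaction the issue describes.
    """
    return a.not_before - skew <= now <= a.not_after + skew


def do_not_cache(a: Assertion) -> bool:
    """Recognise either proposed convention (both assumed, not specified)."""
    if a.do_not_cache:                                      # Resolution 2
        return True
    return a.issue_instant == a.not_before == a.not_after   # Resolution 1


class DecisionCache:
    """Authorization-decision cache at the PEP, keyed by assertion ID."""

    def __init__(self, skew: timedelta = timedelta(seconds=30)):
        self.skew = skew
        self._entries: Dict[str, Assertion] = {}

    def store(self, a: Assertion, now: datetime) -> bool:
        """Cache only assertions that are valid now and not marked do-not-cache."""
        if do_not_cache(a) or not is_valid(a, now, self.skew):
            return False
        self._entries[a.assertion_id] = a
        return True

    def lookup(self, assertion_id: str, now: datetime) -> Optional[Assertion]:
        """Return a still-valid cached assertion, evicting it once expired."""
        a = self._entries.get(assertion_id)
        if a is None:
            return None
        if not is_valid(a, now, self.skew):
            del self._entries[assertion_id]   # expired: force a new request
            return None
        return a


def demo() -> Dict[str, bool]:
    """Walk through both kinds of assertion; all timestamps are constructed."""
    t0 = datetime(2001, 3, 1, 12, 0, 0, tzinfo=timezone.utc)  # PDP issue time
    skew = timedelta(seconds=30)
    cache = DecisionCache(skew)
    fresh = Assertion("a1", t0, t0, t0)                       # Resolution 1
    reusable = Assertion("a2", t0, t0, t0 + timedelta(minutes=5))
    pep_now = t0 + timedelta(seconds=10)                      # PEP clock 10 s ahead
    return {
        "fresh_valid_with_skew": is_valid(fresh, pep_now, skew),
        "fresh_valid_no_skew": is_valid(fresh, pep_now, timedelta(0)),
        "fresh_stored": cache.store(fresh, pep_now),
        "reusable_stored": cache.store(reusable, pep_now),
        "hit_while_valid": cache.lookup("a2", pep_now) is not None,
        "miss_after_expiry": cache.lookup("a2", t0 + timedelta(minutes=6)) is None,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the walk-through is that the Resolution 1 assertion is still accepted as currently valid by a PEP that tolerates skew, yet never enters the cache, so the PEP makes a new request every time; without a skew tolerance the same assertion would be rejected outright on a PEP running ahead of the PDP.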

