Subject: RE: [security-services] Suggest adding IssueInstant attribute to Request and Response

> The counter argument would be that this would require the
> services and clients to have access to trusted time.

The counter-counter is that if you don't already, you have bigger problems than this. I assumed that was a given (see the POST browser profile, for example). My feeling is either require the transport layer to prevent replay, or do it in SAML, but don't open the door to replay attacks by ignoring it.

> At the very least we need to create new error codes
>
> RequestTimeOut
> RequestInFuture

These would be subcodes underneath Sender (or Requester), in my proposal's parlance.

-- Scott
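
Added example, not part of the message above or of any SAML specification text: a sketch of the receiver-side check the thread is discussing, where a bounded IssueInstant window also bounds how long a replay cache must remember request IDs. The 5-minute skew, the `FreshnessChecker` and `parse_instant` names, and the `RequestReplayed` subcode are assumptions; `RequestTimeOut`, `RequestInFuture` and `Requester` are the names proposed in the thread.

```python
from datetime import datetime, timedelta, timezone

TOP = "Requester"                       # top-level code named in the thread
STALE, FUTURE = "RequestTimeOut", "RequestInFuture"  # subcodes from the thread
REPLAYED = "RequestReplayed"            # hypothetical subcode, not in the thread


def parse_instant(text):
    """Parse an xs:dateTime such as 2002-05-01T12:00:00Z; None if unusable."""
    try:
        parsed = datetime.fromisoformat(text.strip().replace("Z", "+00:00"))
    except (AttributeError, ValueError):
        return None
    # A value without a zone cannot be compared against trusted UTC time.
    return parsed.astimezone(timezone.utc) if parsed.tzinfo else None


class FreshnessChecker:
    def __init__(self, skew=timedelta(minutes=5)):  # assumed tolerance
        self.skew = skew
        self._seen = {}  # request ID -> last instant at which it is still fresh

    def check(self, request_id, issue_instant, now=None):
        """Return (top_code, subcode); ("Success", None) when acceptable."""
        now = now or datetime.now(timezone.utc)  # must come from a trusted clock
        issued = parse_instant(issue_instant)
        if issued is None:
            return (TOP, None)
        if issued < now - self.skew:
            return (TOP, STALE)
        if issued > now + self.skew:
            return (TOP, FUTURE)
        # IDs older than the window would fail the staleness test anyway,
        # so the cache never has to grow beyond one acceptance window.
        self._seen = {i: t for i, t in self._seen.items() if t >= now}
        if request_id in self._seen:
            return (TOP, REPLAYED)
        self._seen[request_id] = issued + self.skew
        return ("Success", None)
```

Without the IssueInstant bound, the same replay protection would require remembering every request ID indefinitely.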