Subject: Re: [security-services] the "NotOnOrAfter" issue



Phill,

> To put it another way, Steve has a problem because X.509 is confused and
> broken.

Nope. I've a problem with what I see as gratuitous "improvement". As you 
point out, getting X.509 implementations to do the right/same thing with
time values did take a long time (though not for the reason you mentioned, 
it was mostly to do with DER and the inclusion, or not, of "00" seconds 
values). I'd rather not revisit all that type of thing again (which we may 
if we change the semantics as proposed), just for the sake of "purity". 

However, I should point out that I think this isn't the worst thing 
about the handling of time in the -25 spec: the lack of direction on 
timezones, fractional seconds and comparisons is IMO *much* worse. This
is just the icing on the cake. (BTW: even if there's some other xml 
spec that does include all the relevant rules, I'd argue to copy those
that we want applied into the saml core in any case.)

> The problem with the X.509 approach is that it requires a very peculiar
> interpretation of the NotAfter time. Say we have 23:59:59, we have to
> consider the cert valid on 23:59:59.00 which is expected but also
> 23:59:59.01 which is not.

Sorry, but I'd expect this, given that in X.509/2459 notAfter is quite
clearly declared to have a granularity of exactly one second. There is no 
choice about that so there is no ambiguity (if you think there is, then 
send a post to the pkix list & have a nice long discussion there:-).

So, given that X.509 related time values are, by definition, in seconds,
the two schemes are then:

SAML
         if ( NotBefore <= time AND time < NotOnOrAfter)

X.509
         if ( notBefore <= time AND time <= notAfter)

How many programmers are going to get the inclusion/exclusion of that 2nd
"=" sign wrong? That's what I care about.

Stephen.

-- 
____________________________________________________________
Stephen Farrell         				   
Baltimore Technologies,   tel: (direct line) +353 1 881 6716
39 Parkgate Street,                     fax: +353 1 881 7000
Dublin 8.                mailto:stephen.farrell@baltimore.ie
Ireland                             http://www.baltimore.com
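The two checks above side by side, as an added example that is not part of the thread or of any SAML or X.509 implementation. It encodes the X.509 rule with the one-second granularity of notAfter that the message relies on, the SAML half-open rule, the translation between the two windows (NotOnOrAfter = notAfter + 1 s, so the extent of the window does not change), the wrong "second '='" variant the message worries about, and a refusal to compare naive (offset-less) timestamps, since the message also faults the draft for giving no direction on timezones and fractional seconds. All dates, times and the names utc, NOT_BEFORE, NOT_AFTER and PROBES are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

ONE_SECOND = timedelta(seconds=1)


def utc(y, mo, d, h=0, mi=0, s=0, us=0):
    """Build a timezone-aware UTC instant (helper for the constructed samples)."""
    return datetime(y, mo, d, h, mi, s, us, tzinfo=timezone.utc)


def _require_aware(*dts):
    # Naive datetimes carry no offset; comparing them with aware ones is the
    # timezone ambiguity the message says the draft gives no direction on.
    for dt in dts:
        if dt.tzinfo is None or dt.tzinfo.utcoffset(dt) is None:
            raise ValueError("naive datetime rejected: %r" % (dt,))


def saml_valid(now, not_before, not_on_or_after):
    """SAML rule: NotBefore <= time AND time < NotOnOrAfter (half-open window)."""
    _require_aware(now, not_before, not_on_or_after)
    return not_before <= now < not_on_or_after


def x509_valid(now, not_before, not_after):
    """X.509 rule: notBefore <= time AND time <= notAfter, where notAfter has
    one-second granularity, so the whole second it names lies inside the window
    (23:59:59.01 still counts as 'on' 23:59:59)."""
    _require_aware(now, not_before, not_after)
    if not_after.microsecond:
        raise ValueError("X.509 notAfter must be a whole second")
    # Truncate the probe to whole seconds before the inclusive comparison.
    return not_before <= now.replace(microsecond=0) <= not_after


def x509_to_saml_window(not_before, not_after):
    """Express an X.509 window in SAML terms without changing its extent:
    the inclusive, second-granular bound becomes an exclusive bound one second later."""
    return not_before, not_after + ONE_SECOND


def saml_valid_wrong(now, not_before, not_on_or_after):
    """The extra '=' the message warns about: treating NotOnOrAfter as inclusive
    accepts an assertion at the very instant it should already have expired."""
    _require_aware(now, not_before, not_on_or_after)
    return not_before <= now <= not_on_or_after


def disagreements(probes, not_before, not_after):
    """Instants at which the wrong SAML check accepts what the correct one rejects."""
    nb, noa = x509_to_saml_window(not_before, not_after)
    return [t for t in probes if saml_valid_wrong(t, nb, noa) != saml_valid(t, nb, noa)]


# Constructed sample window and probe instants (not from the original thread).
NOT_BEFORE = utc(2001, 1, 1)
NOT_AFTER = utc(2001, 1, 1, 23, 59, 59)
PROBES = [
    utc(2000, 12, 31, 23, 59, 59, 999999),  # just before the window
    utc(2001, 1, 1, 23, 59, 59),            # exactly notAfter
    utc(2001, 1, 1, 23, 59, 59, 10000),     # 23:59:59.01, Phill's example
    utc(2001, 1, 1, 23, 59, 59, 999999),    # last instant of the notAfter second
    utc(2001, 1, 2),                        # first instant past the window
]


def demo():
    """Run every probe through both rules and report where they agree or not."""
    nb, noa = x509_to_saml_window(NOT_BEFORE, NOT_AFTER)
    rows = [(t.isoformat(), x509_valid(t, NOT_BEFORE, NOT_AFTER), saml_valid(t, nb, noa))
            for t in PROBES]
    try:
        saml_valid(datetime(2001, 1, 1, 12), nb, noa)  # naive timestamp
        naive_rejected = False
    except ValueError:
        naive_rejected = True
    return {
        "rows": rows,
        "rules_agree": all(x == s for _, x, s in rows),
        "wrongly_accepted": disagreements(PROBES, NOT_BEFORE, NOT_AFTER),
        "naive_rejected": naive_rejected,
    }


if __name__ == "__main__":
    for row in demo()["rows"]:
        print("%-32s x509=%-5s saml=%s" % row)
    print(demo()["wrongly_accepted"])
```

With the window translated as shown, both rules accept and reject exactly the same instants, fractional seconds included; the only divergence comes from the inclusive-NotOnOrAfter mistake, which accepts the midnight instant that both correct rules reject.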

