Subject: RE: [security-services] Multi-participant transactional workflows
> I thought the browser profile relied on the SenderVouches
> confirmation method, and that such assertions are "bearer
> tokens"; which means they may be used downstream of the web
> server/servlet container. I thought it was only the artifact
> that was single use.

This is of course the main problem. In both profiles, the assertions are specified as short lived. Now, we've debated in the past what that means, but what it means to me is "not suitable for any non-immediate use other than SSO". If it means something else, I think short-lived is a bad description.

I haven't thought about artifact nearly as much, but with POST, it's quite evident to me that making the assertion short lived is pointless. It prevents a useful subsequent application of the assertion, without adding any security, since we intentionally fixed the profile (after Liberty branched off with it, of course) to use the Response as the signed, time limited envelope that provides the security in the profile.

This was the primary issue I mentioned briefly on the call as something I think ought to be changed. As I said, I don't know about artifact. It seems on the surface like a similar possibility, but there might be other issues involved because of the indirection in the profile.

-- Scott
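As an added illustration of the distinction drawn in the message above (this is not code from the thread or from any SAML implementation), the following Python check treats the Response as the signed, time-limited envelope and the Assertion's own Conditions as a separate validity window, so the two can be evaluated independently at receipt time and at a later downstream use. It assumes SAML 1.x element and attribute names (samlp:Response IssueInstant, saml:Conditions NotBefore/NotOnOrAfter), uses an HMAC as a stand-in for the XML Signature over the Response, and uses a constructed two-minute envelope lifetime plus made-up identifiers, hostnames and timestamps.

```python
"""Separate the Response envelope's freshness from the Assertion's own window.

Added example, not from the thread.  The HMAC below is a stand-in for an XML
Signature over the Response; the lifetime, key, identifiers and timestamps
are constructed for the demonstration.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}

# Constructed Browser/POST-style Response carrying one assertion.  Only the
# assertion's NotOnOrAfter is varied between the short- and long-lived cases.
RESPONSE_TEMPLATE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    ResponseID="_resp-0001" IssueInstant="2003-01-01T12:00:00Z"
    Recipient="https://sp.example.test/acs">
  <saml:Assertion AssertionID="_assn-0001" Issuer="idp.example.test"
      IssueInstant="2003-01-01T12:00:00Z">
    <saml:Conditions NotBefore="2003-01-01T11:59:00Z"
        NotOnOrAfter="{noa}"/>
    <saml:AuthenticationStatement
        AuthenticationInstant="2003-01-01T11:59:30Z"
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
      <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""

KEY = b"constructed-demo-key"                 # stand-in for the signing key
ENVELOPE_LIFETIME = timedelta(minutes=2)       # assumed relying-party policy


def build_response(not_on_or_after: str) -> bytes:
    return RESPONSE_TEMPLATE.format(noa=not_on_or_after).encode("utf-8")


def parse_instant(value: str) -> datetime:
    """Parse the UTC 'Z' timestamps used in the sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sign_envelope(response_xml: bytes, key: bytes) -> bytes:
    """Stand-in for the XML Signature the issuer places over the Response."""
    return hmac.new(key, response_xml, hashlib.sha256).digest()


def check_response(response_xml: bytes, tag: bytes, key: bytes, now: datetime,
                   envelope_lifetime: timedelta = ENVELOPE_LIFETIME) -> dict:
    """Evaluate the envelope and the carried assertion separately at time `now`."""
    root = ET.fromstring(response_xml)
    issued = parse_instant(root.get("IssueInstant"))
    conditions = root.find("saml:Assertion/saml:Conditions", NS)
    not_before = parse_instant(conditions.get("NotBefore"))
    not_on_or_after = parse_instant(conditions.get("NotOnOrAfter"))

    envelope_signed = hmac.compare_digest(sign_envelope(response_xml, key), tag)
    envelope_fresh = issued <= now < issued + envelope_lifetime
    assertion_in_window = not_before <= now < not_on_or_after
    return {
        "envelope_signed": envelope_signed,
        "envelope_fresh": envelope_fresh,
        "assertion_in_window": assertion_in_window,
        # SSO acceptance at the ACS needs all three to hold.
        "sso_acceptable": envelope_signed and envelope_fresh and assertion_in_window,
    }


RECEIPT = parse_instant("2003-01-01T12:00:30Z")   # arrival at the ACS
LATER = RECEIPT + timedelta(minutes=10)             # a later downstream use


def demo() -> dict:
    """Run the check for a short-lived and a long-lived assertion, at both times."""
    results = {}
    for name, noa in (("short", "2003-01-01T12:05:00Z"), ("long", "2003-01-01T13:00:00Z")):
        xml = build_response(noa)
        tag = sign_envelope(xml, KEY)
        results[(name, "at_receipt")] = check_response(xml, tag, KEY, RECEIPT)
        results[(name, "later")] = check_response(xml, tag, KEY, LATER)
    return results


if __name__ == "__main__":
    for key_, value in demo().items():
        print(key_, value)
```

At receipt both variants pass, because the Response is fresh and signed; ten minutes later the envelope is stale in both cases, and only the assertion's own Conditions decide whether the long-lived one is still inside its window, which is the property the message argues the short lifetime throws away.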