[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [security-services] Multi-participant transactional workflows
If this is correct 1. browser sends artifact 2. rp acquires assertion with subjectconf=artifact 3. rp confirms assertion using artifact It would seem that the use of subject conf.=artifact affectively precludes reuse (assuming rp's are not to accept such assertions). Is there a case where the risk inherent in reuse is acceptable to the downstream relying parties, such that it should be possible to acquire by artifact, sender vouches assertions? Ron Irving Reid wrote: > > From: Scott Cantor [mailto:cantor.2@osu.edu] > > > > > I thought the browser profile relied on the SenderVouches > > > confirmation method, and that such assertions are "bearer > > > tokens"; which means they may be used downstream of the web > > > server/servlet container. I thought it was only the artifact > > > that was single use. > > > > This is of course the main problem. In both profiles, the > > assertions are specified as short lived. Now, we've debated > > in the past what that means, but what it means to me is "not > > suitable for any non-immediate use other than SSO". If it > > means something else, I think short-lived is a bad description. > > In the browser artifact profile, the assertions are required to use > the "artifact" confirmation method rather than "SenderVouches". This > makes them useless outside the profile, no matter what their lifetime is. > > - irving - > > > > ----------------------------------------------------------------------------------------------------------------- > The information contained in this message is confidential and is intended > for the addressee(s) only. If you have received this message in error or > there are any problems please notify the originator immediately. The > unauthorised use, disclosure, copying or alteration of this message is > strictly forbidden. Baltimore Technologies plc will not be liable for > direct, special, indirect or consequential damages arising from > alteration of the > contents of this message by a third party or as a result of any virus > being > passed on. > > This footnote confirms that this email message has been swept for > Content Security threats, including > computer viruses. > > http://www.baltimore.com > > > This footnote confirms that this email message has been swept by > Baltimore MIMEsweeper for Content Security threats, including > computer viruses.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]