OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [security-services] RE: draft-sstc-session-management-01

Mike,

Thanks for the comment. See comments inline:

On Thursday, Oct 2, 2003, at 09:47 Australia/Sydney, Beach, Michael C wrote:

John,

Section 3, Requirements, item 8 states "...the session authority should have control over this [timeout periods]...".

It would seem that the ultimate authority for timeouts would be controlled by the service provider.  The service provider owns the resources and should have final say in the applicable security policies to be applied.

I'd say that this is one possibility, but in the local case, I had imagined that the SP could also *be* the session authority (ie. that the SP always can delegate responsibility for session mgmt to a session authority, but the SP and the SA may be co-located or the same entity) If the session were only for that service (ie. not a shared session) then it seems likely that the authority will be the SP, or at the least, the SP and the SA will agree on a timeout period. If the session is a *shared* session, then the session authority may not be located at the SP, and will potentially have timeout responsibility for other service providers, and should thus (IMO) be the "timeout authority".

Second in authority might be the session authority, and lastly the user.  However, a session authority should be able to specify shorter timeout periods than those dictated by the service provider, but not longer.  Similar restraints would apply to the user specifying timeout periods -- shorter, but not longer than either the session authority or the service provider.

I think your comment regarding user specification of the timeout period is a reasonable suggestion - I'd like to add that to the doc.

Ultimately I believe the session authority should be "most responsible" for the timeout. But, what I'm really trying to do is specify the notion of a session authority separately from both an SP and an authentication authority for ease of abstraction. But I think these things will interact, and realistically may be closely tied, rather than as loosely as it appears from reading my doc.

Cheers,

- JohnK

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]