Subject: RE: [security-services] Comments on Core 13 & Profiles 08 around SubjectConfirmationData
>> 1) a subject confirm themselves to an assertion that is not
>> yet valid?
>> 2) a subject confirm themselves to an assertion that was
>> valid but has since expired?
>
>I'll defer to other opinions, but my take was to say nothing and view them
>as independent issues. It seems unlikely that any use case for confirming
>outside of the assertion validity period exists, but I didn't see a strong
>need to call this out.

There may not be a use case but it could happen nonetheless - subject confirms through a signature, this performed before the start of the validity period (either because of clock skew or maybe because the IDP, when creating the assertion, set the NotBefore to be some time in the future)

>
>The SSO profile needs to explicitly note that "the assertion MUST be valid",
>and "the bearer MUST be able to satisfy the confirmation method", which
>includes the time window...

yes, but do we need to say that there must be a point at which these requirements can be met simultaneously?

>
>Other opinions?
>
>-- Scott
>
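The question raised above, whether any instant exists at which the assertion validity period and the confirmation time window both hold, sketched as a relying-party check. This is an added example, not part of the original message or of the specification drafts; it assumes the `Conditions` and `SubjectConfirmationData` elements with `NotBefore`/`NotOnOrAfter` attributes as in the published SAML 2.0 schema, and the sample assertion, function names and `skew` parameter are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the confirmation window closes before the
# assertion validity period opens, so the two never overlap.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
    <saml:SubjectConfirmationData NotBefore="2004-06-01T12:00:00Z" NotOnOrAfter="2004-06-01T12:05:00Z"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2004-06-01T12:10:00Z" NotOnOrAfter="2004-06-01T12:20:00Z"/>
</saml:Assertion>"""

def _ts(value):
    # Timestamps are treated as UTC; a missing attribute is an open bound.
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def window(elem):
    if elem is None:
        return (None, None)
    return (_ts(elem.get("NotBefore")), _ts(elem.get("NotOnOrAfter")))

def in_window(now, win, skew):
    not_before, not_on_or_after = win
    return ((not_before is None or now >= not_before - skew) and
            (not_on_or_after is None or now < not_on_or_after + skew))

def check(xml_text, now, skew=timedelta(0)):
    root = ET.fromstring(xml_text)
    cond = window(root.find("saml:Conditions", NS))
    conf = window(root.find(".//saml:SubjectConfirmationData", NS))
    # Intersection of the two windows: latest lower bound, earliest upper bound.
    lows = [t for t in (cond[0], conf[0]) if t is not None]
    highs = [t for t in (cond[1], conf[1]) if t is not None]
    lo = max(lows) if lows else None
    hi = min(highs) if highs else None
    return {
        "assertion_valid": in_window(now, cond, skew),
        "confirmation_valid": in_window(now, conf, skew),
        # True only if some instant satisfies both requirements at once.
        "simultaneously_satisfiable":
            lo is None or hi is None or lo - skew < hi + skew,
    }
```

With zero skew the sample is never acceptable at any time; a three-minute skew allowance is enough to make the two disjoint windows overlap, which is the clock-skew case mentioned in the reply.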