OASIS Mailing List Archives

security-services message



Subject: Re: [security-services] destination-side enforcement of one-time artifact use




Mishra, Prateek wrote on 9/10/2004, 3:56 PM:

 > The service provider MUST ensure that an artifact value is not replayed.
 > This may be achieved by maintaining a table of artifact values. Artifact
 > values need only be entered into the table for the period of time during
 > which the corresponding assertion (i.e., assertion obtained by
 > dereferencing the artifact) is valid.

This seems like an implementation detail rather than a requirement.
I can see how this can be done without any such tables.  For
example, the destination could maintain a table of acceptable
artifacts and when one is presented, the artifact is removed
from the table.  Note also that the artifact generator could
be either end of the communications path.

So my suggestion would be along the lines of:

The generator of an artifact MUST ensure that that artifact
is only dereferenced once.  Subsequent attempts to dereference
the same artifact MUST be refused.

We probably should add something about this being a hint that
there is a substantial security problem in process when this
is detected and I would consider recommending that the
generator take steps to undo the operations of the initially
successful dereference when a subsequent dereference is
detected (such as initiating an SLO operation to the
destination provider).

Conor
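
The generator-side rule proposed in this message, sketched as an added example that is not part of the original post or of any SAML specification text: an artifact is removed from the table on first dereference, later attempts are refused, and a repeat inside the validity window is reported so the first dereference can be undone. `ArtifactStore`, its parameters and the `on_replay` callback (standing in for something like initiating SLO) are hypothetical names.

```python
import secrets
import threading
import time


class ArtifactStore:
    """Generator-side table of outstanding artifacts (hypothetical helper)."""

    def __init__(self, ttl_seconds=120, on_replay=None, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._on_replay = on_replay or (lambda artifact, holder: None)
        self._clock = clock
        self._lock = threading.Lock()
        self._pending = {}   # artifact -> (assertion, expires_at)
        self._consumed = {}  # artifact -> (first_requester, expires_at)

    def issue(self, assertion):
        artifact = secrets.token_urlsafe(20)  # opaque, unguessable handle
        with self._lock:
            self._pending[artifact] = (assertion, self._clock() + self._ttl)
        return artifact

    def dereference(self, artifact, requester):
        """Return the assertion once; refuse (None) on any later attempt."""
        now = self._clock()
        with self._lock:
            self._purge(now)
            entry = self._pending.pop(artifact, None)  # atomic remove-on-use
            if entry is not None:
                # Remember who consumed it until the artifact would have expired.
                self._consumed[artifact] = (requester, entry[1])
                return entry[0]
            first = self._consumed.get(artifact)
        if first is not None:
            # Second dereference inside the validity window: treat it as a
            # security event and let the caller undo the first one.
            self._on_replay(artifact, first[0])
        return None

    def _purge(self, now):
        # Drop pending and consumed records whose validity period has ended.
        for table in (self._pending, self._consumed):
            for key in [k for k, v in table.items() if v[1] <= now]:
                del table[key]
```

Keeping the consumed record until expiry is what lets the generator tell a replayed artifact apart from one it never issued; both are refused, but only the former triggers `on_replay`.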