Subject: RE: [imi] SAML 2.0 profile and NotBefore


Mike Jones wrote on 2009-12-14:
> In working on the 1.1 profile, this question came up about the 2.0 profile.
> It currently says "The <saml:SubjectConfirmationData> element, if present,
> MUST NOT contain a NotBefore or Recipient XML attribute."  Why is the use of
> NotBefore prohibited?

Just for consistency with the other known bearer assertion profile (SAML
SSO).

> I'll note that its use is required in the self-issued token profile. 
> I'm thinking that, for that reason, I should at least allow its use in
> 1.1 tokens.

1.1 doesn't have this field, it only has the Conditions attribute (which 2.0
also has). They're different in meaning. The Conditions attribute covers
assertion validity overall and the confirmation data attribute is about
limiting the ability to confirm as a bearer.

With 1.1, bearer assertions tend to be short lived (in the Conditions
sense), which limits the ability to repurpose them downstream (e.g., web
services).

2.0 assertion lifetime doesn't have to be (and should generally not be) tied
to confirmation window.

-- Scott
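The distinction Scott draws above, as an added example that is not part of the thread: a small SAML 2.0 bearer-assertion check that enforces the Conditions window (overall assertion validity) and the SubjectConfirmationData/NotOnOrAfter window (how long the token may be presented as a bearer) independently, and rejects a SubjectConfirmationData that carries the NotBefore or Recipient attribute the quoted profile text forbids. The assertion, issuer and subject are constructed for the example; the 60-second clock skew and treating the profile violation as a hard reject are this example's choices, not anything the profile or the message specifies.

```python
# Added example (not from the thread): validate a SAML 2.0 bearer assertion,
# checking the two time windows separately as the reply describes.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NS = {"saml": SAML2}


def saml_time(value):
    """Parse a SAML UTC dateTime of the form 2009-12-14T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_bearer_assertion(xml_text, now, skew=timedelta(seconds=60)):
    """Return (accepted, reason).

    Conditions/NotBefore and Conditions/NotOnOrAfter bound the assertion's
    overall validity. SubjectConfirmationData/NotOnOrAfter bounds only how
    long the holder may present it as a bearer token. The two are checked
    independently. A NotBefore or Recipient attribute on the confirmation
    data is treated as a hard reject (this example's choice, following the
    "MUST NOT" in the quoted profile text). The skew value is arbitrary.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML2:
        return False, "not a saml:Assertion"

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb is not None and now + skew < saml_time(nb):
        return False, "assertion not yet valid (Conditions/NotBefore)"
    if noa is not None and now - skew >= saml_time(noa):
        return False, "assertion expired (Conditions/NotOnOrAfter)"

    reason = "no bearer SubjectConfirmation"
    for conf in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if conf.get("Method") != BEARER:
            continue
        scd = conf.find("saml:SubjectConfirmationData", NS)
        if scd is None:
            return True, "ok (no SubjectConfirmationData)"
        if scd.get("NotBefore") is not None or scd.get("Recipient") is not None:
            return False, "SubjectConfirmationData carries NotBefore or Recipient"
        scd_noa = scd.get("NotOnOrAfter")
        if scd_noa is not None and now - skew >= saml_time(scd_noa):
            reason = "bearer confirmation window closed (SubjectConfirmationData/NotOnOrAfter)"
            continue
        return True, "ok"
    return False, reason


# Constructed sample assertion (hypothetical issuer and subject): valid for
# eight hours overall, but confirmable as a bearer token for only five minutes.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2009-12-14T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2009-12-14T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2009-12-14T11:59:00Z" NotOnOrAfter="2009-12-14T20:00:00Z"/>
</saml:Assertion>"""

# Same assertion, but with the profile-forbidden NotBefore on the confirmation data.
SAMPLE_WITH_SCD_NOTBEFORE = SAMPLE.replace(
    'NotOnOrAfter="2009-12-14T12:05:00Z"/>',
    'NotBefore="2009-12-14T12:00:00Z" NotOnOrAfter="2009-12-14T12:05:00Z"/>',
)

if __name__ == "__main__":
    for when in ("2009-12-14T12:02:00Z", "2009-12-14T12:10:00Z", "2009-12-14T21:00:00Z"):
        print(when, validate_bearer_assertion(SAMPLE, saml_time(when)))
    print("scd NotBefore", validate_bearer_assertion(SAMPLE_WITH_SCD_NOTBEFORE,
                                                     saml_time("2009-12-14T12:02:00Z")))
```

At 12:10 the assertion is still inside its Conditions window, so a relying party could still act on its contents (for example, forward it to a web service under some other confirmation method), but it can no longer be accepted from a bearer; that is the separation of assertion lifetime from confirmation window the message describes.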
