Subject: RE: [saml-dev] notBefore/notOnOrAfter unnecessary?
> I agree that these fields could be eliminated but with a
> definite increase in risk for assertion issuer. The
> "constraint on the use of assertion" helps narrow the time window in
> which this type of attack could take place.

Not to any degree that isn't already in place by enforcing an upper bound on the difference between "Now" and Response/@IssueInstant. There isn't anything else gained by bounding the assertion inside the response, in either the artifact or the POST case.

The historical issue is that with POST, a response wasn't used originally, so the only way to bound the thing was with a Condition. This was a bad idea, but when the response was added to that profile, the use of the condition was kept even though it's superfluous.

> The real issue here is clock synchronization. We expect
> system clocks to be somewhat synchronized. But SAML
> authorities and consumers need to cope with the possible
> differences in clock settings. This leads to the difficulties
> that Trevor points to.

Sure, clock skew is an issue with either approach.

-- Scott
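The two checks the message compares, as an added example (not code from the original post or from any SAML implementation): a freshness bound on Response/@IssueInstant beside a Conditions/@NotBefore/@NotOnOrAfter window check, both tolerating clock skew. The timestamps, the 60-second freshness bound and the 3-minute skew allowance are constructed values.

```python
from datetime import datetime, timedelta, timezone

def parse_saml_datetime(value: str) -> datetime:
    """Parse the UTC xsd:dateTime form SAML uses, e.g. 2003-04-17T10:00:00Z."""
    if not value.endswith("Z"):
        raise ValueError("SAML timestamps must be UTC (trailing 'Z')")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value[:-1], fmt).replace(tzinfo=timezone.utc)

def check_issue_instant(issue_instant: str, now: datetime,
                        max_age: timedelta, skew: timedelta):
    """Upper bound on (now - Response/@IssueInstant), widened by allowed skew.

    Rejects responses that are too old, and responses whose IssueInstant
    lies further in the future than the skew allowance explains."""
    age = now - parse_saml_datetime(issue_instant)
    if age < -skew:
        return False, "issued in the future beyond allowed skew"
    if age > max_age + skew:
        return False, "response too old"
    return True, "fresh"

def check_conditions(not_before, not_on_or_after, now: datetime, skew: timedelta):
    """Conditions window check: NotBefore is inclusive, NotOnOrAfter exclusive,
    each relaxed by the skew allowance."""
    if not_before is not None and now + skew < parse_saml_datetime(not_before):
        return False, "not yet valid"
    if not_on_or_after is not None and now - skew >= parse_saml_datetime(not_on_or_after):
        return False, "expired"
    return True, "within window"

def implied_window(issue_instant: str, max_age: timedelta):
    """The validity window an IssueInstant bound already establishes, expressed
    as the equivalent (NotBefore, NotOnOrAfter) pair."""
    issued = parse_saml_datetime(issue_instant)
    return issued, issued + max_age

if __name__ == "__main__":
    # Constructed sample: consumer clock reads 10:00:30Z, response issued 10:00:00Z.
    now = datetime(2003, 4, 17, 10, 0, 30, tzinfo=timezone.utc)
    print(check_issue_instant("2003-04-17T10:00:00Z", now,
                              timedelta(seconds=60), timedelta(minutes=3)))
    # Issuer clock runs 90 s ahead: NotBefore=10:02:00Z only passes thanks to skew.
    print(check_conditions("2003-04-17T10:02:00Z", "2003-04-17T10:05:00Z",
                           now, timedelta(minutes=3)))
    print(check_conditions("2003-04-17T10:02:00Z", "2003-04-17T10:05:00Z",
                           now, timedelta(0)))
```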