saml-dev message



Subject: RE: [saml-dev] notBefore/notOnOrAfter unnecessary?


Scott,


>>
>>Not to any degree that isn't already in place by enforcing an upper
>>bound on the difference between "Now" and 
>>Response/@IssueInstant. 

Agreed, this is an alternative mechanism. The point is that *some*
mechanism is required. Notice that your proposal makes this
something to be resolved entirely by the relying party. Some would argue
that it is preferable to have the issuer control this "upper bound". This is
what the current proposal does.

- prateek


>>There isn't anything else gained by bounding the assertion inside the
>>response, in either the artifact or the POST case.
>>
>>The historical issue is that with POST, a response wasn't used
>>originally, so the only way to bound the thing was with a Condition.
>>This was a bad idea, but when the response was added to that profile,
>>the use of the condition was kept even though it's superfluous.
>>
>>> The real issue here is clock synchronization. We expect 
>>> system clocks to be somewhat synchronized. But SAML 
>>> authorities and consumers need to cope with the possible 
>>> differences in clock settings. This leads to the difficulties 
>>> that Trevor points to. 
>>
>>Sure, clock skew is an issue with either approach.
>>
>>-- Scott
>>

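The two mechanisms the thread compares, side by side, as an added example that is not code from the saml-dev thread or from any OASIS specification: a relying-party-chosen upper bound on the age of Response/@IssueInstant (Scott's alternative) and the issuer-written Conditions/@NotBefore and @NotOnOrAfter window (the proposal Prateek defends), both evaluated with a configurable clock-skew allowance. The SAML 2.0 namespace URIs, the sample Response, the timestamps and the default five-minute/60-second limits are all assumptions chosen for illustration; the same attributes exist in SAML 1.x under the 1.0 namespaces.

```python
"""Validate the time window of a SAML Response two ways: a relying-party
upper bound on (now - Response/@IssueInstant) and the issuer-controlled
Conditions/@NotBefore, @NotOnOrAfter window, both tolerant of clock skew.

Added example, not code from the saml-dev thread or any OASIS specification.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Optional
import xml.etree.ElementTree as ET

# Assumption: SAML 2.0 namespaces.  The same attributes exist in SAML 1.x
# (urn:oasis:names:tc:SAML:1.0:...), only the URIs differ.
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def parse_saml_time(value: str) -> datetime:
    """Parse an xsd:dateTime as SAML uses it (UTC with a 'Z' designator)."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"   # older Pythons reject a bare 'Z'
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("SAML timestamps must carry a time-zone designator")
    return dt.astimezone(timezone.utc)


def check_issue_instant(issue_instant: datetime, now: datetime,
                        max_age: timedelta, skew: timedelta) -> List[str]:
    """Relying-party bound: the response must be recent and not from the
    future.  max_age is chosen by the relying party, not by the issuer."""
    problems = []
    if issue_instant > now + skew:
        problems.append("IssueInstant is in the future beyond the allowed skew")
    elif now - issue_instant > max_age + skew:
        problems.append("Response is older than max_age (plus skew)")
    return problems


def check_conditions(not_before: Optional[datetime],
                     not_on_or_after: Optional[datetime],
                     now: datetime, skew: timedelta) -> List[str]:
    """Issuer bound: the window the issuer wrote into <Conditions>.
    NotBefore is inclusive, NotOnOrAfter is exclusive."""
    problems = []
    if not_before is not None and now + skew < not_before:
        problems.append("Assertion not yet valid (NotBefore)")
    if not_on_or_after is not None and now - skew >= not_on_or_after:
        problems.append("Assertion expired (NotOnOrAfter)")
    return problems


def validate_response_times(xml_text: str, now: datetime,
                            max_age: timedelta = timedelta(minutes=5),
                            skew: timedelta = timedelta(seconds=60)) -> List[str]:
    """Apply both checks to a Response; an empty list means the times are
    acceptable.  Signature verification is out of scope here and must run first."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        return ["Root element is not a samlp:Response"]
    problems = check_issue_instant(parse_saml_time(root.attrib["IssueInstant"]),
                                   now, max_age, skew)
    for assertion in root.findall(f"{{{SAML_NS}}}Assertion"):
        cond = assertion.find(f"{{{SAML_NS}}}Conditions")
        if cond is None:
            continue   # no issuer window; only the IssueInstant bound applies
        nb = cond.attrib.get("NotBefore")
        noa = cond.attrib.get("NotOnOrAfter")
        problems += check_conditions(parse_saml_time(nb) if nb else None,
                                     parse_saml_time(noa) if noa else None,
                                     now, skew)
    return problems


# Constructed sample (not a captured message): issued at 12:00:00Z with a
# five-minute issuer window that starts 30 s early to absorb skew.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:Conditions NotBefore="2024-05-01T11:59:30Z"
                     NotOnOrAfter="2024-05-01T12:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def at(hhmmss: str) -> datetime:
    """Helper for the sample day: '12:00:30' -> aware UTC datetime."""
    return parse_saml_time(f"2024-05-01T{hhmmss}Z")


if __name__ == "__main__":
    for t in ("12:00:30", "12:05:30", "11:58:00", "12:07:00"):
        print(t, validate_response_times(SAMPLE_RESPONSE, at(t)) or "OK")
```

Note that the skew allowance is applied in the direction that favours acceptance (the relying party assumes its own clock may be off by up to `skew` in either direction), which is why a response checked at 12:05:30 still passes a NotOnOrAfter of 12:05:00 with a 60-second skew, while one checked at 12:06:00 does not. Who sets the limit is the real difference between the two checks: `max_age` lives in the relying party's configuration, whereas the Conditions window is signed into the assertion by the issuer.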
