RE: [saml-dev] Introduction & Question about the "heaviness" of S AML

[John Herendeen <john.herendeen@entegrity.com>]

Title: RE: [saml-dev] Introduction & Question about the "heaviness" of S AML

for interop, we agreed it should be valid from 5 minutes before the current time at the source site until 10 minutes after the current time at the source site

this allows a 5 minute window, and allows for A 5 minute clock skew (between stes) in either doirection

the source site sets the validity period but the destination site can choose it's own period during which it will honor the assertion

again, the spec on says you can set a validity period,
but how you use it is up to you

jh

-----Original Message-----
From: Neil Gehani [mailto:ngehani@us.checkpoint.com]
Sent: Wednesday, November 13, 2002 11:05 AM
To: 'Scott Cantor'; 'John Herendeen'; 'Adam Theo'; 'Mark Wilcox'
Cc: saml-dev@lists.oasis-open.org
Subject: RE: [saml-dev] Introduction & Question about the "heaviness" of
S AML

So we are relying on the application to set the limit for each assertion
sent? When you say "relying site" which one do you mean? Sender or
receiver? Is there a default timeout that can be configured?

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu]
Sent: Wednesday, November 13, 2002 7:50 AM
To: ngehani@us.checkpoint.com; 'John Herendeen'; 'Adam Theo'; 'Mark
Wilcox'
Cc: saml-dev@lists.oasis-open.org
Subject: RE: [saml-dev] Introduction & Question about the "heaviness" of
S AML

>Are the minutes configurable?

It's more or less unspecified. "Long enough to get it from site A to B,
short enough to limit the danger." A relying site has its own policy on
how long a SSO assertion should be valid.

-- Scott

----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>