
saml-dev message



Subject: RE: [saml-dev] the value of AuthnInstant


> Consumption of AuthnInstant is a matter of policy at the SP, yes, but
> an IdP that produces an incorrect value is at least non-interoperable
> and may be broken depending on your point of view.

And my point is that in contrast to some of the other opinions, I don't
believe there is any such thing as a "correct" value. I think it's
deployment-specific.

To use one perhaps contrived example, using a certificate is prone to
caching a user's PIN. So what's the right timestamp? The last time they
entered a PIN? Or every time the key is silently reused?
 
> For instance, consider an IdP that routinely sets IssueInstant and
> AuthnInstant to the same value (NOW).  Is this implementation broken?

Not IMHO. It certainly doesn't violate the spec as it stands now, at least
in core.

One reason I'd be against changing this is that I don't think it would help.
Knowing that it's illegal to do something doesn't help an SP when the IdP
gets it wrong, and I think a lot would get it wrong. I think it's better to
be clear that the SP should do its homework before relying on the value.

-- Scott
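
The following is an added example, not part of the original message or of any SAML implementation: one way an SP could record its "homework" per IdP and rely on AuthnInstant for a maximum-authentication-age rule only where it has verified how that IdP populates the value. The issuer URLs, the `IDP_POLICY` table, the function names and the sample assertions are assumptions constructed for illustration, and signature and conditions validation is assumed to have happened before this check.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical per-IdP policy, filled in by the SP operator after checking how
# each IdP actually populates AuthnInstant.
IDP_POLICY = {
    "https://idp-a.example/saml": {"authn_instant_verified": True},
    # Known to stamp AuthnInstant with the time of issuance (NOW).
    "https://idp-b.example/saml": {"authn_instant_verified": False},
}

def parse_instant(value):
    # SAML instants are UTC xs:dateTime values, e.g. 2024-05-01T12:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def authn_age_decision(assertion_xml, max_age, now):
    """Return 'accept', 'reauthenticate' or 'unverified' for a max-age rule.

    Assumes the assertion was already signature- and conditions-validated.
    """
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    stmt = root.find("saml:AuthnStatement", NS)
    policy = IDP_POLICY.get(issuer, {"authn_instant_verified": False})
    # AuthnInstant == IssueInstant proves nothing on its own (the user may
    # really have just logged in), so the decision rests on what the SP has
    # established about this IdP, not on the shape of one assertion.
    if stmt is None or not policy["authn_instant_verified"]:
        return "unverified"  # value cannot back a freshness requirement
    authn = parse_instant(stmt.get("AuthnInstant"))
    return "reauthenticate" if now - authn > max_age else "accept"

def sample_assertion(issuer, issue_instant, authn_instant):
    # Constructed, unsigned sample assertion for illustration only.
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_a1" Version="2.0" '
            f'IssueInstant="{issue_instant}"><saml:Issuer>{issuer}</saml:Issuer>'
            f'<saml:AuthnStatement AuthnInstant="{authn_instant}"/>'
            f'</saml:Assertion>')

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    for idp in IDP_POLICY:
        xml = sample_assertion(idp, "2024-05-01T12:00:00Z", "2024-05-01T12:00:00Z")
        print(idp, authn_age_decision(xml, timedelta(hours=1), now))
```

What the SP does with an `unverified` result (for example, requesting a fresh authentication itself) remains a deployment decision.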



