Subject: RE: [saml-dev] the value of AuthnInstant
> Consumption of AuthnInstant is a matter of policy at the SP, yes, but
> an IdP that produces an incorrect value is at least non-interoperable
> and may be broken depending on your point of view.

And my point is that in contrast to some of the other opinions, I don't believe there is any such thing as a "correct" value. I think it's deployment-specific. To use one perhaps contrived example, using a certificate is prone to caching a user's PIN. So what's the right timestamp? The last time they entered a PIN? Or every time the key is silently reused?

> For instance, consider an IdP that routinely sets IssueInstant and
> AuthnInstant to the same value (NOW). Is this implementation broken?

Not IMHO. It certainly doesn't violate the spec as it stands now, at least in core.

One reason I'd be against changing this is that I don't think it would help. Knowing that it's illegal to do something doesn't help an SP when the IdP gets it wrong, and I think a lot would get it wrong. I think it's better to be clear that the SP should do its homework before relying on the value.

-- Scott
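Added example, not part of the original message or of any SAML implementation: one way an SP could encode the "do its homework" policy, using AuthnInstant for a maximum-age check only for IdPs whose AuthnInstant semantics the operator has vetted. The entity IDs, the `AUTHN_INSTANT_TRUSTED` table, the function names and the sample assertion are assumptions constructed for illustration, and the assertion is assumed to have already passed signature and schema validation in the SP's SAML stack.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical SP-side table: has the operator confirmed, per IdP, that
# AuthnInstant tracks a real user authentication event?
AUTHN_INSTANT_TRUSTED = {
    "https://idp-a.example.org/idp": True,
    "https://idp-b.example.org/idp": False,  # stamps NOW on every assertion
}

def _ts(value):
    # SAML timestamps are UTC xs:dateTime; map the trailing Z for fromisoformat().
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def freshness_decision(assertion_xml, max_age, now):
    """Return (decision, reason) for an already signature-verified assertion."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    stmt = root.find("saml:AuthnStatement", NS)
    if stmt is None or "AuthnInstant" not in stmt.attrib:
        return "reauthenticate", "no AuthnInstant present"
    # Unknown or unvetted IdP: the value cannot support a freshness claim.
    if not AUTHN_INSTANT_TRUSTED.get(issuer, False):
        return "reauthenticate", "AuthnInstant semantics not vetted for this IdP"
    authn = _ts(stmt.attrib["AuthnInstant"])
    if now - authn > max_age:
        return "reauthenticate", "authentication older than max_age"
    reason = "AuthnInstant within max_age"
    if authn == _ts(root.attrib["IssueInstant"]):
        # Not a spec violation, but worth logging for a vetted IdP.
        reason += " (equal to IssueInstant)"
    return "accept", reason

def sample(issuer, issue_instant, authn_instant):
    # Constructed, unsigned sample assertion for illustration only.
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_x" Version="2.0" '
            f'IssueInstant="{issue_instant}"><saml:Issuer>{issuer}</saml:Issuer>'
            f'<saml:AuthnStatement AuthnInstant="{authn_instant}"/>'
            f'</saml:Assertion>')
```

A "reauthenticate" result is where the SP would send a new request with ForceAuthn rather than rely on the timestamp it was given.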