
Subject: Re: [saml-dev] IDP clock skew issue

On 4/7/14, 12:26 PM, "Vasu Y" <vyal2k@yahoo.com> wrote:

>I need your advice on the following regarding clock skew:
>1) Should we also add the clock skew to SP's clock before checking
>"NotOnAfter" conditions or is it not needed in this case (because NotOnAfter
>will occur a couple of minutes after NotBefore)?

You need skew any time you check a timestamp, in either direction.

>2) If there is a case where the IDP clock could be slower, should we
>subtract clock skew from SP's clock before doing NotBefore and NotOnAfter
>validations? I have not seen people complaining about this issue.

I don't understand what that means. Skew is applied in the direction of
comparison of the test, so if it's a check for NotOnOrAfter, you subtract
skew from the current time, and if you check NotBefore, you add to it. You
err in the direction of validity.

-- Scott
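
The rule in the reply above, as an added example that is not part of the original message or of any SAML implementation: skew is added to the current time for the NotBefore check and subtracted from it for the NotOnOrAfter check. The function names, the 180-second default and the sample timestamps are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample values; not taken from any real assertion.
NOT_BEFORE = "2014-04-07T16:26:00Z"
NOT_ON_OR_AFTER = "2014-04-07T16:31:00Z"


def parse_instant(value):
    """Parse a SAML time value, assumed to be UTC with a trailing 'Z'."""
    if not value.endswith("Z"):
        raise ValueError("expected a UTC timestamp ending in 'Z': %r" % value)
    text = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in text else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def check_conditions(now, not_before=None, not_on_or_after=None, skew_seconds=180):
    """Return (ok, reason) for the SP's current time `now` (aware datetime).

    skew_seconds is the tolerance the SP grants; 180 is an assumed default.
    Every second of skew also lengthens the acceptance window, so keep it small.
    """
    if skew_seconds < 0:
        raise ValueError("skew must not be negative")
    skew = timedelta(seconds=skew_seconds)
    # NotBefore: add skew to the current time, so an SP clock that runs
    # behind the IdP still accepts a freshly issued assertion.
    if not_before is not None and now + skew < parse_instant(not_before):
        return False, "not yet valid"
    # NotOnOrAfter: subtract skew from the current time, so an SP clock that
    # runs ahead does not expire the assertion early. The bound is exclusive.
    if not_on_or_after is not None and now - skew >= parse_instant(not_on_or_after):
        return False, "expired"
    return True, "valid"


if __name__ == "__main__":
    for sp_clock in ("2014-04-07T16:24:30Z", "2014-04-07T16:33:00Z",
                     "2014-04-07T16:22:00Z", "2014-04-07T16:34:00Z"):
        now = parse_instant(sp_clock)
        strict = check_conditions(now, NOT_BEFORE, NOT_ON_OR_AFTER, skew_seconds=0)
        lenient = check_conditions(now, NOT_BEFORE, NOT_ON_OR_AFTER)
        print(sp_clock, "no skew:", strict, "3 min skew:", lenient)
```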
