[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [saml-dev] IDP clock skew issue
On 4/7/14, 12:26 PM, "Vasu Y" <vyal2k@yahoo.com> wrote: >I need your advise on the following regarding clock skew: >1) Should we also add the clock skew to SP's clock before checking >"NotOnAfter" conditions or is not needed in this case (because NotOnAfter >will occur couple after a couple of minutes of NotBefore)? You need skew any time you check a timestamp, in either direction. >2) If there is a case where the IDP clock could be slower, should we >subtract clock skew from SP's clock before doing NotBefore and NotOnAfter >validations? I have not seen people complaining about this issue. I don't understand what that means. Skew is applied in the direction of comparison of the test, so if it's a check for NotOnOrAfter, you substract skew from the current time, and if you check NotBefore, you add to it. You err in the direction of validity. -- Scott
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]