
security-services-comment message


Subject: SAML 2.0 clock skew - old issue, still painful

Hi All,

I am writing for clarification on clock skew for the SAML 2.0 protocol.  I have been over the Shibboleth user and dev mailing lists and there seems to be a definite consensus that the skew should be defined in the Service Provider implementation as an interpretation of the assertion, as Shibboleth and many others do.  I am proposing that a recommendation be incorporated into the SAML 2.0 specification as it is in Kerberos RFC4120 (Kerberos V5).

8.2.  Recommended KDC Values

   Following is a list of recommended values for a KDC configuration.

      Minimum lifetime              5 minutes
      Maximum renewable lifetime    1 week
      Maximum ticket lifetime       1 day
      Acceptable clock skew         5 minutes
      Empty addresses               Allowed
      Proxiable, etc.               Allowed

A recommendation in the specification would settle some disputes as to whose job it is to interpret the assertion's conditions, specifically the NotBefore time-stamp.

Thank you in advance for your consideration,

- Joe

Joseph Valerio

Senior Solution Architect

Yale University
Shared Solution Group
Information Technology Services

phone: 203-432-1196
email: joseph.valerio@yale.edu
smail: 25 Science Park, New Haven, CT 06511
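The check the message is asking about, written out as an added example (this is not code from the original message, nor from Shibboleth or any other SP implementation): the Service Provider evaluates the assertion's Conditions element and applies a symmetric clock-skew allowance when comparing NotBefore and NotOnOrAfter against its own clock. The sample assertion fragment, the issuer URL and the 300-second default are constructed for this example; the 5-minute value mirrors the Kerberos recommendation quoted above, and in a real deployment the SP library's own skew setting would take the place of the `skew_seconds` parameter.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML_NS = {"saml": SAML_ASSERTION_NS}

# Constructed sample assertion fragment for this example; the issuer and times are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z"
                   NotOnOrAfter="2024-05-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_saml_instant(text):
    """Parse a SAML xs:dateTime (UTC, optional fractional seconds) into a UTC-aware datetime."""
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        # SAML 2.0 Core requires UTC time values; treat a naive value as UTC rather than local time.
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def evaluate_conditions(not_before, not_on_or_after, now, skew):
    """SP-side validity-window check with a symmetric clock-skew allowance.

    NotBefore is inclusive and NotOnOrAfter is exclusive, as in SAML 2.0 Core.
    The skew widens the window in both directions so that an IdP clock that is
    slightly ahead or behind the SP clock does not cause spurious rejections.
    Returns (accepted, reason).
    """
    if not_before is not None and now + skew < not_before:
        return False, "not yet valid"
    if not_on_or_after is not None and now - skew >= not_on_or_after:
        return False, "expired"
    return True, "within validity window"


def check_assertion(xml_text, now=None, skew_seconds=300):
    """Parse an assertion and evaluate its time conditions against `now` (default: current UTC time)."""
    if now is None:
        now = datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_ASSERTION_NS:
        return False, "not a SAML 2.0 Assertion element"
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        # No Conditions element means no time restrictions are asserted.
        return True, "no Conditions element"
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    return evaluate_conditions(
        parse_saml_instant(not_before) if not_before else None,
        parse_saml_instant(not_on_or_after) if not_on_or_after else None,
        now,
        timedelta(seconds=skew_seconds),
    )


if __name__ == "__main__":
    # SP clock three minutes behind the IdP: rejected with no skew, accepted with the 5-minute allowance.
    sp_now = parse_saml_instant("2024-05-01T11:57:00Z")
    print(check_assertion(SAMPLE_ASSERTION, sp_now, skew_seconds=0))
    print(check_assertion(SAMPLE_ASSERTION, sp_now))
```

The two `main` calls show the dispute in the message concretely: with a zero skew an SP whose clock runs three minutes behind the IdP rejects a freshly issued assertion as "not yet valid", and the same assertion is accepted once the SP applies a tolerance. The tolerance also extends the far edge of the window, so the skew value should stay small (minutes, not hours), since every second of allowance is also a second longer that a replayed assertion remains acceptable.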
