
security-services message


Subject: RE: [security-services] Suggest adding IssueInstant attribute to Request and Response

> The counter argument would be that this would require the 
> services and clients to have access to trusted time.

The counter-counter is that if you don't already, you have bigger
problems than this. I assumed that was a given (see the POST browser
profile, for example).

My feeling is either require the transport layer to prevent replay, or
do it in SAML, but don't open the door to replay attacks by ignoring it.

> At the very least we need to create new error codes
> RequestTimeOut
> RequestInFuture

These would be subcodes underneath Sender (or Requester), in my
proposal's parlance.

-- Scott
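
An added example, not part of the original message or of any SAML specification text: a receiver-side check that uses IssueInstant to bound a replay cache and returns the RequestTimeOut and RequestInFuture subcodes proposed in the thread. The skew and lifetime values, the `ReplayGuard` class, and the `RequestReplayed` and `MalformedIssueInstant` names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy values (not from the thread): tolerated clock skew and
# how long a request stays acceptable after its IssueInstant.
SKEW = timedelta(seconds=60)
LIFETIME = timedelta(minutes=5)


class ReplayGuard:
    """Freshness window plus a cache of request IDs seen inside that window."""

    def __init__(self):
        self._seen = {}  # request ID -> time after which the entry is useless

    def check(self, request_id, issue_instant, now=None):
        """Return None to accept, else a subcode name under Sender/Requester."""
        now = now or datetime.now(timezone.utc)
        try:
            # Constructed inputs use whole-second UTC xs:dateTime values.
            issued = datetime.strptime(issue_instant, "%Y-%m-%dT%H:%M:%SZ")
            issued = issued.replace(tzinfo=timezone.utc)
        except ValueError:
            return "MalformedIssueInstant"  # hypothetical subcode
        if issued > now + SKEW:
            return "RequestInFuture"        # subcode proposed in the thread
        expires = issued + LIFETIME + SKEW
        if now > expires:
            return "RequestTimeOut"         # subcode proposed in the thread
        # Anything past its expiry would be rejected as timed out anyway,
        # so the cache only has to remember IDs inside the window.
        self._seen = {k: v for k, v in self._seen.items() if v >= now}
        if request_id in self._seen:
            return "RequestReplayed"        # hypothetical subcode
        self._seen[request_id] = expires
        return None
```

Without IssueInstant the receiver would have to remember every request ID indefinitely to detect a replay; with it, the cache is bounded by the lifetime plus the skew allowance.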
