Subject: RE: [security-services] Proposed DoNotCache Condition
>> If not, what's the difference between DoNotCache and having a
>> NotOnOrAfter of time(NULL) + allowable_skew?
>
> I don't exactly understand what you are proposing, but discussions around
> the Browser/Artifact Profile, made it clear that the NotOnOrAfter time is
> the latest time you can BEGIN to use the contents of an assertion, not
> the time you must STOP using the contents.

Ah, I don't think I heard any of that, so I was definitely thinking about it
the other way. In the SSO case, you're really "done" using the thing once
you've initiated the remote session. I don't think of that session as
"continued use of the SSO assertion", but maybe that's just me.

In the case of attribute assertions in Shib, for example, the time condition
is used explicitly to tell the relying party when to throw them out and query
back again. That seems very natural to me.

> I don't know what you mean by time(NULL) or by allowable_skew, which is not
> defined in the spec anywhere.

It's just C pseudocode for saying "current time plus some margin of error" so
that the thing is only valid transiently.

> If you look at the issues list, you will see I originally proposed that a
> defined set of values for validity interval would be an acceptable way to
> meet my requirement. I also made proposals around clock skew, which also
> did not attract any interest.

Ok. Consider me on the side of either of those options I guess, but it's not
a big deal, obviously.

-- Scott
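The two readings of NotOnOrAfter argued over above (the latest time a relying party may BEGIN using an assertion, versus the time it must STOP using cached contents) and the "time(NULL) + allowable_skew" idea can be made concrete in a small relying-party check. The following is an added illustration, not code from the thread or from any SAML implementation; the `Conditions` data class, the `do_not_cache` flag standing in for the proposed DoNotCache condition, and the skew value are all assumptions made here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Conditions:
    """Hypothetical in-memory form of a SAML <Conditions> element (assumption)."""
    not_before: Optional[datetime] = None
    not_on_or_after: Optional[datetime] = None
    do_not_cache: bool = False  # stands in for the proposed DoNotCache condition


def parse_utc(ts: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp such as 2003-01-15T12:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def may_begin_use(cond: Conditions, now: datetime,
                  allowable_skew: timedelta = timedelta(seconds=60)) -> bool:
    """Reading 1: NotOnOrAfter bounds when use may BEGIN.

    The relying party accepts the assertion at `now` if, allowing for clock
    skew between issuer and relying party, `now` lies inside the validity
    window. Skew is applied in the assertion's favour on both edges.
    """
    if cond.not_before is not None and now + allowable_skew < cond.not_before:
        return False  # not yet valid, even after granting skew
    if cond.not_on_or_after is not None and now - allowable_skew >= cond.not_on_or_after:
        return False  # already expired, even after granting skew
    return True


def cache_until(cond: Conditions, accepted_at: datetime) -> Optional[datetime]:
    """Reading 2: when must cached contents be thrown out?

    Returns None when the assertion must not be cached at all (use once at
    `accepted_at`, then discard). Otherwise NotOnOrAfter is treated the way the
    thread describes Shibboleth attribute assertions: the relying party drops
    the cached attributes at that time and queries again.
    """
    if cond.do_not_cache:
        return None
    return cond.not_on_or_after  # None here means "no time bound was given"


def transient_conditions(now: datetime,
                         allowable_skew: timedelta = timedelta(seconds=60)) -> Conditions:
    """The `NotOnOrAfter = time(NULL) + allowable_skew` construction from the
    thread: an assertion that is only acceptable within one skew window of
    issuance, expressed as ordinary time conditions rather than a new flag."""
    return Conditions(not_before=now, not_on_or_after=now + allowable_skew)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real assertion.
    cond = Conditions(not_before=parse_utc("2003-01-15T11:59:00Z"),
                      not_on_or_after=parse_utc("2003-01-15T12:05:00Z"))
    now = parse_utc("2003-01-15T12:00:00Z")
    print("accept at 12:00:", may_begin_use(cond, now))
    print("cache until    :", cache_until(cond, now))
    print("transient, one skew later:",
          may_begin_use(transient_conditions(now), now + timedelta(seconds=60)))
    print("transient, two skews later:",
          may_begin_use(transient_conditions(now), now + timedelta(seconds=120)))
```

With skew set to zero the two edges become strict, which is what makes the transient construction expire immediately; the skew is what gives a relying party with a slightly slow clock a chance to accept it at all.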