OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [security-services] Proposed DoNotCache Condition

>> If not, what's the difference between DoNotCache and having a 
>> NotOnOrAfter of time(NULL) + allowable_skew?
>I don't exactly understand what you are proposing, but discussions
>the Browser/Artifact Profile, made it clear that the NotOnOrAfter time
>the the latest time you can BEGIN to use the contents of an assertion,
>the time you must STOP using the contents. 

Ah, I don't think I heard any of that, so I was definitely thinking
about it the other way. In the SSO case, you're really "done" using the
thing once you've initiated the remote session. I don't think of that
session as "continued use of the SSO assertion", but maybe that's just

In the case of attribute assertions in Shib, for example, the time
condition is used explicitly to tell the relying party when to throw
them out and query back again. That seems very natural to me.

>I don't know what you mean by time(NULL) or by allowable_skew, which is
>defined in the spec anywhere.

It's just C pseudocode for saying "current time plus some margin of
error" so that the thing is only valid transiently.

>If you look at the issues list, you will see I originally proposed that
>defined set of values for validity interval would be an acceptable way
>meet my requirement. I also made proposals around clock skew, which
>did not attract any interest.

Ok. Consider me on the side of either of those options I guess, but it's
not a big deal, obviously.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC