OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [security-services] Proposed DoNotCache Condition

>Every time you make an Authorization decision you are relying on the
>contents of the "SSO Assertion".

Well, in an indirect way that's true, but at least as I implemented it,
I don't hold on to the assertion once the session is established, since
the lifetime of the session can't be related back to the assertion
anyway (for the reasons you're noting, the condition is used to indicate
one-time use and is very narrow).

I remember IDs for replay detection, but that's all.

IOW, I rely on the session, and the session's original construction came
from the assertion.

>However, when the Browser Artifact Profile was developed, the majority
>was to use the validity interval in the way I described as a
>against replay attacks. This, in effect established that the semantic
>this element is Profile-specific. I would like to define a semantic for

>DoNotCache which is Profile independent.

I guess I don't see it as being that different, based on my
interpretation of the purpose of the SSO assertion as establishing a
session with its own properties. Subsequent to the validity period
expiring, the assertion can't be used for that purpose (session
establishment) and so caching it serves no purpose.

I don't remember reading anything in the document (at least on the POST
side) that contradicts that interpretation, and either way the effect is
the same, but I guess it leads to different conclusions as to the
profile-specificity of NotOnOrAfter.

>Also, there seems to be a strong view in the SAML TC that ultimately it
>is up to the relying party to determine what information to rely on.
>asserting party can attach caveats, such as Audience Restriction, but
>ultimately the relying party does what it wants.
>This seems to me to be quite different from the X.509/PKIX philosophy
>where they have a fetish about performing the signature validation and
>verification algorithms as defined in the specifications. But perhaps
>there will be little difference in practice.

I would agree with that, the rules for consumption seem to be looser and
more application-specific. That's why I wondered if there was a specific
use case in mind for this idea of caching an invalid (condition-wise)
assertion. Certainly if the definition of invalid is really
context-dependent, then having a context-independent way of saying
"whatever you do, don't keep this around" might be useful.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC