OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Multi-participant transactional workflows

> I thought the browser profile relied on the SenderVouches 
> confirmation method, and that such assertions are "bearer 
> tokens"; which means they may be used downstream of the web 
> server/servlet container. I thought it was only the artifact 
> that was single use.

This is of course the main problem. In both profiles, the assertions are
specified as short lived. Now, we've debated in the past what that means,
but what it means to me is "not suitable for any non-immediate use other
than SSO". If it means something else, I think short-lived is a bad

I haven't thought about artifact nearly as much, but with POST, it's quite
evident to me that making the assertion short lived is pointless. It
prevents a useful subsequent application of the assertion, without adding
any security, since we intentionally fixed the profile (after Liberty
branched off with it, of course) to use the Response as the signed, time
limited envelope that provides the security in the profile.

This was the primary issue I mentioned briefly on the call as something I
think ought to be changed.

As I said, I don't know about artifact. It seems on the surface like a
similar possibility, but there might be other issues involved because of the
indirection in the profile.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]