RE: [security-services] Multi-participant transactional workflows

[Irving Reid <Irving.Reid@baltimore.com>]

Title: RE: [security-services] Multi-participant transactional workflows

> From: Scott Cantor [mailto:cantor.2@osu.edu]
>
> > I thought the browser profile relied on the SenderVouches
> > confirmation method, and that such assertions are "bearer
> > tokens"; which means they may be used downstream of the web
> > server/servlet container. I thought it was only the artifact
> > that was single use.
>
> This is of course the main problem. In both profiles, the
> assertions are specified as short lived. Now, we've debated
> in the past what that means, but what it means to me is "not
> suitable for any non-immediate use other than SSO". If it
> means something else, I think short-lived is a bad description.

In the browser artifact profile, the assertions are required to use the "artifact" confirmation method rather than "SenderVouches". This makes them useless outside the profile, no matter what their lifetime is.

 - irving -

-----------------------------------------------------------------------------------------------------------------
The information contained in this message is confidential and is intended
for the addressee(s) only.  If you have received this message in error or
there are any problems please notify the originator immediately.  The 
unauthorised use, disclosure, copying or alteration of this message is 
strictly forbidden. Baltimore Technologies plc will not be liable for
direct, special, indirect or consequential damages arising from alteration of the
contents of this message by a third party or as a result of any virus being 
passed on.
 
This footnote confirms that this email message has been swept for Content Security threats, including
computer viruses.

http://www.baltimore.com

 
This footnote confirms that this email message has been swept by 
Baltimore MIMEsweeper for Content Security threats, including
computer viruses.