Subject: Re: [security-services] Multi-participant transactional workflows


If this is correct:

1. browser sends artifact
2. rp acquires assertion with subjectconf=artifact
3. rp confirms assertion using artifact

It would seem that the use of subject conf.=artifact effectively precludes
reuse (assuming rp's are not to accept such assertions).

Is there a case where the risk inherent in reuse is acceptable to the
downstream relying parties, such that it should be possible to acquire by
artifact, sender vouches assertions?

Ron

Irving Reid wrote:

> > From: Scott Cantor [mailto:cantor.2@osu.edu]
> >
> > > I thought the browser profile relied on the SenderVouches
> > > confirmation method, and that such assertions are "bearer
> > > tokens"; which means they may be used downstream of the web
> > > server/servlet container. I thought it was only the artifact
> > > that was single use.
> >
> > This is of course the main problem. In both profiles, the
> > assertions are specified as short lived. Now, we've debated
> > in the past what that means, but what it means to me is "not
> > suitable for any non-immediate use other than SSO". If it
> > means something else, I think short-lived is a bad description.
>
> In the browser artifact profile, the assertions are required to use 
> the "artifact" confirmation method rather than "SenderVouches". This 
> makes them useless outside the profile, no matter what their lifetime is.
>
>  - irving -
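The thread turns on one relying-party decision: an assertion confirmed by the artifact method is bound to the single artifact exchange, while a sender-vouches (bearer-style) assertion is only held back by its lifetime and by local policy. The following Python sketch is an added illustration of that decision and is not code from the thread, from OASIS, or from any SAML implementation. It builds a constructed, unsigned SAML 1.0 assertion, reads the confirmation method and validity window, and applies a relying-party policy: artifact-confirmed assertions are accepted once, in the SSO exchange only; bearer-style assertions are accepted within their lifetime, downstream only if the operator opts in (Scott's "SSO only" reading is the default). The confirmation-method URIs are the SAML 1.0 ones and are assumed here; the `RelyingParty` class and its policy flag are hypothetical.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
# SAML 1.0 confirmation-method URIs (assumed; the thread names the methods only informally).
CM_ARTIFACT = "urn:oasis:names:tc:SAML:1.0:cm:artifact-01"
CM_SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"
CM_BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
BEARER_LIKE = {CM_SENDER_VOUCHES, CM_BEARER}


def _q(tag):
    return "{%s}%s" % (SAML1_NS, tag)


def _ts(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def make_assertion(assertion_id, method, not_before, not_on_or_after):
    """Constructed sample: a minimal SAML 1.0 assertion with one confirmation method, no signature."""
    return f"""<saml:Assertion xmlns:saml="{SAML1_NS}" AssertionID="{assertion_id}"
    MajorVersion="1" MinorVersion="0" Issuer="https://idp.example.org">
  <saml:Conditions NotBefore="{_ts(not_before)}" NotOnOrAfter="{_ts(not_on_or_after)}"/>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="{_ts(not_before)}">
    <saml:Subject>
      <saml:NameIdentifier>alice</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>{method}</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Pull out the fields the relying-party decision needs."""
    root = ET.fromstring(xml_text)
    conds = root.find(_q("Conditions"))
    methods = {m.text.strip() for m in root.iter(_q("ConfirmationMethod"))}
    return {
        "id": root.get("AssertionID"),
        "not_before": _parse_ts(conds.get("NotBefore")),
        "not_on_or_after": _parse_ts(conds.get("NotOnOrAfter")),
        "methods": methods,
    }


class RelyingParty:
    """Hypothetical RP policy: confirmation method decides whether reuse is possible at all."""

    def __init__(self, allow_downstream_bearer=False):
        self.allow_downstream_bearer = allow_downstream_bearer
        self._used_artifacts = set()  # enforces single use of the artifact itself

    def accept(self, xml_text, now, context, artifact=None):
        """context is 'sso' (this RP just dereferenced the artifact) or 'downstream'
        (the assertion is being handed on to another component). Returns (ok, reason)."""
        a = parse_assertion(xml_text)
        if not (a["not_before"] <= now < a["not_on_or_after"]):
            return False, "outside validity window"
        if CM_ARTIFACT in a["methods"]:
            # Step 3 of the exchange: confirmation is the artifact exchange itself,
            # so nothing downstream can confirm the subject again.
            if context != "sso":
                return False, "artifact-confirmed assertion is not reusable downstream"
            if artifact is None:
                return False, "no artifact presented"
            if artifact in self._used_artifacts:
                return False, "artifact already consumed"
            self._used_artifacts.add(artifact)
            return True, "accepted: artifact dereferenced and consumed"
        if a["methods"] & BEARER_LIKE:
            # Bearer-style: only the lifetime and local policy limit reuse.
            if context == "downstream" and not self.allow_downstream_bearer:
                return False, "bearer-style assertion restricted to SSO by policy"
            return True, "accepted: bearer-style confirmation within lifetime"
        return False, "unsupported confirmation method"


def run_scenarios():
    """Walks the three-step exchange from the thread and the downstream-reuse question."""
    t0 = datetime(2002, 1, 1, 12, 0, tzinfo=timezone.utc)
    art = make_assertion("_a1", CM_ARTIFACT, t0, t0 + timedelta(minutes=5))
    sv = make_assertion("_a2", CM_SENDER_VOUCHES, t0, t0 + timedelta(minutes=5))
    rp = RelyingParty()
    now = t0 + timedelta(seconds=30)
    return {
        "sso_artifact": rp.accept(art, now, "sso", artifact="ART-constructed-1")[0],
        "replay_artifact": rp.accept(art, now, "sso", artifact="ART-constructed-1")[0],
        "downstream_artifact": rp.accept(art, now, "downstream")[0],
        "downstream_sv_strict": rp.accept(sv, now, "downstream")[0],
        "downstream_sv_lenient": RelyingParty(allow_downstream_bearer=True).accept(sv, now, "downstream")[0],
        "expired_sv": RelyingParty(allow_downstream_bearer=True).accept(sv, t0 + timedelta(minutes=10), "downstream")[0],
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The `allow_downstream_bearer` flag is where Ron's question lands: an operator who judges the reuse risk acceptable for its downstream components can enable it, but the artifact-confirmed branch stays single-use regardless, and a signature check would sit before `parse_assertion` in any real deployment.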