OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: draft-sstc-session-management-01


Section 3, Requirements, item 8 states "...the session authority should have control over this [timeout periods]...".

It would seem that the ultimate authority for timeouts would be controlled by the service provider.  The service provider owns the resources and should have final say in the applicable security policies to be applied.

Second in authority might be the session authority, and lastly the user.  However, a session authority should be able to specify shorter timeout periods than those dictated by the service provider, but not longer.  Similar restraints would apply to the user specifying timeout periods -- shorter, but not longer than either the session authority or the service provider.

Make sense?

Mike Beach, CISSP
Associate Technical Fellow
IT Access and Security
The Boeing Company
(425) 865-4404


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]