Subject: RE: draft-sstc-session-management-01
Section 3, Requirements, item 8 states "...the session authority should have control over this [timeout periods]...".
It would seem that the ultimate authority for timeouts would be controlled by the service provider. The service provider owns the resources and should have final say in the applicable security policies to be applied.
Second in authority might be the session authority, and lastly the user. However, a session authority should be able to specify shorter timeout periods than those dictated by the service provider, but not longer. Similar restraints would apply to the user specifying timeout periods -- shorter, but not longer than either the session authority or the service provider.
Mike Beach, CISSP
Associate Technical Fellow
IT Access and Security
The Boeing Company
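As an added illustration, not part of the draft or of this message, here is a small Python resolver for the precedence argued above: the service provider sets the ceiling, and each lower tier (session authority, then user) may only shorten it. The tier names, the dataclass and the strict/clamp switch are my own assumptions, not anything the draft specifies.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the timeout hierarchy discussed in the message.
# Descending authority: service provider > session authority > user.
# A lower tier may shorten the timeout it inherits but never lengthen it.


class TimeoutPolicyError(ValueError):
    """Raised when a tier asks for a longer timeout than its ceiling allows."""


@dataclass(frozen=True)
class TimeoutRequest:
    service_provider: int                 # seconds; the authoritative ceiling
    session_authority: Optional[int] = None  # None = no preference expressed
    user: Optional[int] = None               # None = no preference expressed


def effective_timeout(req: TimeoutRequest, strict: bool = True) -> int:
    """Resolve the timeout that applies to the session, in seconds.

    strict=True  rejects any tier that tries to exceed its ceiling.
    strict=False clamps an over-long request down to the ceiling instead.
    """
    ceiling = req.service_provider
    if ceiling <= 0:
        raise TimeoutPolicyError("service provider must set a positive timeout")
    tiers = (("session authority", req.session_authority), ("user", req.user))
    for name, value in tiers:
        if value is None:
            continue  # tier stays silent, so it inherits the current ceiling
        if value <= 0:
            raise TimeoutPolicyError(f"{name} timeout must be positive")
        if value > ceiling:
            if strict:
                raise TimeoutPolicyError(
                    f"{name} requested {value}s but the ceiling is {ceiling}s")
            value = ceiling  # clamp: the lower tier cannot extend the session
        ceiling = value  # this tier's choice becomes the ceiling for the next
    return ceiling
```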