[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [security-services] Dynamic Session Proposal
Hal,

Thanks for this. Comments inline:

ext John Kemp wrote:

<snip/>

> Various values must be agreed upon by the SA and SPs. This can be done on
> line or via out of band agreement. This mechanism is not discussed.

Agreed.

> The issue of who is allowed to force an administrative logout is not
> addressed by this proposal.

Agreed.

> In addition, there is the issue of the relationship between Authentication
> Acts and Sessions. If a session can be associated with more than one
> Authentication Act (i.e. Authentication Statement) then there must be some
> rule as to how the SA knows whether two AuthN Stmnts should be associated
> with the same session. I propose this be left as an implementation option.
> However, this may require defining additional messages to this proposal to
> allow an SP to discover additional AuthN Stmnts that happened after it
> first learned about the session.

So, although I know the stated case where an SA may deal with multiple AAs (i.e. the AA and SA may not be the same entity), I do not think we should preclude the AA and the SA being the same entity, in which case an SP might NOT send an auth statement to the SA, but expect to get an auth statement and a session statement.

> Message Exchanges:
>
>> From SP to SA
>
> <snip/>
>
> End global session request - req - session id, type - user or admin
>
> End global session request - resp - ok or denied

Is there a reason why you call this "global session request/response" and the message from the SA to the SP "logout request/response"? Are they not essentially the same messages?

> Activity report - a set of pairs of session id and touch time, for every
> session it knows about
>
> There is no response to an Activity report

I'm wondering if it wouldn't be better for this to be initiated by the SA, i.e. have the SA poll SPs prior to a "projected" (timeout-related) logout, and if no activity is reported, send the real (timeout) logout message?

>> From SA to SP
>
> Logout req - session id, reason: 1. common timeout 2. SP-specific timeout
> 3. User request 4. admin request
>
> Logout response - ok

See above.

- JohnK
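The message set quoted in this exchange, run as a small simulation so the two sides of the protocol can be seen together. This is an added example written for this page, not code from the proposal or from either correspondent. The class and field names, the direct method calls standing in for any real transport, the numeric reason codes taken from the quoted list, the admin allowlist used to decide who may force an administrative logout (a question the thread itself leaves open), and the timestamps are all constructed assumptions. The timeout sweep follows the SA-initiated polling variant suggested in the reply rather than the proposal's unsolicited activity report, and shows why it matters: activity seen by only one SP would otherwise be lost.

```python
"""Constructed simulation of the SA <-> SP session exchanges discussed above.
Everything is an illustrative assumption: class/field names, direct method
calls standing in for a transport, the admin allowlist, and the timestamps."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Logout reason codes, numbered as in the quoted proposal.
COMMON_TIMEOUT, SP_TIMEOUT, USER_REQUEST, ADMIN_REQUEST = 1, 2, 3, 4


@dataclass
class LogoutRequest:            # SA -> SP; the SP answers "ok"
    session_id: str
    reason: int


@dataclass
class EndGlobalSessionRequest:  # SP -> SA; kind is "user" or "admin"
    session_id: str
    kind: str
    requester: str              # assumed extra field: who is asking


class ServiceProvider:
    def __init__(self) -> None:
        self.touch: Dict[str, float] = {}       # session id -> last activity
        self.logouts: List[LogoutRequest] = []  # logouts received from the SA

    def touch_session(self, sid: str, now: float) -> None:
        self.touch[sid] = now

    def activity_report(self) -> Dict[str, float]:
        """(session id, touch time) pairs for every session this SP knows."""
        return dict(self.touch)

    def handle_logout(self, req: LogoutRequest) -> bool:
        """Logout request from the SA; the only defined response is 'ok'."""
        self.logouts.append(req)
        self.touch.pop(req.session_id, None)
        return True


class SessionAuthority:
    def __init__(self, common_timeout: float, admins: Set[str]) -> None:
        self.common_timeout = common_timeout
        self.admins = set(admins)    # assumption: the proposal leaves this open
        self.last_touch: Dict[str, float] = {}
        self.members: Dict[str, List[ServiceProvider]] = {}

    def register(self, sid: str, sp: ServiceProvider, now: float) -> None:
        # SP sp joins (or creates) session sid at time now.
        self.members.setdefault(sid, []).append(sp)
        self.last_touch.setdefault(sid, now)
        sp.touch_session(sid, now)

    def absorb_report(self, report: Dict[str, float]) -> None:
        """Activity report from an SP: no response is sent."""
        for sid, t in report.items():
            if sid in self.last_touch and t > self.last_touch[sid]:
                self.last_touch[sid] = t

    def _logout_everywhere(self, sid: str, reason: int) -> bool:
        self.last_touch.pop(sid, None)
        return all(sp.handle_logout(LogoutRequest(sid, reason))
                   for sp in self.members.pop(sid, []))

    def end_global_session(self, req: EndGlobalSessionRequest) -> bool:
        """End global session request: True means 'ok', False means 'denied'."""
        if req.session_id not in self.last_touch:
            return False
        if req.kind == "user":
            return self._logout_everywhere(req.session_id, USER_REQUEST)
        if req.kind == "admin" and req.requester in self.admins:
            return self._logout_everywhere(req.session_id, ADMIN_REQUEST)
        return False     # unknown type, or admin logout by a non-admin

    def check_timeouts(self, now: float) -> List[str]:
        """SA-initiated variant from the reply: poll every SP of an apparently
        idle session before sending the real timeout logout."""
        ended = []
        for sid in list(self.last_touch):
            if now - self.last_touch[sid] < self.common_timeout:
                continue
            for sp in self.members.get(sid, []):
                self.absorb_report(sp.activity_report())
            if now - self.last_touch[sid] >= self.common_timeout:
                self._logout_everywhere(sid, COMMON_TIMEOUT)
                ended.append(sid)
        return ended


def scenario() -> dict:
    # Constructed run: sp1 and sp2 share session s1; s2 exists only at sp1.
    sa = SessionAuthority(common_timeout=600, admins={"ops-admin"})
    sp1, sp2 = ServiceProvider(), ServiceProvider()
    sa.register("s1", sp1, now=0)
    sa.register("s1", sp2, now=0)
    sa.register("s2", sp1, now=0)
    sp2.touch_session("s1", 500)         # activity the SA has not heard about
    ended = sa.check_timeouts(now=700)   # s2 times out; polling rescues s1
    denied = sa.end_global_session(EndGlobalSessionRequest("s1", "admin", "alice"))
    ok = sa.end_global_session(EndGlobalSessionRequest("s1", "admin", "ops-admin"))
    return {"ended": ended, "denied": denied, "ok": ok,
            "sp1_reasons": [r.reason for r in sp1.logouts],
            "sp2_reasons": [r.reason for r in sp2.logouts],
            "remaining": sorted(sa.last_touch)}
```

In the constructed run the SA's own record says s1 has been idle for 700 time units, past the 600-unit common timeout, but polling sp2 before the projected logout turns up a touch at 500, so only s2 is ended with reason 1. The admin-type End global session request is denied for a principal outside the allowlist and honoured for one inside it, which then fans out as a Logout request with reason 4 to every SP in the session.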