OASIS Mailing List Archives
security-services message
Subject: Re: [security-services] Dynamic Session Proposal


Hal,

Thanks for this. Comments inline:

ext John Kemp wrote:

<snip/>

> Various values must be agreed upon by the SA and SPs. This can be done online
> or via out of band agreement. This mechanism is not discussed.

Agreed

> The issue of who is allowed to force an administrative logout is not
> addressed by this proposal.

Agreed

> 
> In addition, there is the issue of the relationship between Authentication
> Acts and Sessions. If a session can be associated with more than one
> Authentication Act (i.e. Authentication Statement) then there must be some
> rule as to how the SA knows whether two AuthN Stmnts should be associated
> with the same session. I propose this be left as an implementation option.
> However, this may require defining additional messages to this proposal to
> allow an SP to discover additional AuthN Stmnts that happened after it
> first learned about the session.

So, although I know the stated case where an SA may deal with multiple
AAs (i.e. the AA and SA may not be the same entity), I do not think we
should preclude the AA and the SA being the same entity, in which case
an SP might NOT send an auth statement to the SA, but expect to get an
auth statement and a session statement.

> 
> Message Exchanges:
> 
> From SP to SA
> 

<snip/>

> End global session request - req - session id, type - user or admin
> 
> End global session request - resp - ok or denied

Is there a reason why you call this "global session request/response"
and the message from the SA to the SP "logout request/response"? Are
they not essentially the same messages?

> 
> Activity report - a set of pairs of session id and touch time, for every
> session it knows about
> There is no response to an Activity report

I'm wondering if it wouldn't be better for this to be initiated by the
SA, i.e. have the SA poll SPs prior to a "projected" (timeout-related)
logout, and if no activity is reported, send the real (timeout) logout
message?

> 
> From SA to SP
> 
> Logout req - session id, reason: 1. common timeout 2. SP-specific timeout
> 3. User request 4. admin request
> Logout response - ok
> 

See above.

- JohnK
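An added toy model (not code from the thread or from the proposal under discussion) of the exchanges quoted above: the SP-to-SA "end global session" request with a user/admin type, the SP-to-SA activity report of (session id, touch time) pairs with no response, and the SA-to-SP logout request carrying a reason. It also models the SA-initiated variant John suggests, where the SA polls SPs for activity before a projected timeout logout and only sends the real logout if nothing newer is reported. The timeout value, class names and method names are assumptions.

```python
from dataclasses import dataclass, field

COMMON_TIMEOUT = 300  # assumed common inactivity timeout, in seconds


@dataclass
class ServiceProvider:
    touch: dict = field(default_factory=dict)    # session id -> last activity time
    logouts: list = field(default_factory=list)  # (session id, reason) received

    def activity_report(self):
        # SP -> SA: pairs of session id and touch time; no response expected
        return dict(self.touch)

    def logout_request(self, session_id, reason):
        # SA -> SP: logout request with reason; the response is always "ok"
        self.touch.pop(session_id, None)
        self.logouts.append((session_id, reason))
        return "ok"


class SessionAuthority:
    def __init__(self, sps):
        self.sps = sps
        self.sessions = {}  # session id -> latest touch time known to the SA

    def accept_activity_report(self, report):
        for sid, t in report.items():
            if sid in self.sessions:
                self.sessions[sid] = max(self.sessions[sid], t)

    def end_global_session(self, session_id, requester):
        # SP -> SA: session id plus type ("user" or "admin"); resp ok or denied
        if session_id not in self.sessions:
            return "denied"
        self._logout_all(session_id, f"{requester} request")
        return "ok"

    def expire_sessions(self, now):
        # SA-initiated variant: poll SPs before a projected timeout logout and
        # only log out if no SP reports activity newer than the SA has seen
        for sid in list(self.sessions):
            if now - self.sessions[sid] < COMMON_TIMEOUT:
                continue
            for sp in self.sps:
                self.accept_activity_report(sp.activity_report())
            if now - self.sessions[sid] >= COMMON_TIMEOUT:
                self._logout_all(sid, "common timeout")

    def _logout_all(self, sid, reason):
        for sp in self.sps:
            sp.logout_request(sid, reason)
        del self.sessions[sid]
```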
