OASIS Mailing List Archives

security-services message

Subject: Re: [security-services] Dynamic Sessions Proposal (long)


ext Anthony Nadalin wrote:
>  > I look forward to discussing this at the meeting, but comments are 
> also welcome in response to this email.
> 
> How does this solve the use case where sub-sessions are needed if the 
> session is tied to a single AssertionID? Did I miss something?

The session authority for the "sub-session" accounts and maintains state 
for whatever is tied to the session ID. Sessions are all in the eye of 
the beholder. It doesn't matter whether you use the assertion or some 
other protocol element to indicate the session in the protocol. The 
session authority can still be hierarchically linked to a "higher 
authority".

> 
>  > When the Principal invokes the single logout process at a service
>  > provider, the service provider MUST send a <LogoutRequest> message to
>  > the session authority that provided the authentication service related
>  > to that session at the service provider.
> 
> What happens if an SP sends the request to the AS and the SA never 
> responds, or there is a timing issue in processing requests? How does 
> the Principal know the outcome? Not sure that I would trust an SP to 
> terminate sessions held by an SA.
> 

If the SP sends the message and there is no response from the SA, the SP 
is still free to log the Principal out at their site, and can inform the 
Principal that they were unable to communicate their logout to other 
participants in the session.

>  > Recipients MUST validate any signature present on the messages
>  > specified in this protocol. To be considered valid, the signature
>  > provided must be the signature of the <Issuer> contained in the
>  > message.
> 
> All Messages ?

I'm not sure I understand your reference. If there's a signature on the 
Request/Response message, you MUST validate it. The signature provided 
must be that of the Issuer identified in the message itself.

- JohnK
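The two points argued in the reply above, as an added example that is not part of the original message nor of any OASIS specification: a service provider sends a LogoutRequest to its session authority, ends the Principal's local session whether or not the authority ever answers (telling the Principal when the remote logout is unconfirmed), and accepts a signed message only when the signature verifies under the key bound to the Issuer that the message itself names. Python; the per-issuer HMAC keys stand in for XML Signature, and the entity IDs, session indexes and status strings are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed for this example: per-issuer HMAC keys stand in for the XML
# Signature keys a deployment would bind to an entity ID through metadata.
# Entity IDs, session indexes and status strings are assumptions, not values
# taken from the original message or from any SAML specification.
TRUSTED_KEYS = {
    "https://sa.example.org": b"session-authority-key",
    "https://sp.example.com": b"service-provider-key",
}


def sign(issuer, body):
    """Attach a signature bound to the named Issuer (HMAC stand-in for ds:Signature)."""
    msg = {"Issuer": issuer, **body}
    payload = json.dumps(msg, sort_keys=True).encode()
    msg["Signature"] = hmac.new(TRUSTED_KEYS[issuer], payload, hashlib.sha256).hexdigest()
    return msg


def validate_signature(msg):
    """True only if the signature verifies under the key of the Issuer the message names."""
    key = TRUSTED_KEYS.get(msg.get("Issuer"))
    sig = msg.get("Signature")
    if key is None or sig is None:
        return False
    body = {k: v for k, v in msg.items() if k != "Signature"}
    expected = hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


class SessionAuthority:
    """Tracks which participants share each session; can be set to never answer."""

    def __init__(self, entity_id, responsive=True):
        self.entity_id = entity_id
        self.responsive = responsive
        self.sessions = {}  # session index -> set of participant entity IDs

    def handle_logout_request(self, req):
        if not self.responsive:
            return None  # the SA never responds; the SP experiences a timeout
        if not validate_signature(req) or req.get("Type") != "LogoutRequest":
            return sign(self.entity_id, {"Type": "LogoutResponse", "Status": "Requester",
                                         "InResponseTo": req.get("ID")})
        participants = self.sessions.pop(req["SessionIndex"], set())
        # A full SLO would now notify every other participant; here the SA
        # simply reports which participants it dropped from the session.
        return sign(self.entity_id, {"Type": "LogoutResponse", "Status": "Success",
                                     "InResponseTo": req["ID"],
                                     "Terminated": sorted(participants)})


class ServiceProvider:
    """Initiates single logout and ends its own session whatever the SA does."""

    def __init__(self, entity_id, session_authority):
        self.entity_id = entity_id
        self.sa = session_authority
        self.local_sessions = {}  # principal -> session index issued by the SA

    def single_logout(self, principal):
        session_index = self.local_sessions.get(principal)
        if session_index is None:
            return {"local_logout": False, "remote_logout": "no-session"}
        req = sign(self.entity_id, {"Type": "LogoutRequest", "ID": "req-" + session_index,
                                    "Destination": self.sa.entity_id,
                                    "NameID": principal, "SessionIndex": session_index})
        resp = self.sa.handle_logout_request(req)
        # Local logout does not wait on the SA: the SP is free to end its own session.
        del self.local_sessions[principal]
        if resp is None:
            return {"local_logout": True, "remote_logout": "unconfirmed",
                    "notice": "You are logged out here, but the session authority could "
                              "not be reached to notify other participants."}
        if not validate_signature(resp) or resp.get("InResponseTo") != req["ID"]:
            return {"local_logout": True, "remote_logout": "rejected",
                    "notice": "Response discarded: signature is not the Issuer's, "
                              "or it does not answer our request."}
        return {"local_logout": True, "remote_logout": resp["Status"].lower(),
                "terminated": resp.get("Terminated", [])}


def run_scenarios():
    """Responsive SA, unresponsive SA, and a response relabelled with a forged Issuer."""
    sa = SessionAuthority("https://sa.example.org")
    sa.sessions["idx-42"] = {"https://sp.example.com", "https://sp2.example.net"}
    sp = ServiceProvider("https://sp.example.com", sa)
    sp.local_sessions["alice"] = "idx-42"
    normal = sp.single_logout("alice")

    silent_sa = SessionAuthority("https://sa.example.org", responsive=False)
    sp2 = ServiceProvider("https://sp.example.com", silent_sa)
    sp2.local_sessions["bob"] = "idx-7"
    timed_out = sp2.single_logout("bob")

    # Signed with the SP's key but claiming to come from the SA: must be rejected.
    forged = sign("https://sp.example.com", {"Type": "LogoutResponse", "Status": "Success"})
    forged["Issuer"] = "https://sa.example.org"
    return {"normal": normal, "timed_out": timed_out,
            "forged_valid": validate_signature(forged),
            "bob_still_logged_in": "bob" in sp2.local_sessions}


if __name__ == "__main__":
    print(json.dumps(run_scenarios(), indent=2))
```

The check in `validate_signature` looks the key up by the Issuer the message carries, not by whoever delivered it, which is what makes relabelling a message from another party fail; and `single_logout` deletes the local session before inspecting the response, so an unresponsive or misbehaving authority can only leave the remote logout unconfirmed, never keep the Principal logged in at the SP.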

