Subject: Re: [security-services] SSO validity period




RL 'Bob' Morgan wrote on 4/6/2004, 4:36 AM:
 >
 > So, is there a problem?  If the validity period conditions are to have
 > their straightforward function as an overall limit on the life of the
 > assertion as a processable thing, then yes, setting this time short to
 > deal with SSO threats pretty much eliminates its use for multi-tier
 > cases.  You can make an argument, and I guess Liberty does this, that
 > a profile is free to say:  well, in my profile we ignore the validity
 > period and process the assertion anyway (eg, in the case where an
 > issuer is processing its own assertion).

One thing to note is that in Liberty, the subsequent (non-SSO) use of
the token is between two known, authenticated parties, so the issues
related to a bearer token being "stolen" are null and void (only the
entity in the "audience" can present the assertion and only to the
issuer).

So, the reason for the short validity period (in order to reduce the
risk of the SSO bearer token being stolen and presented by somebody
other than the intended user) is no longer a concern here.

That said, I still think there should be some guidance to this effect
and that there should be another timeframe included that even restricts
this window (of course, this second timeframe should be optional as it
is not needed in all use cases).

Conor
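As an added illustration of the two timeframes discussed in this thread (example code, not from the thread, OASIS or Liberty), the check below enforces the overall validity period and audience restriction on every use, and applies a hypothetical optional shorter window, measured from IssueInstant, only when the assertion is presented as a browser SSO bearer token. The SAML 2.0 assertion namespace, the sample assertion and the parameter names are assumptions.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample assertion: one-hour overall validity, one named audience.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_a1" Version="2.0" IssueInstant="2004-04-06T12:00:00Z">
  <saml:Issuer>https://idp.example/</saml:Issuer>
  <saml:Conditions NotBefore="2004-04-06T12:00:00Z"
                   NotOnOrAfter="2004-04-06T13:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def saml_time(value):
    # SAML dateTime values are UTC and written with a trailing 'Z'.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_conditions(xml_text, now_utc, audience, bearer_sso,
                     sso_window_s=None, skew_s=30):
    """Return the reasons for rejecting the assertion (empty list = accept).
    bearer_sso:   True for a browser-presented SSO bearer token; False on the
                  back channel between two known, authenticated parties.
    sso_window_s: hypothetical optional second timeframe: max age since
                  IssueInstant during which a bearer presentation is accepted."""
    root = ET.fromstring(xml_text)  # real code: verify the XML signature first
    now, skew = saml_time(now_utc), timedelta(seconds=skew_s)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return ["missing Conditions"]
    problems = []
    # Overall validity period: the life of the assertion as a processable thing.
    if now + skew < saml_time(cond.get("NotBefore")):
        problems.append("not yet valid")
    if now - skew >= saml_time(cond.get("NotOnOrAfter")):
        problems.append("validity period expired")
    # Audience restriction: only the named relying party may consume it.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        problems.append("audience mismatch")
    # The shorter window applies only to the bearer SSO presentation.
    if bearer_sso and sso_window_s is not None:
        age = now - saml_time(root.get("IssueInstant"))
        if age > timedelta(seconds=sso_window_s) + skew:
            problems.append("SSO window exceeded")
    return problems
```

With the same assertion, a bearer presentation twenty minutes after issuance fails the five-minute SSO window while a back-channel presentation at the same time is still accepted, which is the distinction the thread draws.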