Subject: Re: [security-services] SSO validity period
RL 'Bob' Morgan wrote on 4/6/2004, 4:36 AM:
>
> So, is there a problem? If the validity period conditions are to have
> their straightforward function as an overall limit on the life of the
> assertion as a processable thing, then yes, setting this time short to
> deal with SSO threats pretty much eliminates its use for multi-tier
> cases. You can make an argument, and I guess Liberty does this, that
> a profile is free to say: well, in my profile we ignore the validity
> period and process the assertion anyway (eg, in the case where an
> issuer is processing its own assertion).

One thing to note is that in Liberty, the subsequent (non-SSO) use of the token is between two known, authenticated parties, so the issues related to a bearer token being "stolen" are null and void (only the entity in the "audience" can present the assertion and only to the issuer). So, the reason for the short validity period (in order to reduce the risk of the SSO bearer token being stolen and presented by somebody other than the intended user) is no longer a concern here.

That said, I still think there should be some guidance to this effect and that there should be another timeframe included that even restricts this window (of course, this second timeframe should be optional as it is not needed in all use cases).

Conor
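The two presentation modes Conor contrasts, worked through as an added Python example (not code from the thread, the SSTC or Liberty): a bearer SSO presentation enforces the short NotBefore/NotOnOrAfter window, while the issuer taking its own assertion back from an authenticated party named in the Audience ignores that window and applies only an optional secondary timeframe. The SAML 2.0 namespace, the sample assertion and the `reuse_window` parameter are assumptions made for the example.

```python
"""Evaluate SAML 2.0 <Conditions> under the two presentation modes in the thread.
Constructed example, not code from the SSTC or Liberty."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}  # assumed SAML 2.0 namespace
# Constructed sample: five-minute SSO window, one audience (the SP).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Version="2.0" ID="_constructed" IssueInstant="2004-04-06T04:36:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Conditions NotBefore="2004-04-06T04:36:00Z" NotOnOrAfter="2004-04-06T04:41:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def utc_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate(xml, now, receiver, presenter=None,
             skew=timedelta(seconds=30), reuse_window=None):
    """Return (accepted, reason).
    Bearer SSO (presenter is None): 'receiver' is the SP; it must be a listed
    Audience and 'now' must lie in [NotBefore, NotOnOrAfter) allowing 'skew'.
    Multi-tier (presenter given): the issuer takes its own assertion back from
    an authenticated party. The SSO window is ignored; the presenter must be a
    listed Audience, the receiver must be the Issuer, and the hypothetical
    'reuse_window' (measured from IssueInstant) optionally bounds reuse."""
    root = ET.fromstring(xml)
    cond = root.find("saml:Conditions", NS)
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if presenter is None:  # bearer SSO: the short window is the replay defence
        if audiences and receiver not in audiences:
            return False, "receiver is not an intended audience"
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < utc_time(nb):
            return False, "not yet valid"
        if na and now - skew >= utc_time(na):
            return False, "SSO validity window expired"
        return True, "bearer presentation within validity window"
    # multi-tier: known, authenticated party returns the assertion to its issuer
    if receiver != root.findtext("saml:Issuer", namespaces=NS):
        return False, "only the issuer may accept its assertion back"
    if presenter not in audiences:
        return False, "presenter is not the audience named in the assertion"
    if reuse_window is not None and now - utc_time(root.get("IssueInstant")) > reuse_window:
        return False, "secondary reuse window exceeded"
    return True, "authenticated-party presentation accepted"
```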