Subject: Re: [security-services] SSO validity period
On Tue, 6 Apr 2004, Conor P. Cahill wrote:

> One thing to note is that in Liberty, the subsequent (non-SSO) use of
> the token is between two known, authenticated parties, so the issues
> related to a bearer token being "stolen" are null and void (only the
> entity in the "audience" can present the assertion, and only to the
> issuer).
>
> So, the reason for the short validity period (in order to reduce the
> risk of the SSO bearer token being stolen and presented by somebody
> other than the intended user) is no longer a concern here.
>
> That said, I still think there should be some guidance to this effect
> and that there should be another timeframe included that even restricts
> this window (of course, this second timeframe should be optional as it
> is not needed in all use cases).

I'm not sure which "this window" you're referring to, but I think that
even if stolen bearer token issues go away in the scenario you describe,
there is still a need for a generic validity period (as described in my
other note, the "throw-away-after" date) in this case.

- RL "Bob"
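The two controls the thread is weighing, an audience restriction and a bounded validity window, are both expressed in the Conditions element of a SAML assertion. The following is an added example, not code from either poster or from the OASIS specifications: a relying-party check over a constructed SAML 2.0-style assertion (the entity IDs, timestamps and the ten-minute local lifetime cap are made up) showing that the audience check alone rejects a stolen copy presented by the wrong party, while the expiry check is still what stops the intended audience replaying it indefinitely. Signature verification is assumed to have happened before these checks run.

```python
"""Audience and validity-window checks on a SAML-style assertion.

Added example, not from the thread. The assertion below is constructed for
illustration (made-up entity IDs and times); it uses the SAML 2.0 assertion
namespace so that ElementTree namespace lookups behave as they would on a
real assertion.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample: issued for one audience, five-minute validity window.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2004-04-06T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Conditions NotBefore="2004-04-06T12:00:00Z"
                   NotOnOrAfter="2004-04-06T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_instant(value):
    """Parse a SAML UTC dateTime of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_conditions(assertion_xml, my_entity_id, now,
                        skew=timedelta(seconds=60),
                        max_lifetime=timedelta(minutes=10)):
    """Evaluate <saml:Conditions> as a relying party. Returns (accepted, reason).

    1. NotOnOrAfter must be present: without an expiry the assertion can be
       replayed forever, however narrow the audience.
    2. `now` (allowing for clock skew) must lie in [NotBefore, NotOnOrAfter).
    3. The issuer's window must not exceed a local maximum lifetime. This is
       a relying-party policy knob assumed here, not a SAML requirement.
    4. An AudienceRestriction must exist and name us; this is what makes a
       stolen copy useless to anyone but the intended audience. Rejecting
       assertions with no audience at all is a strict local policy choice.
    """
    root = ET.fromstring(assertion_xml)
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        return False, "no Conditions element"

    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after is None:
        return False, "no NotOnOrAfter: unbounded lifetime"
    expiry = parse_instant(not_on_or_after)
    if now - skew >= expiry:
        return False, "expired"

    not_before = conditions.get("NotBefore")
    if not_before is not None:
        start = parse_instant(not_before)
        if now + skew < start:
            return False, "not yet valid"
        if expiry - start > max_lifetime:
            return False, "validity window exceeds local policy"

    audiences = [a.text.strip()
                 for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)
                 if a.text]
    if not audiences:
        return False, "no AudienceRestriction: bearer assertion"
    if my_entity_id not in audiences:
        return False, "audience mismatch"
    return True, "ok"


def demo():
    """Run the constructed assertion through the checks from several vantage points."""
    sp, other = "https://sp.example.com", "https://attacker.example.net"
    t = parse_instant("2004-04-06T12:02:00Z")
    return {
        "intended audience, in window": validate_conditions(SAMPLE_ASSERTION, sp, t),
        "stolen copy, wrong audience": validate_conditions(SAMPLE_ASSERTION, other, t),
        "intended audience, after expiry":
            validate_conditions(SAMPLE_ASSERTION, sp, t + timedelta(minutes=10)),
        "30s before NotBefore, inside skew":
            validate_conditions(SAMPLE_ASSERTION, sp, t - timedelta(minutes=2, seconds=30)),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The order of the checks matters less than the fact that all of them run: the audience check answers the theft scenario in the quoted message, and NotOnOrAfter (together with a local cap on how long a window the relying party will honour) is the generic "throw-away-after" bound the reply argues for.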