Subject: Re: [security-services] SSO validity period



On Tue, 6 Apr 2004, Conor P. Cahill wrote:

> One thing to note is that in Liberty, the subsequent (non-SSO) use of
> the token is between two known, authenticated parties, so the issues
> related to a bearer token being "stolen" are null and void (only the
> entity in the "audience" can present the assertion and only to the
> issuer).
>
> So, the reason for the short validity period (in order to reduce the
> risk of the SSO bearer token being stolen and presented by somebody
> other than the intended user) is no longer a concern here.
>
> That said, I still think there should be some guidance to this effect
> and that there should be another timeframe included that even restricts
> this window (of course, this second timeframe should be optional as it
> is not needed in all use cases).

I'm not sure which "this window" you're referring to, but I think that
even if stolen bearer token issues go away in the scenario you describe,
there is still a need for a generic validity period (as described in my
other note, the "throw-away-after" date) in this case.

 - RL "Bob"
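As an added illustration of the two timeframes discussed in this exchange (not code from the thread, the list, or any SAML specification): a small relying-party check that models a generic "throw-away-after" validity period that applies to every use of an assertion, plus an optional, shorter window that applies only when the assertion is presented as a bearer token in SSO, and that also enforces the audience restriction that makes a non-bearer presentation safe. The field names, the constructed timestamps, and the 30-second clock-skew allowance are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Clock skew we tolerate between issuer and relying party (assumed value).
DEFAULT_SKEW = timedelta(seconds=30)


@dataclass
class Assertion:
    """Minimal model of an assertion; field names are assumptions, not spec names."""
    issuer: str
    audience: str                    # the one party allowed to present/consume it
    not_before: datetime
    not_on_or_after: datetime        # generic "throw-away-after" bound for every use
    sso_not_on_or_after: Optional[datetime] = None  # optional tighter window for bearer (SSO) use


def check_assertion(a: Assertion, expected_audience: str, presented_as_bearer: bool,
                    now: datetime, skew: timedelta = DEFAULT_SKEW) -> List[str]:
    """Return the list of rejection reasons; an empty list means accept."""
    reasons = []

    # Audience restriction: only the named party may present or consume the assertion.
    if a.audience != expected_audience:
        reasons.append("audience mismatch")

    # Generic validity period, applied regardless of how the assertion is presented.
    if now < a.not_before - skew:
        reasons.append("not yet valid")
    if now >= a.not_on_or_after + skew:
        reasons.append("expired (generic validity period)")

    # Shorter window only matters when the assertion is used as a bearer token
    # (e.g. carried through the browser during SSO), where theft is the concern.
    if presented_as_bearer and a.sso_not_on_or_after is not None \
            and now >= a.sso_not_on_or_after + skew:
        reasons.append("expired (SSO bearer window)")

    return reasons


def sample_assertion() -> Assertion:
    """Constructed sample: 8 hour generic lifetime, 5 minute SSO bearer window."""
    issued = datetime(2004, 4, 6, 12, 0, 0, tzinfo=timezone.utc)
    return Assertion(
        issuer="https://idp.example.test",
        audience="https://sp.example.test",
        not_before=issued,
        not_on_or_after=issued + timedelta(hours=8),
        sso_not_on_or_after=issued + timedelta(minutes=5),
    )


if __name__ == "__main__":
    a = sample_assertion()
    t = a.not_before
    for label, bearer, when in [
        ("bearer, 2 min after issue", True, t + timedelta(minutes=2)),
        ("bearer, 10 min after issue", True, t + timedelta(minutes=10)),
        ("back-channel, 10 min after issue", False, t + timedelta(minutes=10)),
        ("back-channel, 9 h after issue", False, t + timedelta(hours=9)),
    ]:
        print(label, "->", check_assertion(a, a.audience, bearer, when) or "accept")
```

The back-channel case (the audience presenting the assertion to the issuer over an authenticated channel) passes at ten minutes because only the generic period applies to it, while the same assertion presented as a bearer token at ten minutes is rejected by the shorter window; both are rejected once the generic period ends.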