security-services message



Subject: [security-services] Action Item 0177: Clarify OneTimeUse description (Updated)


Revised to mention clock skew.
==============================

Current text:

----
Indicates that the assertion SHOULD be used immediately by the relying party and MUST NOT be
retained for future use. Note that no relying party is required to perform caching. However, any that do so MUST observe this condition. This condition conveys one-time-use semantics, and is independent from the NotBefore and NotOnOrAfter condition information.

A SAML authority MUST NOT include more than one <OneTimeUse> element within a <Conditions>
element of an assertion.

For the purposes of determining the validity of the <Conditions> element, the <OneTimeUse> is
considered to always be valid.
----

Looking at this again, I am not sure what is wrong with it. Anything can be improved. How about?

----
In general, relying parties may choose to retain assertions (or the information they contain in some other form) and apply them repeatedly in making decisions. The <OneTimeUse> element allows an authority to indicate that the information in the assertion is likely to change very soon and fresh information should be obtained for each use. An example would be an Authorization Decision Statement which was the result of a policy which specified access control which was a function of the time of day.

If system clocks in a distributed environment could be precisely synchronized, then this requirement could be met by careful use of the validity interval. However, since some clock skew between systems will always be present, combined with unknown and possibly variable transmission delays, there is no convenient way for the issuer to appropriately limit the lifetime of an assertion without running a substantial risk that it will already have expired before it arrives.

The <OneTimeUse> element indicates that the assertion SHOULD be used immediately by the relying party and MUST NOT be retained for future use. Relying parties are always free to request a fresh assertion for every decision. However, implementations that choose to retain assertions for future use MUST observe the <OneTimeUse> element. This condition is independent from the NotBefore and NotOnOrAfter condition information.

A SAML authority MUST NOT include more than one <OneTimeUse> element within a <Conditions>
element of an assertion.

For the purposes of determining the validity of the <Conditions> element, the <OneTimeUse> is
considered to always be valid.
----

Well, it's longer... ;-)

Hal
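The relying-party side of the semantics proposed above, written out as an added example that is not part of this message or of any SAML specification text. It assumes the SAML 2.0 assertion namespace, a hypothetical 180-second clock-skew tolerance, and a constructed minimal assertion built by the make_assertion helper. It shows the three rules together: NotBefore/NotOnOrAfter are checked with skew tolerance, more than one OneTimeUse is rejected, and a valid assertion carrying OneTimeUse is acted upon but never retained in the cache.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: SAML 2.0 assertion namespace.
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}


def parse_saml_time(value: str) -> datetime:
    """Parse an xs:dateTime as written in SAML assertions (UTC, trailing 'Z')."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


@dataclass
class ConditionsResult:
    valid: bool       # may the relying party act on the assertion right now?
    cacheable: bool   # may it retain the assertion for a later decision?
    reason: str


def evaluate_conditions(assertion_xml: str, now: datetime,
                        skew_seconds: int = 180) -> ConditionsResult:
    """Evaluate <Conditions> the way a caching relying party must.

    The validity interval is checked with a tolerance for clock skew
    (skew_seconds is an assumed local policy value).  <OneTimeUse> never
    makes the Conditions invalid; it only forbids retention.
    """
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(assertion_xml)
    conds = root.find("saml:Conditions", NS)
    if conds is None:
        return ConditionsResult(True, True, "no Conditions element")

    one_time = conds.findall("saml:OneTimeUse", NS)
    if len(one_time) > 1:
        return ConditionsResult(False, False, "more than one OneTimeUse element")

    not_before = conds.get("NotBefore")
    if not_before is not None and now + skew < parse_saml_time(not_before):
        return ConditionsResult(False, False, "not yet valid (NotBefore)")
    not_on_or_after = conds.get("NotOnOrAfter")
    if not_on_or_after is not None and now - skew >= parse_saml_time(not_on_or_after):
        return ConditionsResult(False, False, "expired (NotOnOrAfter)")

    if one_time:
        return ConditionsResult(True, False, "valid; OneTimeUse forbids retention")
    return ConditionsResult(True, True, "valid; may be retained until NotOnOrAfter")


class AssertionCache:
    """Relying-party cache that observes OneTimeUse."""

    def __init__(self) -> None:
        self._store = {}

    def consider(self, assertion_xml: str, now: datetime,
                 skew_seconds: int = 180) -> ConditionsResult:
        result = evaluate_conditions(assertion_xml, now, skew_seconds)
        assertion_id = ET.fromstring(assertion_xml).get("ID", "")
        if result.valid and result.cacheable:
            self._store[assertion_id] = assertion_xml
        else:
            # never keep what must not be retained, even if seen before
            self._store.pop(assertion_id, None)
        return result

    def has(self, assertion_id: str) -> bool:
        return assertion_id in self._store


def make_assertion(assertion_id: str, not_before: str, not_on_or_after: str,
                   one_time_use: int = 0) -> str:
    """Build a constructed (not real) minimal assertion for demonstration."""
    otu = "<saml:OneTimeUse/>" * one_time_use
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="{assertion_id}" Version="2.0" '
        f'IssueInstant="{not_before}">'
        f'<saml:Issuer>https://idp.example.org</saml:Issuer>'
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
        f'{otu}</saml:Conditions></saml:Assertion>'
    )


if __name__ == "__main__":
    cache = AssertionCache()
    # Issuer allowed a 60-second window; this clock reads 25 s past NotOnOrAfter.
    now = parse_saml_time("2004-12-05T09:23:30Z")
    fresh = make_assertion("_tod1", "2004-12-05T09:22:05Z",
                           "2004-12-05T09:23:05Z", one_time_use=1)
    print(cache.consider(fresh, now), cache.has("_tod1"))
```

With the skew tolerance the assertion is accepted even though the local clock is past NotOnOrAfter, which is exactly the case Hal describes: the issuer cannot shrink the window far enough to force freshness, so OneTimeUse is what keeps the relying party from reusing it. Running the same assertion with skew_seconds=0 shows it rejected as expired.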

