OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [security-services] Groups - sstc-saml-holder-of-key-browser-sso-draft-03.odt (sstc-saml-holder-of-key-browser-sso-draft-03.odt) uploaded

On Tue, Jun 17, 2008 at 11:17 AM, Scott Cantor <cantor.2@osu.edu> wrote:
> Sec 4, line 489: I think this is confusing in context because in fact as the profile is written, you're NOT issuing reusable assertions and they should still have short confirmation windows. In SSO now, the assertion *validity period* is independent of that anyway, even with bearer.

Can you explain this further?  What is it about these assertions that
makes them not reusable?

> You *could* make the confirmation window longer, but why bother?

Because it potentially decreases the number of times the user has to
authenticate at the IdP, which has advantages in terms of both
usability and security.

> The assertion is still targeted via audience at the SP, and it's an SP-driven profile, so I don't think this is really the right vehicle to be pushing reusable assertions.

Reusable assertions are not being "pushed" in this profile.  Rather
reusable assertions are a by-product of this profile.  If not, can you
explain why not?


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]