Subject: Revised: Input to use case meeting
Ooops! The following paragraph is a little bit "shady".

> 4. Clock & State Dependencies
> ----------------------------------------
> S2ML v08.a: Not specified. Entitlements have validity but that is not equivalent to authentication time-out.
> Purple(tm): "Ticket" time-out (auth. state-holding requirement) is governed by receiving party (only) although
> Site A could in case of credential pulling indicate a max value it will hold a credential in storage.

You have three timings (at least) to consider:

1. Ticket time-out. This should be short as there is no need for long-lived tickets, and state-keeping in servers makes such things a potential problem. S2ML assumes strict clock synchronization between partners which makes short-lived objects very problematic. Purple(tm) depends *only* on the receiver's clock.

2. Assertion timeout/validity. A policy-oriented interval rather than technical issue. From minutes to weeks. Receiver should use difference rather than absolute values in order to not run into problems.

3. Web-session timeout. Outside of spec. IMO. Site-dependent setting.

Regards
Anders Rundgren
CTO X-OBI
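An added illustration of the clock-skew point made in items 1 and 2 above (this is editor-supplied example code, not part of Anders's message and not S2ML or Purple code). It models the two validation styles side by side: trusting the issuer's absolute expiry versus measuring the lifetime on the receiver's own clock from the moment of receipt. The `Assertion`/`Receiver` classes and all time values are constructed assumptions.

```python
"""Absolute-expiry vs receiver-relative validity under clock skew (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class Assertion:
    ticket_id: str
    issued_at: int   # issuer's clock at creation (seconds)
    lifetime: int    # intended validity interval (seconds)

    @property
    def not_after(self) -> int:
        # absolute expiry as the issuer would write it into the assertion
        return self.issued_at + self.lifetime


def valid_absolute(a: Assertion, receiver_clock: int) -> bool:
    """Strict-sync model: compare the issuer's absolute expiry to the receiver's clock."""
    return receiver_clock < a.not_after


@dataclass
class Receiver:
    """Receiver-only model: the receiver records when *it* first saw the ticket and
    measures the lifetime as a difference on its own clock."""
    first_seen: dict = field(default_factory=dict)

    def valid_relative(self, a: Assertion, receiver_clock: int) -> bool:
        seen = self.first_seen.setdefault(a.ticket_id, receiver_clock)
        return receiver_clock - seen < a.lifetime


def simulate(skew: int, lifetime: int = 60, elapsed: int = 10) -> tuple:
    """Issuer clock is taken as true time; the receiver runs `skew` seconds ahead (+)
    or behind (-). Returns (absolute_ok, relative_ok) for a check `elapsed` seconds
    after issue, with the ticket delivered at the moment of issue."""
    true_issue = 1_000_000  # constructed epoch-style timestamp
    a = Assertion("t-1", issued_at=true_issue, lifetime=lifetime)
    r = Receiver()
    r.valid_relative(a, true_issue + skew)          # receipt: record first sighting
    check_clock = true_issue + elapsed + skew        # receiver's clock at the later check
    return valid_absolute(a, check_clock), r.valid_relative(a, check_clock)


if __name__ == "__main__":
    for skew in (0, 120, -120):
        print(f"skew={skew:+d}s  absolute/relative ->", simulate(skew))
```

With the receiver two minutes ahead, a ten-second-old sixty-second ticket is rejected by the absolute check yet accepted by the relative one; two minutes behind, the absolute check keeps honouring the ticket after its lifetime has passed.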