OASIS Mailing List Archives

security-use message


Subject: Revised: Input to use case meeting

Oops! The following paragraph is a little bit "shady".

> 4. Clock & State Dependencies
> ----------------------------------------
> S2ML v08.a: Not specified. Entitlements have validity but that is not equivalent to authentication time-out.
> Purple(tm): "Ticket" time-out (auth. state-holding requirement) is governed by receiving party (only) although
> Site A could in case of credential pulling indicate a max value it will hold a credential in storage.

You have three timings (at least) to consider:
1. Ticket time-out.  This should be short as there is no need for long-lived tickets, and state-keeping in servers
makes such things a potential problem.  S2ML assumes strict clock synchronization between partners which makes
short-lived objects very problematic.  Purple(tm) depends *only* on the receiver's clock.
2. Assertion timeout/validity.   A policy-oriented interval rather than a technical issue.  From minutes to weeks.
Receiver should use difference rather than absolute values in order to not run into problems.
3. Web-session timeout.  Outside of spec. IMO.  Site-dependent setting.

Anders Rundgren
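As an added illustration of the first two timings in the message above (it is not part of Anders' message, nor code from the S2ML or Purple(tm) specifications), the following Python sketch contrasts checking an assertion's validity against the issuer's absolute timestamps with applying it as a difference measured on the receiver's own clock, and keeps a short-lived "ticket" whose expiry depends only on the receiver's clock. The `Assertion` and `TicketStore` shapes, their field names and the sample timestamps are constructed for this example.

```python
"""Added example: assertion validity and ticket timeout judged on the receiver's clock.

The Assertion/TicketStore shapes, field names and sample values below are
constructed for illustration; they are not S2ML or Purple(tm) wire formats.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Assertion:
    subject: str
    not_before: datetime   # stamped by the issuer's clock
    not_after: datetime    # stamped by the issuer's clock

    @property
    def validity(self) -> timedelta:
        """Validity interval as the difference of the issuer's own two timestamps.
        This value does not depend on any clock offset between issuer and receiver."""
        return self.not_after - self.not_before


def valid_by_absolute(a: Assertion, receiver_now: datetime,
                      skew: timedelta = timedelta(0)) -> bool:
    """Naive check: compares the issuer's absolute timestamps with the receiver's clock.
    Fails as soon as the two clocks differ by more than the allowed skew."""
    return a.not_before - skew <= receiver_now < a.not_after + skew


def valid_by_difference(a: Assertion, received_at: datetime, receiver_now: datetime) -> bool:
    """Receiver-clock check: the assertion is good for a.validity measured from the
    moment the receiver obtained it, so only the receiver's clock is consulted."""
    if a.validity <= timedelta(0):
        return False  # malformed or zero-length interval: reject rather than guess
    return timedelta(0) <= receiver_now - received_at < a.validity


@dataclass
class TicketStore:
    """Receiver-side state for short-lived tickets; expiry is on the receiver's clock only."""
    ticket_ttl: timedelta = timedelta(minutes=5)
    _issued: dict = field(default_factory=dict)

    def issue(self, ticket_id: str, subject: str, now: datetime) -> None:
        self._issued[ticket_id] = (subject, now)

    def lookup(self, ticket_id: str, now: datetime):
        """Return the subject if the ticket is still live, else None (dropping expired state)."""
        entry = self._issued.get(ticket_id)
        if entry is None:
            return None
        subject, issued_at = entry
        if now - issued_at >= self.ticket_ttl:
            del self._issued[ticket_id]   # short-lived state: do not keep it around
            return None
        return subject


# Constructed scenario: the issuer's clock runs 20 minutes ahead of the receiver's.
ISSUER_NOW = datetime(2001, 3, 1, 12, 20, tzinfo=UTC)
RECEIVER_NOW = datetime(2001, 3, 1, 12, 0, tzinfo=UTC)
SAMPLE = Assertion("alice", ISSUER_NOW, ISSUER_NOW + timedelta(minutes=10))


def demo() -> dict:
    """Run both validity checks on the skewed scenario plus a ticket lifecycle."""
    results = {}
    # Absolute comparison: the receiver believes the assertion is not yet valid.
    results["absolute_at_receipt"] = valid_by_absolute(SAMPLE, RECEIVER_NOW)
    # Difference comparison: 10-minute window measured from receipt on the receiver's clock.
    results["difference_at_receipt"] = valid_by_difference(SAMPLE, RECEIVER_NOW, RECEIVER_NOW)
    results["difference_after_10min"] = valid_by_difference(
        SAMPLE, RECEIVER_NOW, RECEIVER_NOW + timedelta(minutes=10))
    store = TicketStore(ticket_ttl=timedelta(minutes=5))
    store.issue("t1", "alice", RECEIVER_NOW)
    results["ticket_at_4min"] = store.lookup("t1", RECEIVER_NOW + timedelta(minutes=4))
    results["ticket_at_5min"] = store.lookup("t1", RECEIVER_NOW + timedelta(minutes=5))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the 20-minute skew, `valid_by_absolute` rejects a freshly received assertion unless the receiver is configured with a skew allowance at least that large, whereas `valid_by_difference` accepts it for exactly the issuer-declared 10 minutes from receipt. The ticket store never looks at any remote timestamp at all.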
