Subject: RE: Client Logoff was: RE: Minimize server state maintenance
I am copying the usecase and requirements list because there is a strong feeling that ALL requirements should be directed there (and debated there).

> [R-ClientLogoff] Client should have means of disposing of
> auth credentials

This needs to be defined carefully. I think most would agree in principle that a server logoff would mean that no one, even an attacker with stolen credentials, can get service once a logoff occurred.

But for a client logoff, how strong do you want the guarantees to be? Disposing of credentials only means a user of that client computer is logged off. This is particularly important if the scheme allows impersonation, proxying, replicated clients or any other scenario in which other systems can legitimately use a copy of the credentials.

A stronger requirement would involve invoking a server logoff at the request of the client. This could entail various levels of assurance to the client that the logoff occurred.

Hal
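The distinction drawn in the message above, as an added example that is not part of the original post or of any specification under discussion: a constructed model in which a server issues self-contained, MAC-protected credentials and keeps only a revocation set as state. The `Server` class, its method names and the credential layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class Server:
    """Constructed model: stateless credentials plus a revocation set."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._revoked = set()  # the only per-session state the server keeps

    def _mac(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, user, ttl=300):
        # Credential layout (hypothetical): user|session id|expiry|MAC
        body = f"{user}|{secrets.token_hex(8)}|{int(time.time()) + ttl}"
        return f"{body}|{self._mac(body)}"

    def _parse(self, cred):
        body, _, mac = cred.rpartition("|")
        if not hmac.compare_digest(mac.encode(), self._mac(body).encode()):
            return None  # forged or altered credential
        _, sid, exp = body.rsplit("|", 2)
        return sid, int(exp)

    def accepts(self, cred):
        parsed = self._parse(cred)
        return bool(parsed) and parsed[1] > time.time() and parsed[0] not in self._revoked

    def logoff(self, cred):
        # Server logoff at the client's request; the boolean is a plain acknowledgement.
        parsed = self._parse(cred)
        if parsed:
            self._revoked.add(parsed[0])
        return parsed is not None


def demo():
    server = Server()
    # Case 1: client logoff by disposal only; a proxy holds a legitimate copy.
    cred = server.issue("alice")
    proxy_copy, cred = cred, None
    valid_after_disposal = server.accepts(proxy_copy)
    # Case 2: the client invokes a server logoff before disposing of its copy.
    cred = server.issue("alice")
    proxy_copy = cred
    acknowledged = server.logoff(cred)
    cred = None
    valid_after_server_logoff = server.accepts(proxy_copy)
    return valid_after_disposal, acknowledged, valid_after_server_logoff
```

In this model, disposal alone leaves the proxy's copy usable until it expires, while the server logoff costs the server one stored session id per logged-off session.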