security-use message


Subject: RE: Client Logoff was: RE: Minimize server state maintenance

I am copying the usecase and requirements list because there is a strong
feeling that ALL requirements should be directed there (and debated there).

> [R-ClientLogoff] Client should have means of disposing of 
> auth credentials

This needs to be defined carefully. I think most would agree in principle
that a server logoff would mean that no one, even an attacker with stolen
credentials, can get service once a logoff occurred.

But for a client logoff how strong do you want the guarantees to be?
Disposing of credentials only means a user of that client computer is logged
off. This is particularly important if the scheme allows impersonation,
proxying, replicated clients or any other scenario in which other systems
can legitimately use a copy of the credentials.

A stronger requirement would involve invoking a server logoff at the
request of the client. This could entail various levels of assurance to the
client that the logoff occurred.
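The distinction drawn in the message above, shown as an added example that is not part of the original post or of any OASIS specification: a toy session model in which a client-side logoff only discards the local copy of a credential, while a server-side logoff revokes it for every holder and returns an acknowledgement. The class and function names (SessionServer, Client, the two demo functions) are illustrative assumptions, and the "replicated client" is simulated by simply copying the token string.

```python
"""Client logoff versus server logoff (illustrative example, not from the post).

A client logoff disposes of the credential held by one client; any copy that a
proxy, impersonator or replicated client legitimately holds keeps working.
A server logoff removes the credential from the server's live set, so no holder
can obtain service afterwards, and the server can acknowledge that it happened.
"""

import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


class SessionServer:
    """Authoritative record of which credentials are currently accepted."""

    def __init__(self) -> None:
        self._live: Dict[str, str] = {}  # token -> principal (constructed state)

    def login(self, principal: str) -> str:
        """Issue a fresh, unguessable credential for the principal."""
        token = secrets.token_hex(16)
        self._live[token] = principal
        return token

    def serve(self, token: Optional[str]) -> Optional[str]:
        """Return the principal if the presented credential is still live, else None."""
        if token is None:
            return None
        return self._live.get(token)

    def logoff(self, token: Optional[str]) -> bool:
        """Server logoff: revoke the credential for every holder.

        The boolean return is the assurance to the client that the logoff occurred
        (True) or that the credential was already unknown (False).
        """
        if token is None:
            return False
        return self._live.pop(token, None) is not None


@dataclass
class Client:
    """One client machine holding at most one copy of a credential."""

    server: SessionServer
    token: Optional[str] = None

    def login(self, principal: str) -> None:
        self.token = self.server.login(principal)

    def client_logoff(self) -> None:
        """Dispose of the local copy only; the server is not told."""
        self.token = None

    def request_server_logoff(self) -> bool:
        """Ask the server to revoke, then dispose locally; returns the server's ack."""
        ack = self.server.logoff(self.token)
        self.token = None
        return ack


def client_only_logoff_leaves_copies_valid() -> Tuple[bool, bool]:
    """After a client logoff: (original client still served?, copy still served?)."""
    server = SessionServer()
    original = Client(server)
    original.login("alice")
    replica = Client(server, token=original.token)  # legitimate copy (proxy/replica)
    original.client_logoff()
    return (
        server.serve(original.token) is not None,  # False: local copy is gone
        server.serve(replica.token) is not None,   # True: the copy still works
    )


def server_logoff_revokes_copies() -> Tuple[bool, bool]:
    """After a server logoff: (server acknowledged?, copy still served?)."""
    server = SessionServer()
    original = Client(server)
    original.login("alice")
    replica = Client(server, token=original.token)
    ack = original.request_server_logoff()
    return (ack, server.serve(replica.token) is not None)  # (True, False)


if __name__ == "__main__":
    print("client-only logoff:", client_only_logoff_leaves_copies_valid())
    print("server logoff:", server_logoff_revokes_copies())
```

The second demo is the weaker form of "assurance to the client": the server returns a single acknowledgement bit. Stronger forms mentioned in the thread (for example a signed confirmation the client can verify) would replace that boolean with a verifiable message, but the revocation semantics on the server side are the same.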
