ws-sx message

Subject: AI-2006-04-04-06 security consideration regarding token cancellation


I propose the following text to be added to the Security Consideration
section:

Both token cancellation bindings defined in this specification require
that the STS MUST NOT validate or renew the token after it has been
successfully canceled. The STS must take care to ensure that the token
is properly invalidated before confirming the cancel request or sending
the cancel notification to the client. This can be more difficult if the
token validation or renewal logic is physically separated from the
issuance and cancellation logic. It is out of scope of this spec how the
STS propagates the token cancellation to its other components. If the STS
cannot ensure that the token was properly invalidated it MUST NOT send
the cancel notification or confirm the cancel request to the client.

Thanks,
--Jan
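The ordering requirement in the proposed text (invalidate first, confirm only once invalidation is certain, never confirm if propagation fails) is easy to get wrong when validation and renewal run in a different component from issuance and cancellation. The following Python model is an added illustration, not code from the ws-sx specification or from this message: the class and method names (`RevocationStore`, `IssuanceAndCancelService`, `ValidationAndRenewalService`) and the failure-injection flag are assumptions made here, and the shared store stands in for whatever propagation mechanism a real STS deployment uses.

```python
"""Toy STS split into two components that share a revocation store.

Constructed example: the cancel operation only reports success after the
shared store has acknowledged the revocation, so the validation/renewal
component can never accept a token whose cancellation was confirmed.
"""
import secrets
from dataclasses import dataclass


class PropagationError(Exception):
    """Raised when the revocation could not be durably propagated."""


class RevocationStore:
    """Shared state consulted by every component before honouring a token.

    `fail_writes` is a constructed switch used to simulate a propagation
    failure between the cancellation and validation components.
    """

    def __init__(self, fail_writes: bool = False) -> None:
        self._revoked: set[str] = set()
        self.fail_writes = fail_writes

    def revoke(self, token_id: str) -> None:
        if self.fail_writes:
            raise PropagationError("revocation not acknowledged")
        self._revoked.add(token_id)

    def is_revoked(self, token_id: str) -> bool:
        return token_id in self._revoked


@dataclass(frozen=True)
class Token:
    token_id: str
    subject: str
    expires: int  # seconds since epoch, constructed clock


class IssuanceAndCancelService:
    """Issues tokens and handles cancel requests."""

    def __init__(self, store: RevocationStore) -> None:
        self.store = store
        self.issued: dict[str, Token] = {}

    def issue(self, subject: str, now: int, lifetime: int = 3600) -> Token:
        tok = Token(secrets.token_hex(16), subject, now + lifetime)
        self.issued[tok.token_id] = tok
        return tok

    def cancel(self, token_id: str) -> bool:
        """Return True only when the cancel may be confirmed to the client.

        The shared store is updated *before* any local bookkeeping, and a
        propagation failure yields False: the STS must not confirm a cancel
        it cannot prove has reached the validation/renewal path.
        """
        if token_id not in self.issued:
            return False  # unknown token: nothing to confirm
        try:
            self.store.revoke(token_id)
        except PropagationError:
            return False  # leave local state intact so the cancel can be retried
        del self.issued[token_id]
        return True


class ValidationAndRenewalService:
    """Physically separate component that validates and renews tokens."""

    def __init__(self, store: RevocationStore) -> None:
        self.store = store

    def validate(self, token: Token, now: int) -> bool:
        # Revocation is checked before expiry so a canceled token never passes.
        if self.store.is_revoked(token.token_id):
            return False
        return now < token.expires

    def renew(self, token: Token, now: int, lifetime: int = 3600):
        """Renew keeps the token id, so the revocation check still applies."""
        if not self.validate(token, now):
            return None
        return Token(token.token_id, token.subject, now + lifetime)


if __name__ == "__main__":
    store = RevocationStore()
    issuer = IssuanceAndCancelService(store)
    checker = ValidationAndRenewalService(store)
    tok = issuer.issue("alice", now=1000)
    print("valid before cancel:", checker.validate(tok, 1001))
    print("cancel confirmed:", issuer.cancel(tok.token_id))
    print("valid after cancel:", checker.validate(tok, 1001))
```

The interesting case is the store with `fail_writes=True`: `cancel` returns False and keeps the token in `issued`, which matches the proposed text's rule that an STS unable to ensure invalidation MUST NOT confirm the cancel; the client sees a failure rather than a confirmation it cannot rely on.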