Subject: Question regarding post-dating of tokens with WS-Trust
I received some additional questions from some RSA colleagues about the expected way of requesting and issuing post-dated tokens with WS-Trust.

First: From section 5 it looks as if the <wst:Renewing> element also goes in the issue RST to request that the issued token be renewable. The thing that is not clear is whether the wst:AllowPostdating element also goes in the issue RST to request that the issued token not only be renewable but renewable for a time in the future. If this is the case then the sequence would probably be something like this:

1. Client sends an initial RST using the Issuance Binding to the STS that includes the wst:AllowPostdating and wst:Renewing elements. The wst:Timestamp in the RST indicates that this initial token should immediately be valid (i.e. not postdated).
2. The STS returns a currently-valid token with the wst:AllowPostdating and wst:Renewing elements in the RSTR.
3. The Client now needs a postdated token, for example, to submit a batch processing job under its identity. The batch job will run at some future time (e.g. overnight).
4. Client sends its currently valid token to the STS in an RST using the Renewal Binding. The RST includes the previously issued token in the wst:RenewTarget element and a wst:Lifetime with a wsu:Created in the future.
5. The STS returns a token in an RSTR that has a wst:Lifetime element that has a wsu:Created element set to a time in the future.

Is this the correct understanding of how it should work?

Next: The other issue, implied by the description of the wsu:Created element, is that in the initial issue request, the Requester can request a postdated token simply by setting wst:Lifetime/wsu:Created to a time in the future and that this is independent of wst:AllowPostdating. Can someone clarify how these two items relate and should be used?

Thanks!
Rob Philpott RSA, the Security Division of EMC Senior Technologist | e-Mail: robert.philpott@rsa.com <rphilpott@rsa.com> | Office: (781) 515-7115 | Mobile: (617) 510-0893
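The five-step sequence proposed in the message, as an added example that is not part of the original post, the thread, or the OASIS specification text. It builds the issue RST (step 1) and the renewal RST (step 4) and adds an STS-side policy check that refuses a renewal with a future wsu:Created unless the original issuance granted wst:AllowPostdating. The element semantics follow the poster's proposed reading, not a confirmed spec answer; the namespace URIs are the WS-Trust 1.3 and WSS utility ones, the placeholder token element, the clock-skew allowance and the function names are assumptions made for the example.

```python
"""Build and check WS-Trust issue/renew messages for a postdated token.

Added example (not from the mailing-list thread or the WS-Trust spec text).
Semantics follow the poster's proposed reading of wst:AllowPostdating and
wst:Renewing; namespace URIs are the WS-Trust 1.3 / WSS utility ones (assumed).
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"                      # assumed: WS-Trust 1.3
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"wst": WST, "wsu": WSU}
ISSUE_URI = WST + "/Issue"
RENEW_URI = WST + "/Renew"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _wst(name):
    return "{%s}%s" % (WST, name)


def _lifetime(parent, created, expires):
    """Append <wst:Lifetime><wsu:Created/><wsu:Expires/></wst:Lifetime>."""
    lt = ET.SubElement(parent, _wst("Lifetime"))
    ET.SubElement(lt, "{%s}Created" % WSU).text = created.strftime(TS_FMT)
    ET.SubElement(lt, "{%s}Expires" % WSU).text = expires.strftime(TS_FMT)


def build_issue_rst(now, ttl, renewable=True, allow_postdating=True):
    """Step 1: Issuance Binding RST for a currently valid, renewable token."""
    rst = ET.Element(_wst("RequestSecurityToken"))
    ET.SubElement(rst, _wst("RequestType")).text = ISSUE_URI
    _lifetime(rst, now, now + ttl)          # Created == now: not postdated
    if renewable:
        ET.SubElement(rst, _wst("Renewing"), Allow="true")
    if allow_postdating:
        ET.SubElement(rst, _wst("AllowPostdating"))
    return rst


def constructed_token(token_id="tok-1"):
    """Constructed placeholder for the token the STS issued in step 2."""
    return ET.Element("{urn:example:placeholder}Token", id=token_id)  # assumed namespace


def build_renew_rst(token, created, ttl):
    """Step 4: Renewal Binding RST carrying the old token in wst:RenewTarget
    and a wst:Lifetime whose wsu:Created may lie in the future."""
    rst = ET.Element(_wst("RequestSecurityToken"))
    ET.SubElement(rst, _wst("RequestType")).text = RENEW_URI
    ET.SubElement(rst, _wst("RenewTarget")).append(token)
    _lifetime(rst, created, created + ttl)
    return rst


def requested_created(rst):
    """Return wst:Lifetime/wsu:Created as an aware UTC datetime, or None."""
    el = rst.find("wst:Lifetime/wsu:Created", NS)
    if el is None or not el.text:
        return None
    return datetime.strptime(el.text, TS_FMT).replace(tzinfo=timezone.utc)


def sts_check_renewal(rst, now, postdating_granted, skew=timedelta(minutes=5)):
    """STS-side policy under the poster's reading: a renewal whose Created is in
    the future is a postdating request, honoured only if the original issuance
    granted wst:AllowPostdating. Returns 'ok' or a 'reject: ...' reason."""
    if rst.findtext("wst:RequestType", namespaces=NS) != RENEW_URI:
        return "reject: not a renewal request"
    if rst.find("wst:RenewTarget", NS) is None or len(rst.find("wst:RenewTarget", NS)) == 0:
        return "reject: no RenewTarget"
    created = requested_created(rst)
    if created is None:
        return "ok"                          # no Lifetime: STS chooses validity
    if created > now + skew and not postdating_granted:
        return "reject: postdating not granted"
    return "ok"


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed clock
    issue = build_issue_rst(now, timedelta(hours=1))
    print(ET.tostring(issue).decode())
    renew = build_renew_rst(constructed_token(), now + timedelta(hours=8), timedelta(hours=2))
    print(sts_check_renewal(renew, now, postdating_granted=True))    # ok
    print(sts_check_renewal(renew, now, postdating_granted=False))   # reject: postdating not granted
```

The check keys only on whether wsu:Created lies ahead of the STS clock (plus skew), which makes the poster's second question visible in code: with this logic, a future Created in the initial issue RST would also be a postdating request, so an STS would need to decide whether wst:AllowPostdating is a precondition for that case too.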