saml-dev message


Subject: RE: [saml-dev] 2.3.2.1.1 Validity of bounded assertions


> The model: The assertion is submitted to an interactive service and the
> assertion bounds are specified by NotBefore and NotOnOrAfter.  The
> assertion is processed within the range (NotBefore, NotOnOrAfter).
> 
> Question:  NotOnOrAfter is the upper bound of the validity of the
> assertion.  Is the upper bound similar to the max_life within DCE
> (Distributed Computing Environment), where the service is terminated upon
> max_life?  In the model, the interactive service would be terminated
> upon reaching NotOnOrAfter.

It's essentially dependent on what the use case is and how the use case
wants to interpret "use the assertion". A lot of discussion has taken place
about validity, and there are several new mechanisms that address validity
for a specific purpose separate from these attributes.

As an example, the new browser SSO profile can address short-liveness by
using SubjectConfirmationData/@NotOnOrAfter and can communicate the lifetime
of the user's session at the IdP using the
AuthnStatement/@SessionNotOnOrAfter attribute.

This leaves the condition attributes free to essentially "cap" the length of
time the assertion might be used in some other context after SSO, such as
forwarding to a web service. Or they might not be used at all.

But it's not precisely dictated by the core spec.

What is specified is that if the use case or profile says to evaluate the
assertion at a specific point, and the condition isn't valid, then you should
toss it. But it's not a MUST; it's up to the relying party.

-- Scott
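The three windows Scott distinguishes (Conditions/@NotBefore and @NotOnOrAfter as the overall cap, SubjectConfirmationData/@NotOnOrAfter for the bearer SSO exchange, AuthnStatement/@SessionNotOnOrAfter for the IdP session) evaluated separately by a relying party, as an added example that is not part of the thread or of any SAML implementation. The assertion, issuer, subject and time instants are constructed; a real relying party verifies the XML signature before evaluating any of this.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (hypothetical values); verify the signature before trusting it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T13:00:00Z"/>
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z"
      SessionNotOnOrAfter="2024-01-01T20:00:00Z"/>
</saml:Assertion>"""

def _ts(value):
    """Parse an xs:dateTime in the UTC 'Z' form SAML requires."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _within(now, not_before, not_on_or_after, skew):
    """NotBefore is inclusive, NotOnOrAfter exclusive; skew tolerates clock drift."""
    ok = True
    if not_before is not None:
        ok = ok and now + skew >= _ts(not_before)
    if not_on_or_after is not None:
        ok = ok and now - skew < _ts(not_on_or_after)
    return ok

def evaluate(xml_text, now_utc, skew_seconds=0):
    """Evaluate the three separate windows at `now_utc` (xs:dateTime string):
    'conditions' caps any use of the assertion, 'bearer' bounds the SSO
    exchange, 'session' is the IdP session lifetime. True means still valid."""
    now, skew = _ts(now_utc), timedelta(seconds=skew_seconds)
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    authn = root.find("saml:AuthnStatement", NS)
    return {
        "conditions": _within(now, cond.get("NotBefore"), cond.get("NotOnOrAfter"), skew),
        "bearer": scd is not None and _within(now, None, scd.get("NotOnOrAfter"), skew),
        "session": authn is not None and _within(now, None, authn.get("SessionNotOnOrAfter"), skew),
    }

if __name__ == "__main__":
    print(evaluate(SAMPLE_ASSERTION, "2024-01-01T12:10:00Z"))
```

At 12:10 the bearer window has already closed while the assertion's own conditions and the IdP session remain valid, which is exactly the split between SSO short-liveness and the assertion-wide cap described above.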
