Subject: RE: [saml-dev] 2.3.2.1.1 Validity of bounded assertions
> The model: The assertion is submitted to an interactive service and the
> assertion bounds are specified NotBefore and NotOnOrAfter. The
> assertion is processed within the range (NotBefore, NotOnOrAfter).
>
> Question: NotOnOrAfter is the upper bound of the validity of the
> assertion. Is the upper bound similar to the max_life within DCE
> (Distributed Computing Environment), where the service is terminated upon
> max_life? In the model, the interactive service would be terminated
> upon reaching NotOnOrAfter.

It's essentially dependent on what the use case is and how the use case wants to interpret "use the assertion". A lot of discussion has taken place about validity, and there are several new mechanisms that address validity for a specific purpose separate from these attributes.

As an example, the new browser SSO profile can address short-liveness by using SubjectConfirmationData/@NotOnOrAfter and can communicate the lifetime of the user's session at the IdP using the AuthnStatement/@SessionNotOnOrAfter attribute. This leaves the condition attributes free to essentially "cap" the length of time the assertion might be used in some other context after SSO, such as forwarding to a web service. Or they might not be used at all.

But it's not precisely dictated by the core spec. What is specified is that if the use case or profile says to evaluate the assertion at a specific point, if the condition isn't valid, then you should toss it. But not a MUST, it's up to the relying party.

-- Scott
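The three separate lifetimes Scott's reply distinguishes, checked on the relying-party side, as an added example that is not part of the thread. The assertion XML is constructed for illustration, and the clock-skew tolerance is an implementation assumption rather than anything the spec dictates.

```python
# Added example (not from the thread): a relying-party check of the three
# distinct SAML 2.0 lifetimes. The assertion XML below is constructed for
# illustration; timestamps are xs:dateTime values in UTC.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def _ts(value):
    """Parse a SAML xs:dateTime such as 2024-01-01T12:00:00Z into aware UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def evaluate_lifetimes(assertion_xml, now, skew=timedelta(seconds=60)):
    """Return which of the three lifetimes are satisfied at instant `now`.

    conditions_ok: Conditions/@NotBefore <= now < @NotOnOrAfter, the cap on any
        later use of the assertion (e.g. forwarding to a web service).
    sso_ok: SubjectConfirmationData/@NotOnOrAfter, the short window in which the
        bearer assertion may still be presented for SSO.
    session_ok: AuthnStatement/@SessionNotOnOrAfter, the IdP session lifetime.
    `skew` is a tolerated clock drift (an assumption of this example).
    """
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    not_before = _ts(cond.get("NotBefore"))
    not_on_or_after = _ts(cond.get("NotOnOrAfter"))
    conditions_ok = (not_before - skew) <= now < (not_on_or_after + skew)
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    sso_ok = now < _ts(scd.get("NotOnOrAfter")) + skew
    authn = root.find("saml:AuthnStatement", NS)
    session_ok = now < _ts(authn.get("SessionNotOnOrAfter")) + skew
    return {"conditions_ok": conditions_ok, "sso_ok": sso_ok, "session_ok": session_ok}

# Constructed sample: a 5-minute SSO window, a 1-hour condition cap, an 8-hour IdP session.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T13:00:00Z"/>
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z" SessionNotOnOrAfter="2024-01-01T20:00:00Z"/>
</saml:Assertion>"""

if __name__ == "__main__":
    # Half an hour after issuance: SSO window closed, condition cap and session still open.
    print(evaluate_lifetimes(SAMPLE_ASSERTION, _ts("2024-01-01T12:30:00Z")))
```

Which of the three results the relying party acts on depends on the profile in use, which is exactly the point of the reply above.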