mace-opensaml-users - Re: [OpenSAML] Difference NotOnOrAfter in <SubjectConfirmationData> and <Conditions>
Re: [OpenSAML] Difference NotOnOrAfter in <SubjectConfirmationData> and <Conditions>


  • From: "Cantor, Scott E." <>
  • To: "" <>
  • Subject: Re: [OpenSAML] Difference NotOnOrAfter in <SubjectConfirmationData> and <Conditions>
  • Date: Mon, 2 May 2011 19:20:22 +0000
  • Accept-language: en-US

>1. Do you recommend me verifying NotBefore timestamp in both
>SubjectConfirmation and Conditions? I should, correct? Even one is
>enclosed by the other (time range wise), but they have different
>meanings as you said.

You're obligated to. The validity of an assertion depends on both
generic/invariant processing rules and rules specific to profiles and the
context of use, such as when subject confirmation is involved because an
assertion is used for authentication.

>2. Where can I get technical description about 5 min and 1 hour? I just
>want to have a supportive document when later asked by others.

They're policy, nothing is going to absolutely dictate what the values
should be, particularly the assertion lifetime. But the profile neglects
to explicitly say the confirmation window should be short. That's either a
bug, or more likely a result of "everything is policy and risk management"
attitudes during drafting.

The Security Considerations document mentions it, but it's old text that
just mentions NotBefore and NotOnOrAfter and neglects to note which set
it's talking about. It's out of date.

I may propose an erratum, probably to the definition of the "bearer"
confirmation method to cast a wider net.

>Thanks again. When you have a chance to come to Boston, please let me
>know. I should take you out for lunch. :)

I haven't been in a while actually.

-- Scott
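The two time windows discussed above, checked together on a bearer assertion, as an added example (Python, not OpenSAML code and not from the original thread); the sample assertion, its 1-hour Conditions window, 5-minute confirmation window and the 3-minute clock-skew tolerance are constructed assumptions:

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
# Constructed sample: 1-hour Conditions window, 5-minute bearer confirmation window
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2011-05-02T19:15:00Z">
  <saml:Subject><saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2011-05-02T19:20:00Z"/>
    </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2011-05-02T19:15:00Z" NotOnOrAfter="2011-05-02T20:15:00Z"/>
</saml:Assertion>"""

def parse_ts(value):
    # SAML timestamps are xsd:dateTime in UTC (fractional seconds not handled here)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def window_errors(elem, label, now, skew):
    """NotBefore is inclusive, NotOnOrAfter is exclusive; skew is the clock tolerance."""
    errors = []
    nb, noa = elem.get("NotBefore"), elem.get("NotOnOrAfter")
    if nb is not None and now + skew < parse_ts(nb):
        errors.append(f"{label}: not yet valid (NotBefore={nb})")
    if noa is not None and now - skew >= parse_ts(noa):
        errors.append(f"{label}: expired (NotOnOrAfter={noa})")
    return errors

def check_assertion_windows(xml_text, now, skew=timedelta(minutes=3)):
    """Return time-window failures from BOTH sets; an empty list means both passed."""
    root = ET.fromstring(xml_text)
    conds = root.find("saml:Conditions", NS)  # generic rule for every assertion
    errors = ["Conditions: missing"] if conds is None else window_errors(conds, "Conditions", now, skew)
    # Bearer profile rule: at least one bearer SubjectConfirmation must be confirmable
    bearer_errors, confirmed = [], False
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None or data.get("NotOnOrAfter") is None:
            bearer_errors.append("SubjectConfirmationData: NotOnOrAfter required for bearer")
            continue
        errs = window_errors(data, "SubjectConfirmationData", now, skew)
        confirmed = confirmed or not errs
        bearer_errors += errs
    if not confirmed:
        errors += bearer_errors or ["Subject: no bearer SubjectConfirmation"]
    return errors
```

With the sample values, an assertion checked a few minutes after the confirmation window closes is rejected even though its Conditions window still has most of an hour left.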