shibboleth-dev - Re: NameIdentifier TTL

  • From: Tom Scavo <>
  • Subject: Re: NameIdentifier TTL
  • Date: Sun, 11 Dec 2005 10:52:49 -0500

On 12/10/05, Scott Cantor <> wrote:
>
> If you overload the TTL of the cert with the TTL of the identifier in order
> to combine the two concepts, then I suppose the simplest way to implement
> that is to set the assertion's expiration to be the same and then copy that
> over to the certificate.

Are you suggesting using the Conditions element for this purpose? I
thought about that, but this is not done today and would introduce new
semantics into the assertion. Today, as far as I can tell, the life
of the assertion (given by the Conditions) and the life of the
NameIdentifier are totally separate. Specifically, the life of an
authentication assertion is fixed while the life of an attribute
assertion is dictated by the longest-lived attribute.

On second thought, using Conditions to convey the NameIdentifier TTL
contradicts the short lifetime (5 min) principle associated with
bearer assertions. Is there any alternative?

Thanks,
Tom
