Subject:Re: [security-services] Multi-participant transactional workflows
From:Ron Monzillo (rona@sun.com)
Date:Aug 11, 2003 8:00:14 am
List:org.oasis-open.lists.security-services

If this is correct

1. browser sends artifact
2. rp acquires assertion with subjectconf=artifact
3. rp confirms assertion using artifact

It would seem that the use of subject conf.=artifact effectively precludes reuse (assuming rp's are not to accept such assertions).

Is there a case where the risk inherent in reuse is acceptable to the downstream relying parties, such that it should be possible to acquire by artifact, sender vouches assertions?

Ron

Irving Reid wrote:

From: Scott Cantor [mailto:cant@osu.edu]

I thought the browser profile relied on the SenderVouches confirmation method, and that such assertions are "bearer tokens"; which means they may be used downstream of the web server/servlet container. I thought it was only the artifact that was single use.

This is of course the main problem. In both profiles, the assertions are specified as short lived. Now, we've debated in the past what that means, but what it means to me is "not suitable for any non-immediate use other than SSO". If it means something else, I think short-lived is a bad description.

In the browser artifact profile, the assertions are required to use the "artifact" confirmation method rather than "SenderVouches". This makes them useless outside the profile, no matter what their lifetime is.

- irving -
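
The acceptance policy discussed in this thread, as an added Python example that is not code from any participant or from the SAML specifications: a relying party accepts an artifact-confirmed assertion only when it pulled that assertion itself, and accepts a forwarded assertion only when it is sender-vouches from a sender it trusts. The confirmation method URIs are the SAML 1.x ones; the class, helper names, host names and sample assertions are hypothetical, and signature and validity-period checks are assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:1.0:assertion"
# SAML 1.x confirmation method URIs (artifact-01 is the older SAML 1.0 form).
CM_ARTIFACT = {"urn:oasis:names:tc:SAML:1.0:cm:artifact",
               "urn:oasis:names:tc:SAML:1.0:cm:artifact-01"}
CM_SENDER_VOUCHES = "urn:oasis:names:tc:SAML:1.0:cm:sender-vouches"

def sample_assertion(assertion_id, method):
    """Constructed, unsigned sample; real assertions carry more fields."""
    return (f'<Assertion xmlns="{NS}" AssertionID="{assertion_id}">'
            '<AuthenticationStatement><Subject><SubjectConfirmation>'
            f'<ConfirmationMethod>{method}</ConfirmationMethod>'
            '</SubjectConfirmation></Subject></AuthenticationStatement>'
            '</Assertion>')

def parse(xml_text):
    """Return (AssertionID, set of ConfirmationMethod URIs)."""
    root = ET.fromstring(xml_text)
    methods = {el.text.strip()
               for el in root.iter(f"{{{NS}}}ConfirmationMethod") if el.text}
    return root.get("AssertionID"), methods

class RelyingParty:
    def __init__(self, trusted_senders):
        self.trusted_senders = set(trusted_senders)
        self.resolved = set()  # AssertionIDs this RP obtained by artifact

    def on_artifact_response(self, xml_text):
        """Steps 2-3: assertion returned for an artifact this RP presented."""
        assertion_id, methods = parse(xml_text)
        if not (methods & CM_ARTIFACT) or assertion_id in self.resolved:
            return False  # wrong confirmation method, or already consumed
        self.resolved.add(assertion_id)
        return True

    def on_forwarded(self, xml_text, sender):
        """Assertion handed on by another party, outside the artifact exchange."""
        _, methods = parse(xml_text)
        if methods & CM_ARTIFACT:
            return False  # artifact-confirmed: not reusable downstream
        return CM_SENDER_VOUCHES in methods and sender in self.trusted_senders
```
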
