8 messages in org.oasis-open.lists.security-servicesRE: [security-services] Multi-partici...| From | Sent On | Attachments |
|---|---|---|
| Eve L. Maler | Jul 23, 2003 2:03 pm | |
| Scott Cantor | Jul 23, 2003 9:05 pm | |
| Irving Reid | Jul 23, 2003 9:26 pm | |
| Scott Cantor | Jul 23, 2003 9:39 pm | |
| Eve L. Maler | Jul 24, 2003 7:04 am | |
| Polar Humenn | Jul 28, 2003 9:35 am | |
| Ron Monzillo | Aug 11, 2003 7:04 am | |
| Ron Monzillo | Aug 11, 2003 8:00 am |
| Subject: | RE: [security-services] Multi-participant transactional workflows | |
|---|---|---|
| From: | Irving Reid (Irvi...@baltimore.com) | |
| Date: | Jul 23, 2003 9:26:45 pm | |
| List: | org.oasis-open.lists.security-services | |
Title: RE: [security-services] Multi-participant transactional workflows
From: Scott Cantor [mailto:cant...@osu.edu]
I thought the browser profile relied on the SenderVouches confirmation method, and that such assertions are "bearer tokens"; which means they may be used downstream of the web server/servlet container. I thought it was only the artifact that was single use.
This is of course the main problem. In both profiles, the assertions are specified as short lived. Now, we've debated in the past what that means, but what it means to me is "not suitable for any non-immediate use other than SSO". If it means something else, I think short-lived is a bad description.
In the browser artifact profile, the assertions are required to use the "artifact" confirmation method rather than "SenderVouches". This makes them useless outside the profile, no matter what their lifetime is.
- irving -
----------------------------------------------------------------------------------------------------------------- The information contained in this message is confidential and is intended for the addressee(s) only. If you have received this message in error or there are any problems please notify the originator immediately. The unauthorised use, disclosure, copying or alteration of this message is strictly forbidden. Baltimore Technologies plc will not be liable for direct, special, indirect or consequential damages arising from alteration of the contents of this message by a third party or as a result of any virus being passed on.
This footnote confirms that this email message has been swept for Content Security threats, including computer viruses.
This footnote confirms that this email message has been swept by Baltimore MIMEsweeper for Content Security threats, including computer viruses.