  1. OASIS Security Services (SAML) TC
  2. SECURITY-15

PE: Add guidance for implementers on clock skew

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Applied
    • Affects Version/s: 2.0
    • Component/s: Core
    • Labels:
      None
    • Proposal:

      Add text to Core, after line 314:
      "SAML system entities SHOULD allow for reasonable clock skew between systems when interpreting time instants and enforcing security policies based on them. Tolerances of 3-5 minutes are reasonable defaults, but allowing for configurability is a suggested practice in implementations."

      Add text to Core, after line 759:
      "As noted in section 1.3.3, relying parties SHOULD allow for reasonable clock skew in the interpretation of both values."

      Add text to Core, after line 887:
      "As noted in section 1.3.3, relying parties SHOULD allow for reasonable clock skew in the interpretation of both values."

      Add text to Core, at line 2538:
      "As noted in that same section, relying parties SHOULD allow for reasonable clock skew in the interpretation of this value."

    • Resolution:
      Accepted as proposed on TC call Nov 29th. http://lists.oasis-open.org/archives/security-services/201111/msg00044.html

      Description

      Some implementers are not clear on how to deal with clock skew issues when interpreting security-sensitive time values such as NotBefore or NotOnOrAfter attributes. We've been asked to include suggestions and guidance on this.
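
An added example (not part of this issue or of the SAML specification) of the proposed guidance: a relying-party check of NotBefore and NotOnOrAfter with a configurable skew tolerance. The function names, the 180-second default and the 300-second cap are assumptions taken from the 3-5 minute range in the proposal; the timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

DEFAULT_SKEW_SECONDS = 180  # assumption: low end of the proposal's 3-5 minute range
MAX_SKEW_SECONDS = 300      # assumption: local policy cap; larger values widen the replay window


def parse_instant(value: str) -> datetime:
    """Parse a SAML time instant (xs:dateTime, expressed in UTC with a trailing 'Z')."""
    if not value.endswith("Z"):
        raise ValueError(f"SAML time instants must be UTC ('Z'): {value!r}")
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_conditions(not_before: Optional[str], not_on_or_after: Optional[str],
                     now: datetime,
                     skew_seconds: int = DEFAULT_SKEW_SECONDS) -> str:
    """Return 'valid', 'not-yet-valid' or 'expired' for the given local time.

    Without skew the window is NotBefore <= now < NotOnOrAfter. The tolerance
    widens it on both sides: the sender's clock may run ahead of ours
    (NotBefore appears to be in the future) or behind ours (NotOnOrAfter
    appears to have passed already).
    """
    if not 0 <= skew_seconds <= MAX_SKEW_SECONDS:
        raise ValueError("skew tolerance outside configured bounds")
    skew = timedelta(seconds=skew_seconds)
    if not_before is not None and now + skew < parse_instant(not_before):
        return "not-yet-valid"
    if not_on_or_after is not None and now - skew >= parse_instant(not_on_or_after):
        return "expired"
    return "valid"


if __name__ == "__main__":
    # Constructed sample: a five-minute validity window.
    nb, noa = "2011-11-29T17:00:00Z", "2011-11-29T17:05:00Z"
    for local in ("2011-11-29T16:58:00Z", "2011-11-29T17:07:59Z", "2011-11-29T17:08:00Z"):
        now = parse_instant(local)
        print(local, "strict:", check_conditions(nb, noa, now, 0),
              "| 180 s skew:", check_conditions(nb, noa, now))
```
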

            People

            • Assignee:
              cantor.2 Scott Cantor (Inactive)
              Reporter:
              cantor.2 Scott Cantor (Inactive)
