SP clock skew for Weblogic

Russell J Yount rjy at cmu.edu
Wed Nov 9 16:43:51 GMT 2011

Actually in RFC4120 (Kerberos V5) there is a good deal of discussion of clock skew issues and recommended values for acceptable clock skew...

8.2.  Recommended KDC Values

   Following is a list of recommended values for a KDC configuration.

      Minimum lifetime              5 minutes
      Maximum renewable lifetime    1 week
      Maximum ticket lifetime       1 day
      Acceptable clock skew         5 minutes
      Empty addresses               Allowed
      Proxiable, etc.               Allowed


-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Wednesday, November 09, 2011 11:34 AM
To: users at shibboleth.net
Subject: Re: SP clock skew for Weblogic

On 11/9/11 11:01 AM, "Joseph Valerio" <joseph.valerio at yale.edu> wrote:
>    I know that shib's SP allows
>    for such a skew and I completely agree that this setting belongs in
>    the SP, but is there anything in the SAML 2.0 specification that
>    hints to such a practice.

No, this is in the domain of "how do you implement a protocol that requires clock synchronization?". I wouldn't expect the Kerberos RFC to say anything about it either.

That said, there's never going to be an implementation guidelines document for SAML, so failing that, my suggestion would be that you send a comment to the security-services-comment list suggesting an errata to the spec about it. We add SHOULDs for implementers when it makes sense.

-- Scott
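As an added example (not code from this thread or from the Shibboleth SP), here is a Python check of a SAML assertion's NotBefore/NotOnOrAfter conditions that tolerates the 5-minute skew Russell quotes from RFC 4120; the "current time" and condition timestamps are constructed for the demo, and the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Acceptable clock skew, taken from the RFC 4120 recommended KDC value quoted above.
DEFAULT_SKEW = timedelta(minutes=5)


def parse_saml_instant(value: str) -> datetime:
    """Parse a SAML xs:dateTime in UTC (trailing 'Z'), e.g. 2011-11-09T16:43:51Z.
    Fractional seconds such as ...:51.500Z are accepted."""
    if not value.endswith("Z"):
        raise ValueError("SAML timestamps must be UTC with a trailing 'Z'")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def conditions_valid(not_before, not_on_or_after, now, skew=DEFAULT_SKEW):
    """Return (ok, reason) for a SAML <Conditions> element evaluated at `now`.

    Skew is applied in the issuer's favour on both edges: NotBefore may lie up
    to `skew` in the SP's future, NotOnOrAfter up to `skew` in the SP's past.
    NotOnOrAfter is exclusive, so reaching it exactly (after skew) is expired."""
    if not_before is not None:
        if now + skew < parse_saml_instant(not_before):
            return False, "not yet valid: NotBefore is beyond the skew window"
    if not_on_or_after is not None:
        if now - skew >= parse_saml_instant(not_on_or_after):
            return False, "expired: NotOnOrAfter passed beyond the skew window"
    return True, "ok"


# Constructed SP clock for the demo (matches the date of this thread).
NOW = parse_saml_instant("2011-11-09T16:43:51Z")

if __name__ == "__main__":
    # IdP clock 3 minutes ahead: accepted because it is inside the 5-minute skew.
    print(conditions_valid("2011-11-09T16:47:00Z", None, NOW))
    # IdP clock 6 minutes ahead: rejected, skew window exceeded.
    print(conditions_valid("2011-11-09T16:50:00Z", None, NOW))
    # Assertion expired 3m51s ago by the SP clock: still accepted under skew.
    print(conditions_valid(None, "2011-11-09T16:40:00Z", NOW))
    # Expired exactly 5 minutes ago: rejected, NotOnOrAfter is exclusive.
    print(conditions_valid(None, "2011-11-09T16:38:51Z", NOW))
```

Run on a real deployment the same logic should also log the observed offset, since a steady stream of near-boundary rejections usually means an unsynchronised clock rather than a hostile assertion.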
