[Design] [Cosmo] [Proposal] Anonymous login with Ticket + Password
Brian Moseley
bcm at osafoundation.org
Mon Aug 21 15:03:54 PDT 2006
On 8/21/06, Ed Bindl <ebindl1 at osafoundation.org> wrote:
> 1.2 Ticket ID Scheme
>
> The only condition imposed on ticket IDs is that the ticket ID MUST
> be unique on a resource at any given time. However, since the ticket
> ID is used as proof that a principal is in possession of the ticket,
> a server SHOULD select a ticket ID scheme such that it would be
> sufficiently difficult for an adversary in a way to guess or predict
> a ticket ID.
that doesn't preclude my suggestion.
> Another point that we are not considering is that Tickets can be
> limited on how long they are valid and how many uses they allow.
> This may allow for people that are concerned with others passing
> along their URL with the ticket enclosed to put a shorter timeout on
> the ticket, or possibly only issue 1 time use tickets (Limited use
> tickets are currently not supported by cosmo).
yea, but those features don't support long term sharing very well.
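
The ticket properties discussed in this thread (an ID that is unique per resource and hard to guess, an optional timeout, an optional use limit), as an added Python sketch that is not part of the original message and not Cosmo's code. `TicketStore`, `issue`, `redeem` and the resource paths are hypothetical names; the last case in the usage note is the long-term-sharing ticket, which has no timeout or use limit and so is protected only by the unguessability of its ID.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Ticket:
    ticket_id: str
    expires_at: float   # absolute time; float("inf") means no timeout
    visits_left: float  # float("inf") means unlimited use


class TicketStore:
    """Hypothetical in-memory store: resource path -> tickets on that resource."""

    def __init__(self, clock=time.time):
        self._by_resource = {}
        self._clock = clock

    def issue(self, resource, timeout=None, visits=None):
        tickets = self._by_resource.setdefault(resource, {})
        while True:
            # 128 bits from the OS CSPRNG: hard to guess or predict.
            ticket_id = secrets.token_urlsafe(16)
            if ticket_id not in tickets:  # MUST be unique on the resource
                break
        tickets[ticket_id] = Ticket(
            ticket_id,
            self._clock() + timeout if timeout is not None else float("inf"),
            visits if visits is not None else float("inf"),
        )
        return ticket_id

    def redeem(self, resource, presented_id):
        """Return True and consume one visit if the ticket is valid here."""
        tickets = self._by_resource.get(resource, {})
        match = None
        for t in tickets.values():
            # Constant-time comparison so timing does not leak ID prefixes.
            if hmac.compare_digest(t.ticket_id.encode(), presented_id.encode()):
                match = t
        if match is None:
            return False
        if self._clock() >= match.expires_at or match.visits_left <= 0:
            del tickets[match.ticket_id]  # expired or used up: drop it
            return False
        match.visits_left -= 1
        return True
```

Calling `issue(resource)` with neither `timeout` nor `visits` gives the ticket suited to long-term sharing; `issue(resource, visits=1)` gives a one-time ticket.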