Passtoken Design Considerations

When designing passtokens, you need to take into account both functional and design considerations.

Functional Requirements

  • Allow a verified user in one security domain to perform an automatic signon in another domain. That signon can fail if the target domain refuses to verify the user.
  • Avoid creating a security hole that would allow users to bypass the normal signon mechanism.

Design Considerations

  • The passtoken contents and passtoken processing (generation and verification) are left to the ESM Module (and its associated ESM) that generates and consumes a given passtoken.
  • Passtoken operations fail gracefully if they are disabled, or if an ESM Module used by one of the security domains does not support passtokens.
  • Passtokens should be hard to forge or replay.
  • It should be difficult or impossible to derive sensitive information (such as passwords) from passtokens. This requirement can be relaxed where passtokens are exposed mostly only on the wire, because in that case users are likely either to be using SSL or to be exposing passwords on the wire, which is the greater security risk.
  • A given passtoken is specific to a user and signon group.
  • Passtokens should be single-use or short-lived. The mechanism for achieving that is left to the ESM Module.
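One way an ESM Module could satisfy the considerations above, shown as an added illustration rather than the product's own passtoken format: the token is a keyed MAC over the user, signon group, a random nonce and an expiry time, so it embeds no password, cannot be forged without the key, is bound to one user and signon group, expires quickly, and is accepted only once. The key, TTL and field names are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import os

# Hypothetical shared key for one ESM Module (constructed; a real ESM Module
# would manage its own key material and token format).
KEY = b"constructed-esm-passtoken-key"
TTL_SECONDS = 30           # short-lived: rejected after this many seconds
PASSTOKENS_ENABLED = True  # disabled passtokens fail gracefully, not crash
_used_nonces: set[str] = set()  # single-use: nonces the verifier has accepted


def _tag(body: bytes) -> bytes:
    # Keyed MAC: without KEY a token cannot be forged, and it embeds no password.
    return hmac.new(KEY, body, hashlib.sha256).digest()


def generate_passtoken(user: str, signon_group: str, now: int) -> str:
    """Issue a token bound to one user and one signon group."""
    claims = {"u": user, "g": signon_group, "n": os.urandom(16).hex(),
              "e": now + TTL_SECONDS}
    body = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body + _tag(body)).decode()


def verify_passtoken(token: str, user: str, signon_group: str, now: int) -> tuple[bool, str]:
    """Return (accepted, reason); each rejection maps to one design consideration."""
    if not PASSTOKENS_ENABLED:
        return False, "passtokens disabled"
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return False, "malformed"
    body, tag = raw[:-32], raw[-32:]      # SHA-256 tag is always 32 bytes
    if not hmac.compare_digest(tag, _tag(body)):
        return False, "bad tag"           # forged or tampered; parse nothing
    claims = json.loads(body)             # authenticated, so safe to parse
    if claims["u"] != user or claims["g"] != signon_group:
        return False, "wrong user or signon group"
    if now > claims["e"]:
        return False, "expired"
    if claims["n"] in _used_nonces:
        return False, "replayed"
    _used_nonces.add(claims["n"])
    return True, "ok"
```

The nonce set would need to be shared or pruned in a real deployment; keeping it in process memory is only enough for a single verifier.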