On Jan 29, 2014, at 7:32 PM, Richard Newman <[email protected]> wrote:
>> I've had clock skew problems before but that was when I tested with the >> MockMyID code. In that case I simply set the assertion creation date a few >> minutes in the past to get around that. > > I've had to dramatically extend my mocked assertion durations to get auth to > work -- starting them 350 seconds in the past, and extending them 1750 > seconds past the usual validity period. Without that hack I get > invalid-timestamp for every token request. That is crazy. I assume that for server-server stuff we can simply properly sync them to NTP. But the more important question is, could clients with bad clocks (which is very common i think) get in trouble here? Is there anything in the APIs or objects that are send around that could go bad with a bad local time? S. _______________________________________________ Sync-dev mailing list [email protected] https://mail.mozilla.org/listinfo/sync-dev
