[kitten] GSS-API and timeouts
Simon Josefsson <simon@josefsson.org> Wed, 04 April 2012 14:43 UTC
Return-Path: <simon@josefsson.org>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CABD321F87CD for <kitten@ietfa.amsl.com>; Wed, 4 Apr 2012 07:43:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.785
X-Spam-Level:
X-Spam-Status: No, score=-99.785 tagged_above=-999 required=5 tests=[AWL=0.124, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, HELO_MISMATCH_COM=0.553, HOST_EQ_STATICB=1.372, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LzmCzVmRgOSW for <kitten@ietfa.amsl.com>; Wed, 4 Apr 2012 07:43:48 -0700 (PDT)
Received: from yxa-v.extundo.com (static-213-115-179-173.sme.bredbandsbolaget.se [213.115.179.173]) by ietfa.amsl.com (Postfix) with ESMTP id A263321F8762 for <kitten@ietf.org>; Wed, 4 Apr 2012 07:43:47 -0700 (PDT)
Received: from latte.josefsson.org (static-213-115-179-130.sme.bredbandsbolaget.se [213.115.179.130]) (authenticated bits=0) by yxa-v.extundo.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id q34EhdtF028127 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT) for <kitten@ietf.org>; Wed, 4 Apr 2012 16:43:41 +0200
X-Hashcash: 1:22:120404:kitten@ietf.org::ZgEAJKNThgriaMZz:S0fh
From: Simon Josefsson <simon@josefsson.org>
To: kitten@ietf.org
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
Date: Wed, 04 Apr 2012 16:43:39 +0200
Message-ID: <87obr7lfqc.fsf@latte.josefsson.org>
User-Agent: Gnus/5.130004 (Ma Gnus v0.4) Emacs/24.0.94 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Virus-Scanned: clamav-milter 0.97.3 at yxa-v
X-Virus-Status: Clean
Subject: [kitten] GSS-API and timeouts
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Apr 2012 14:43:48 -0000
When implementing the GSS-API part of OPENID20/SAML20 I noticed that the processes can hang waiting for a long time. Server may want to wait one minute or more to allow a user to finish the IdP authentication. I think Nico discussed asynchronous GSS-API before. However it is a significant amount of work to specify and implement. I think it is simpler for applications to create a separate process or thread for the GSS-API part, and to enforce its own timeouts. Sometimes there are other reasons for having separate processes/threads anyway. Still, even an asynchronous interface may want to use some timeouts where authentication is no longer expected to ever finish. So it is not clear that an asynchronous interface is the solution to this problem. Does anyone have any thoughts on what a reasonable timeout should be? Or should GSS-API initiators and acceptors never timeout, but just hang indefinitely in case the authentication eventually completes? Of course, we could have a new GSS-API interface to enforce a timeout. For example: OM_uint32 gss_sec_context_timeout (OM_uint32 *minor_status, OM_uint32 timeout); or something more general, in case there are similar concerns for other functions: OM_uint32 gss_set_timeouts (OM_uint32 *minor_status, OM_uint32 sec_context_timeout, OM_uint32 micwrap_timeout); FWIW, in my implementation I'll probably use a 5 minute timeout or something like that. /Simon
- Re: [kitten] GSS-API and timeouts Martin Rex
- [kitten] GSS-API and timeouts Simon Josefsson
- Re: [kitten] GSS-API and timeouts William Mills
- Re: [kitten] GSS-API and timeouts Simo Sorce
- Re: [kitten] GSS-API and timeouts Nico Williams
- Re: [kitten] GSS-API and timeouts Simon Josefsson
- Re: [kitten] GSS-API and timeouts Simon Josefsson
- Re: [kitten] GSS-API and timeouts Simon Josefsson
- Re: [kitten] GSS-API and timeouts Martin Rex
- Re: [kitten] GSS-API and timeouts Nico Williams
- Re: [kitten] GSS-API and timeouts Nico Williams
- Re: [kitten] GSS-API and timeouts William Mills
- Re: [kitten] GSS-API and timeouts Simon Josefsson
- Re: [kitten] GSS-API and timeouts Simon Josefsson
- Re: [kitten] GSS-API and timeouts Russ Allbery
- Re: [kitten] GSS-API and timeouts Nico Williams
- Re: [kitten] GSS-API and timeouts Luke Howard
- Re: [kitten] GSS-API and timeouts Russ Allbery