IETF Logo Mail Archive

[kitten] GSS-API and timeouts

Simon Josefsson <simon@josefsson.org> Wed, 04 April 2012 14:43 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CABD321F87CD for <kitten@ietfa.amsl.com>; Wed, 4 Apr 2012 07:43:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.785
X-Spam-Level:
X-Spam-Status: No, score=-99.785 tagged_above=-999 required=5 tests=[AWL=0.124, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, HELO_MISMATCH_COM=0.553, HOST_EQ_STATICB=1.372, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LzmCzVmRgOSW for <kitten@ietfa.amsl.com>; Wed, 4 Apr 2012 07:43:48 -0700 (PDT)
Received: from yxa-v.extundo.com (static-213-115-179-173.sme.bredbandsbolaget.se [213.115.179.173]) by ietfa.amsl.com (Postfix) with ESMTP id A263321F8762 for <kitten@ietf.org>; Wed, 4 Apr 2012 07:43:47 -0700 (PDT)
Received: from latte.josefsson.org (static-213-115-179-130.sme.bredbandsbolaget.se [213.115.179.130]) (authenticated bits=0) by yxa-v.extundo.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id q34EhdtF028127 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT) for <kitten@ietf.org>; Wed, 4 Apr 2012 16:43:41 +0200
X-Hashcash: 1:22:120404:kitten@ietf.org::ZgEAJKNThgriaMZz:S0fh
From: Simon Josefsson <simon@josefsson.org>
To: kitten@ietf.org
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
Date: Wed, 04 Apr 2012 16:43:39 +0200
Message-ID: <87obr7lfqc.fsf@latte.josefsson.org>
User-Agent: Gnus/5.130004 (Ma Gnus v0.4) Emacs/24.0.94 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Virus-Scanned: clamav-milter 0.97.3 at yxa-v
X-Virus-Status: Clean
Subject: [kitten] GSS-API and timeouts
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Apr 2012 14:43:48 -0000

When implementing the GSS-API part of OPENID20/SAML20 I noticed that the
processes can hang waiting for a long time.  Server may want to wait one
minute or more to allow a user to finish the IdP authentication.

I think Nico discussed asynchronous GSS-API before.  However it is a
significant amount of work to specify and implement.  I think it is
simpler for applications to create a separate process or thread for the
GSS-API part, and to enforce its own timeouts.  Sometimes there are
other reasons for having separate processes/threads anyway.

Still, even an asynchronous interface may want to use some timeouts
where authentication is no longer expected to ever finish.  So it is not
clear that an asynchronous interface is the solution to this problem.

Does anyone have any thoughts on what a reasonable timeout should be?

Or should GSS-API initiators and acceptors never timeout, but just hang
indefinitely in case the authentication eventually completes?

Of course, we could have a new GSS-API interface to enforce a timeout.
For example:

     OM_uint32
     gss_sec_context_timeout (OM_uint32 *minor_status,
                              OM_uint32 timeout);

or something more general, in case there are similar concerns for other
functions:


     OM_uint32
     gss_set_timeouts (OM_uint32 *minor_status,
                       OM_uint32 sec_context_timeout,
                       OM_uint32 micwrap_timeout);

FWIW, in my implementation I'll probably use a 5 minute timeout or
something like that.

/Simon

v2.23.0 | Report a Bug | By Email