Re: [kitten] GSS-API and timeouts
Simo Sorce <simo@redhat.com> Wed, 04 April 2012 15:49 UTC
Return-Path: <simo@redhat.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71A3721F8779 for <kitten@ietfa.amsl.com>; Wed, 4 Apr 2012 08:49:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oUDpktFret7e for <kitten@ietfa.amsl.com>; Wed, 4 Apr 2012 08:49:01 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by ietfa.amsl.com (Postfix) with ESMTP id EDB9F21F8772 for <kitten@ietf.org>; Wed, 4 Apr 2012 08:49:00 -0700 (PDT)
Received: from int-mx12.intmail.prod.int.phx2.redhat.com (int-mx12.intmail.prod.int.phx2.redhat.com [10.5.11.25]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q34Fn0CA011045 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 4 Apr 2012 11:49:00 -0400
Received: from [10.3.113.104] (ovpn-113-104.phx2.redhat.com [10.3.113.104]) by int-mx12.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id q34Fmw3C028574; Wed, 4 Apr 2012 11:48:59 -0400
From: Simo Sorce <simo@redhat.com>
To: Simon Josefsson <simon@josefsson.org>
In-Reply-To: <87obr7lfqc.fsf@latte.josefsson.org>
References: <87obr7lfqc.fsf@latte.josefsson.org>
Content-Type: text/plain; charset="UTF-8"
Organization: Red Hat, Inc.
Date: Wed, 04 Apr 2012 11:48:58 -0400
Message-ID: <1333554538.22628.292.camel@willson.li.ssimo.org>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.25
Cc: kitten@ietf.org
Subject: Re: [kitten] GSS-API and timeouts
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Apr 2012 15:49:01 -0000
On Wed, 2012-04-04 at 16:43 +0200, Simon Josefsson wrote: > When implementing the GSS-API part of OPENID20/SAML20 I noticed that the > processes can hang waiting for a long time. Server may want to wait one > minute or more to allow a user to finish the IdP authentication. > > I think Nico discussed asynchronous GSS-API before. However it is a > significant amount of work to specify and implement. I think it is > simpler for applications to create a separate process or thread for the > GSS-API part, and to enforce its own timeouts. Sometimes there are > other reasons for having separate processes/threads anyway. > > Still, even an asynchronous interface may want to use some timeouts > where authentication is no longer expected to ever finish. So it is not > clear that an asynchronous interface is the solution to this problem. > > Does anyone have any thoughts on what a reasonable timeout should be? > > Or should GSS-API initiators and acceptors never timeout, but just hang > indefinitely in case the authentication eventually completes? > > Of course, we could have a new GSS-API interface to enforce a timeout. > For example: > > OM_uint32 > gss_sec_context_timeout (OM_uint32 *minor_status, > OM_uint32 timeout); > > or something more general, in case there are similar concerns for other > functions: > > > OM_uint32 > gss_set_timeouts (OM_uint32 *minor_status, > OM_uint32 sec_context_timeout, > OM_uint32 micwrap_timeout); > > FWIW, in my implementation I'll probably use a 5 minute timeout or > something like that. The problem I see with this kind of calls is that they affect the whole process. What if you have 2 libraries with conflicting needs and both use gssapi ? Simo. -- Simo Sorce * Red Hat, Inc * New York
- Re: [kitten] GSS-API and timeouts Martin Rex
- [kitten] GSS-API and timeouts Simon Josefsson
- Re: [kitten] GSS-API and timeouts William Mills
- Re: [kitten] GSS-API and timeouts Simo Sorce
- Re: [kitten] GSS-API and timeouts Nico Williams
- Re: [kitten] GSS-API and timeouts Simon Josefsson
- Re: [kitten] GSS-API and timeouts Simon Josefsson
- Re: [kitten] GSS-API and timeouts Simon Josefsson
- Re: [kitten] GSS-API and timeouts Martin Rex
- Re: [kitten] GSS-API and timeouts Nico Williams
- Re: [kitten] GSS-API and timeouts Nico Williams
- Re: [kitten] GSS-API and timeouts William Mills
- Re: [kitten] GSS-API and timeouts Simon Josefsson
- Re: [kitten] GSS-API and timeouts Simon Josefsson
- Re: [kitten] GSS-API and timeouts Russ Allbery
- Re: [kitten] GSS-API and timeouts Nico Williams
- Re: [kitten] GSS-API and timeouts Luke Howard
- Re: [kitten] GSS-API and timeouts Russ Allbery