IETF Logo Mail Archive

Re: [kitten] GSS-API and timeouts

William Mills <wmills@yahoo-inc.com> Wed, 04 April 2012 17:35 UTC

Return-Path: <wmills@yahoo-inc.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB7D421F86DA for <kitten@ietfa.amsl.com>; Wed, 4 Apr 2012 10:35:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -16.484
X-Spam-Level:
X-Spam-Status: No, score=-16.484 tagged_above=-999 required=5 tests=[AWL=1.115, BAYES_00=-2.599, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mwcDUAowin-0 for <kitten@ietfa.amsl.com>; Wed, 4 Apr 2012 10:35:46 -0700 (PDT)
Received: from nm10.bullet.mail.ne1.yahoo.com (nm10.bullet.mail.ne1.yahoo.com [98.138.90.73]) by ietfa.amsl.com (Postfix) with SMTP id 9898721F8559 for <kitten@ietf.org>; Wed, 4 Apr 2012 10:35:46 -0700 (PDT)
Received: from [98.138.90.48] by nm10.bullet.mail.ne1.yahoo.com with NNFMP; 04 Apr 2012 17:35:43 -0000
Received: from [98.138.87.12] by tm1.bullet.mail.ne1.yahoo.com with NNFMP; 04 Apr 2012 17:35:43 -0000
Received: from [127.0.0.1] by omp1012.mail.ne1.yahoo.com with NNFMP; 04 Apr 2012 17:35:43 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 497410.11997.bm@omp1012.mail.ne1.yahoo.com
Received: (qmail 40241 invoked by uid 60001); 4 Apr 2012 17:35:42 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1333560942; bh=Yarcl6uYI33/R2tCfs1TJwGJxrIePX4C+5uCH3vhQ5s=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=Ah6aG6jaSqaXWh7QJxHuNwv85rNg9mRHfKEXaT0HZWIILfsXUhAzxZGp6w0rLU9bsBcvSvZFe3qll9TS8rpmHra0fruHe6LWfbstjMZRZARZKAonkjkkmGa0CMIYBEhTze2tdWADQFUlS8iXJdvn8Dh6Hm7Djoy5fKKngtPQKDE=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=lhSjSK2vYst/FBZZm2s5lSuegRD2D5Wyuoz2OTPfpHkNodiasCHcl+jD7qWHmou/2IJowcaDorkQ6Lod+gr1Cd7toxx8CVsFHrPpV28EICuAbOdE8bp7j9Yyw6DoCMQ1+2+lTFVujY8TI1Gg0Ljv6Zm49sQd1xWll/GOwe/EuNw=;
X-YMail-OSG: 5vTSAqQVM1mRN1rz6UufH2J9cQIa_Yka9TH5rjFzFUii1tG zs_4fz3hncYn6qEqbmngHNZPR996mimRHu90ZQUvRhZ4gGOZej_OpECt7haS GaFrKoIoI86JfJO5St7bldS2tQcvw0FdRU2X.tJPOZ4KIOVF2cHMTF4VfmH3 qI.02YoAA60RW2JkqRvrgYoNfUjp8CZ1Y2xSozz7ii.GqRlRPpKF298kFPVX 1x6gbS_VOhqLJg5qE4YEJR6OFcHo9v1TYubqMuWGuQBUsprY12r4G8f_g_d1 7qbASdvQa_UzYXMczkrxpY9nUkdRtwSX7duM0nTNtipmw9CXsLgtSl869pRt xG6Dphlxlw_B_SxMUxRbxem5kt4vkXWi58vtaFrzEcc2elNc1MwyPs_Q3FrW 4cthk_YwLinH5aneL4Yu_6IW8J8_Y6A9cQROvHCbrLyBYqA4uSFA-
Received: from [209.131.62.115] by web31804.mail.mud.yahoo.com via HTTP; Wed, 04 Apr 2012 10:35:42 PDT
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.117.340979
References: <87obr7lfqc.fsf@latte.josefsson.org> <1333554083.71760.YahooMailNeo__8959.87156914107$1333554099$gmane$org@web31804.mail.mud.yahoo.com> <87limbju45.fsf@latte.josefsson.org>
Message-ID: <1333560942.30565.YahooMailNeo@web31804.mail.mud.yahoo.com>
Date: Wed, 04 Apr 2012 10:35:42 -0700
From: William Mills <wmills@yahoo-inc.com>
To: Simon Josefsson <simon@josefsson.org>
In-Reply-To: <87limbju45.fsf@latte.josefsson.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] GSS-API and timeouts
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills@yahoo-inc.com>
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Apr 2012 17:35:47 -0000





>________________________________
> From: Simon Josefsson <simon@josefsson.org>
>To: William Mills <wmills@yahoo-inc.com> 
>Cc: "kitten@ietf.org" <kitten@ietf.org> 
>Sent: Wednesday, April 4, 2012 10:15 AM
>Subject: Re: GSS-API and timeouts
> 
>William Mills <wmills@yahoo-inc.com> writes:
>
>> As a result of the OpenID flow/redirect don't you get a complete
>> credential that can be used to finish the process?  Can't you connect
>> again, get a challenge perhaps, submit that completed credential and
>> be done?  That's very similar to what I did in the OAUTH/SASL thing,
>> so I'm replaying my one trick :)
>
>The problem is that the browser interaction in OPENID20/SAML20 can take
>a long time because it is interactive, and the server doesn't know when
>to stop waiting.
>
>/Simon
>

Yes, but if you can support an async style thing then you can just fail
the first auth, hold the connection open, and let the client do a second 

auth.  Server then limits the total number of allowed failed auth transactions.


>>
>>
>>
>>
>>
>>
>>>________________________________
>>> From: Simon Josefsson <simon@josefsson.org>
>>>To: kitten@ietf.org 
>>>Sent: Wednesday, April 4, 2012 7:43 AM
>>>Subject: [kitten] GSS-API and timeouts
>>> 
>>>When implementing the GSS-API part of OPENID20/SAML20 I noticed that the
>>>processes can hang waiting for a long time.  Server may want to wait one
>>>minute or more to allow a user to finish the IdP authentication.
>>>
>>>I think Nico discussed asynchronous GSS-API before.  However it is a
>>>significant amount of work to specify and implement.  I think it is
>>>simpler for applications to create a separate process or thread for the
>>>GSS-API part, and to enforce its own timeouts.  Sometimes there are
>>>other reasons for having separate processes/threads anyway.
>>>
>>>Still, even an asynchronous interface may want to use some timeouts
>>>where authentication is no longer expected to ever finish.  So it is not
>>>clear that an asynchronous interface is the solution to this problem.
>>>
>>>Does anyone have any thoughts on what a reasonable timeout should be?
>>>
>>>Or should GSS-API initiators and acceptors never timeout, but just hang
>>>indefinitely in case the authentication eventually completes?
>>>
>>>Of course, we could have a new GSS-API interface to enforce a timeout.
>>>For example:
>>>
>>>     OM_uint32
>>>     gss_sec_context_timeout (OM_uint32 *minor_status,
>>>                              OM_uint32 timeout);
>>>
>>>or something more general, in case there are similar concerns for other
>>>functions:
>>>
>>>
>>>     OM_uint32
>>>     gss_set_timeouts (OM_uint32 *minor_status,
>>>                       OM_uint32 sec_context_timeout,
>>>                       OM_uint32 micwrap_timeout);
>>>
>>>FWIW, in my implementation I'll probably use a 5 minute timeout or
>>>something like that.
>>>
>>>/Simon
>>>_______________________________________________
>>>Kitten mailing list
>>>Kitten@ietf.org
>>>https://www.ietf.org/mailman/listinfo/kitten
>>>
>>>
>>>
>> _______________________________________________
>> Kitten mailing list
>> Kitten@ietf.org
>> https://www.ietf.org/mailman/listinfo/kitten
>
>
>

v2.23.0 | Report a Bug | By Email