IETF Logo Mail Archive

Re: KITTEN: IETF 75 - 76

Nicolas Williams <Nicolas.Williams@sun.com> Tue, 01 September 2009 17:41 UTC

Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: kitten@core3.amsl.com
Delivered-To: kitten@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 21AD928C8D8 for <kitten@core3.amsl.com>; Tue, 1 Sep 2009 10:41:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.857
X-Spam-Level:
X-Spam-Status: No, score=-5.857 tagged_above=-999 required=5 tests=[AWL=0.189, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2SA9WiWWQXRA for <kitten@core3.amsl.com>; Tue, 1 Sep 2009 10:41:55 -0700 (PDT)
Received: from sca-ea-mail-3.sun.com (sca-ea-mail-3.Sun.COM [192.18.43.21]) by core3.amsl.com (Postfix) with ESMTP id EAA533A67DB for <kitten@ietf.org>; Tue, 1 Sep 2009 10:41:54 -0700 (PDT)
Received: from dm-central-01.central.sun.com ([129.147.62.4]) by sca-ea-mail-3.sun.com (8.13.6+Sun/8.12.9) with ESMTP id n81Hg5lN009060 for <kitten@ietf.org>; Tue, 1 Sep 2009 17:42:05 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-01.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id n81Hg5eg006578 for <kitten@ietf.org>; Tue, 1 Sep 2009 11:42:05 -0600 (MDT)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id n81HVB2q008289; Tue, 1 Sep 2009 12:31:11 -0500 (CDT)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id n81HVBWJ008288; Tue, 1 Sep 2009 12:31:11 -0500 (CDT)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Tue, 01 Sep 2009 12:31:11 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Michael B Allen <miallen@ioplex.com>
Subject: Re: KITTEN: IETF 75 - 76
Message-ID: <20090901173110.GL1033@Sun.COM>
References: <4A87A69A.3050408@sun.com> <4A87E02D.7030503@isode.com> <200908180013.29152.leifj@mnt.se> <20090901131202.137bdd90.miallen@ioplex.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20090901131202.137bdd90.miallen@ioplex.com>
User-Agent: Mutt/1.5.7i
Cc: kitten@ietf.org
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Sep 2009 17:41:57 -0000

On Tue, Sep 01, 2009 at 01:12:02PM -0400, Michael B Allen wrote:
> On Tue, 18 Aug 2009 00:13:28 +0200
> Leif Johansson <leifj@mnt.se> wrote:
> 
> > > >    2. listing/iterating credentials
> > > >    3. exporting/importing credentials
> > >
> > > I think Leif has expressed interest in (3) before.
> > 
> > That was exporting unfinished contexts actually - slightly different.
> > 
> > >
> > > >    4. error message reporting
> > > >    5. asynchronous calls
> > >
> > > The last 2 are generally required for use by modern applications.
> > 
> > hmm, is asynchronous calls related to exportable contexts perhaps...?
> 
> Exactly they are. To implement async (properly) you would need to be
> able to serialize a context at any step.

Internally, maybe, but as far as the application goes: no.

To me async means a pair of functions called, say,
gss_init_sec_context_async() and gss_accept_sec_context_async() that do
not block, but may return an indication that the call did not complete,
and which provide some way for event notification so that the
application can call them again when they are ready to be called again.

Here's one illustration based on event notification:

	major = gss_init_sec_context_async_event(&minor,
	    cred, &ctx, target, mech, req_flags,
	    GSS_C_INDEFINITE, cb, &input_token, &output_token,
	    &ret_flags, NULL, &event_notification);

	if (major == GSS_S_CONTINUE_NEEDED &&
	    output_token.length == 0) {
		/*
		 * hook event notification and contextual args
		 * to gss_init_sec_context_async() into our event loop
		 * and return.  when the event fires we'll get here
		 * again and call gss_init_sec_context_async() to make
		 * progress.
		 */

		queue_up(&event_notification, cred, &ctx, target, mech,
		    ...);
	}

Here's another based on background threads and a completion callback
instead of an event notification:

	major = gss_init_sec_context_async_cb(&minor,
	    cred, &ctx, target, mech, req_flags,
	    GSS_C_INDEFINITE, cb, &input_token, &output_token,
	    &ret_flags, NULL, cb_func, &cb_data);

	if (major == GSS_S_CONTINUE_NEEDED &&
	    output_token.length == 0) {
		/*
		 * Our callback will get called when
		 * gss_init_sec_context_async_cb() completes its work.
		 * The callback will arrange to get us called again.
		 */
		return (...);
	}

No context serialization needed.

The problem with the event notification variant is that event
notification is very OS-specific, and even library specific (think
kqueues, event ports, poll(), select(), /dev/poll, libevent, ...).  On
Unix and Unix-like systems we can probably make the event_notification
be just an array of file descriptors.

The problem with the callback variant is that it implies a threaded
process model (which I don't mind, but which won't be feasible for some
implementors).

Nico
--

v2.23.0 | Report a Bug | By Email