IETF Logo Mail Archive

Re: [kitten] GSS-API and timeouts

Nico Williams <nico@cryptonector.com> Wed, 04 April 2012 17:32 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C35D21F86DA for <kitten@ietfa.amsl.com>; Wed, 4 Apr 2012 10:32:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.736
X-Spam-Level:
X-Spam-Status: No, score=-1.736 tagged_above=-999 required=5 tests=[AWL=0.241, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PUMqkMR90+am for <kitten@ietfa.amsl.com>; Wed, 4 Apr 2012 10:32:20 -0700 (PDT)
Received: from homiemail-a28.g.dreamhost.com (caiajhbdcbhh.dreamhost.com [208.97.132.177]) by ietfa.amsl.com (Postfix) with ESMTP id 114F121F86CE for <kitten@ietf.org>; Wed, 4 Apr 2012 10:32:20 -0700 (PDT)
Received: from homiemail-a28.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a28.g.dreamhost.com (Postfix) with ESMTP id 957DF1B407B for <kitten@ietf.org>; Wed, 4 Apr 2012 10:32:19 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=cryptonector.com; h=mime-version :in-reply-to:references:date:message-id:subject:from:to:cc :content-type:content-transfer-encoding; q=dns; s= cryptonector.com; b=Mrrude7NOVNDTPebcZIbiVfkGicIQ5DAVr+yVqy8kLNL 2MApY3Ir7v0Wz8UAz1PctH/7IZHYhD6lZ1zfDH8cG/Yjvx1Ts1flUJXIh4RsQt+D TSLV3Lq/doFzVq2vWfc8ZV/ZbzKJurXzm6PgVB40hBLgY2v3v3pbkIuVurWTMzM=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type:content-transfer-encoding; s= cryptonector.com; bh=6AL/d04U3CN1pWnUEUewUu3RQpg=; b=iAWpes9t517 ZPtS3cmA93ynJj0pAKw1bcdcqFpIfnYC/MkT5P3Tuv6md1lbJ0l2sJBEl0xlrNwz ZVP+9GyrsZHenX0QOxtHl+5JPi59x54sVL2vRmiWjIRk5kxhWywWQoNnRufYAXCx WnwNl7zyFyIJcPYo3vWNWQiYUCtHkbjk=
Received: from mail-pb0-f44.google.com (mail-pb0-f44.google.com [209.85.160.44]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a28.g.dreamhost.com (Postfix) with ESMTPSA id 71E831B406B for <kitten@ietf.org>; Wed, 4 Apr 2012 10:32:19 -0700 (PDT)
Received: by pbbrq13 with SMTP id rq13so510265pbb.31 for <kitten@ietf.org>; Wed, 04 Apr 2012 10:32:19 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.219.3 with SMTP id pk3mr23945312pbc.34.1333560739032; Wed, 04 Apr 2012 10:32:19 -0700 (PDT)
Received: by 10.68.28.6 with HTTP; Wed, 4 Apr 2012 10:32:18 -0700 (PDT)
In-Reply-To: <201204041730.q34HUtU1005681@fs4113.wdf.sap.corp>
References: <87obr7lfqc.fsf@latte.josefsson.org> <201204041730.q34HUtU1005681@fs4113.wdf.sap.corp>
Date: Wed, 04 Apr 2012 12:32:18 -0500
Message-ID: <CAK3OfOjhLA7erBzCaL_4S-eiT_V5+CX4EzE8RX4QXjFCF9wDuA@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: mrex@sap.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: kitten@ietf.org, Simon Josefsson <simon@josefsson.org>
Subject: Re: [kitten] GSS-API and timeouts
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Apr 2012 17:32:20 -0000

On Wed, Apr 4, 2012 at 12:30 PM, Martin Rex <mrex@sap.com> wrote:
> Simon Josefsson wrote:
>>
>> When implementing the GSS-API part of OPENID20/SAML20 I noticed that the
>> processes can hang waiting for a long time.  Server may want to wait one
>> minute or more to allow a user to finish the IdP authentication.
>
> What kind of waiting are you thinking of here?
>
> Isn't this waiting for the initiator to send outstanding context tokens,
> which by itself is asynchronous, rather than the server blocking on
> a gss_accept_sec_context() call?

No, Simon's talking about waiting for messages to infrastructure, like
Kerberos KDCs, OCSP responders / CRL servers, RADIUS, IdPs, ...
Things the GSS-API does not expose.

Nico
--

v2.23.0 | Report a Bug | By Email