Re: [kitten] GSS-API and timeouts
William Mills <wmills@yahoo-inc.com> Wed, 04 April 2012 15:41 UTC
References: <87obr7lfqc.fsf@latte.josefsson.org>
Message-ID: <1333554083.71760.YahooMailNeo@web31804.mail.mud.yahoo.com>
Date: Wed, 04 Apr 2012 08:41:23 -0700
From: William Mills <wmills@yahoo-inc.com>
To: Simon Josefsson <simon@josefsson.org>, "kitten@ietf.org" <kitten@ietf.org>
In-Reply-To: <87obr7lfqc.fsf@latte.josefsson.org>
As a result of the OpenID flow/redirect don't you get a complete credential that can be used to finish the process? Can't you connect again, get a challenge perhaps, submit that completed credential and be done? That's very similar to what I did in the OAUTH/SASL thing, so I'm replaying my one trick :)

>________________________________
> From: Simon Josefsson <simon@josefsson.org>
> To: kitten@ietf.org
> Sent: Wednesday, April 4, 2012 7:43 AM
> Subject: [kitten] GSS-API and timeouts
>
> When implementing the GSS-API part of OPENID20/SAML20 I noticed that the
> processes can hang waiting for a long time. Server may want to wait one
> minute or more to allow a user to finish the IdP authentication.
>
> I think Nico discussed asynchronous GSS-API before. However it is a
> significant amount of work to specify and implement. I think it is
> simpler for applications to create a separate process or thread for the
> GSS-API part, and to enforce its own timeouts. Sometimes there are
> other reasons for having separate processes/threads anyway.
>
> Still, even an asynchronous interface may want to use some timeouts
> where authentication is no longer expected to ever finish. So it is not
> clear that an asynchronous interface is the solution to this problem.
>
> Does anyone have any thoughts on what a reasonable timeout should be?
>
> Or should GSS-API initiators and acceptors never timeout, but just hang
> indefinitely in case the authentication eventually completes?
>
> Of course, we could have a new GSS-API interface to enforce a timeout.
> For example:
>
>   OM_uint32
>   gss_sec_context_timeout (OM_uint32 *minor_status,
>                            OM_uint32 timeout);
>
> or something more general, in case there are similar concerns for other
> functions:
>
>   OM_uint32
>   gss_set_timeouts (OM_uint32 *minor_status,
>                     OM_uint32 sec_context_timeout,
>                     OM_uint32 micwrap_timeout);
>
> FWIW, in my implementation I'll probably use a 5 minute timeout or
> something like that.
>
> /Simon
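The pattern Simon's quoted mail suggests (run the GSS-API step on its own thread and let the application enforce the timeout) as an added example; this is not code from either poster. The blocking gss_accept_sec_context() call is replaced by a sleeping stand-in with a constructed delay so the sketch runs offline, and the job is freed by whichever side finishes last so an abandoned worker cannot use freed memory.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>
#include <time.h>
/* Caller-visible outcome of one blocking context-establishment step. */
typedef enum { STEP_COMPLETE = 0, STEP_TIMED_OUT = 1 } step_result;

struct step_job {
    pthread_mutex_t lock;
    pthread_cond_t done_cv;
    int done, abandoned;  /* done: set by worker; abandoned: set by caller */
    unsigned delay_ms;    /* constructed: simulated IdP round-trip time */
};
/* Stand-in for the blocking gss_accept_sec_context() call: it only sleeps.
   Whichever side touches the job last (worker or caller) frees it. */
static void *step_worker(void *arg) {
    struct step_job *job = arg;
    struct timespec nap = { job->delay_ms / 1000, (job->delay_ms % 1000) * 1000000L };
    nanosleep(&nap, NULL);
    pthread_mutex_lock(&job->lock);
    job->done = 1;
    int free_it = job->abandoned;
    pthread_cond_signal(&job->done_cv);
    pthread_mutex_unlock(&job->lock);
    if (free_it) free(job);
    return NULL;
}

/* Run one step on a worker thread, waiting at most timeout_ms. On timeout the
   worker is detached and left to finish or fail on its own, so the caller can
   drop the connection instead of hanging indefinitely. */
step_result run_step_with_timeout(unsigned delay_ms, unsigned timeout_ms) {
    struct step_job *job = malloc(sizeof *job);
    *job = (struct step_job){ PTHREAD_MUTEX_INITIALIZER, PTHREAD_COND_INITIALIZER, 0, 0, delay_ms };
    struct timespec deadline;  /* absolute deadline for pthread_cond_timedwait */
    clock_gettime(CLOCK_REALTIME, &deadline);
    deadline.tv_sec += timeout_ms / 1000;
    deadline.tv_nsec += (timeout_ms % 1000) * 1000000L;
    if (deadline.tv_nsec >= 1000000000L) { deadline.tv_sec++; deadline.tv_nsec -= 1000000000L; }
    pthread_t tid;
    pthread_create(&tid, NULL, step_worker, job);
    pthread_mutex_lock(&job->lock);
    while (!job->done && pthread_cond_timedwait(&job->done_cv, &job->lock, &deadline) != ETIMEDOUT) {}
    int finished = job->done;
    if (!finished) job->abandoned = 1;  /* worker frees the job when it returns */
    pthread_mutex_unlock(&job->lock);
    if (finished) { pthread_join(tid, NULL); free(job); return STEP_COMPLETE; }
    pthread_detach(tid);
    return STEP_TIMED_OUT;
}
```

With a real mechanism the worker would hold the connection and the partially built context, and the timed-out caller would only close its end; the GSS call itself is never interrupted.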