Re: KITTEN: IETF 75 - 76

To: Nicolas.Williams at sun.com (Nicolas Williams)
Subject: Re: KITTEN: IETF 75 - 76
From: Martin Rex <Martin.Rex at sap.com>
Date: Tue, 18 Aug 2009 01:10:08 +0200 (MEST)
Cc: kitten at ietf.org, Shawn.Emery at sun.com
Delivered-to: kitten at core3.amsl.com
In-reply-to: <20090817222500.GC1043 at Sun.COM> from "Nicolas Williams" at Aug 17, 9 05:25:01 pm
List-archive: <http://www.ietf.org/mail-archive/web/kitten>
List-help: <mailto:kitten-request@ietf.org?subject=help>
List-id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-post: <mailto:kitten@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
Reply-to: martin.rex at sap.com

Nicolas Williams wrote:
> 
> > 
> > hmm, is asynchronous calls related to exportable contexts perhaps...?
> 
> No.  Think of how gss_init_sec_context() and gss_accept_sec_context()
> can go off and do things like: DNS lookups, TGS exchanges, certificate
> validation (including OSCP and/or CRL checking), ...  All those tasks
> must complete before those functions can return, but each of those tasks
> can take a long time to complete or fail to complete.
> 
> I.e., we want versions of gss_init/accept_sec_context() that will do as
> much work as they can, then return without necessarily completing their
> work, instead returning some completion event object so the application
> can wait for completion in its event loop.
> 
> The basic problem here are is that async APIs tend to be very
> OS-specific.  But I think we can still have an OS-agnostic design IF we
> can rely on background threads (i.e., on a multi-threaded process
> model).  Relying on bg-threads might not be feasible on systems where a
> multi-threaded process model can't be relied upon (well, on such systems
> the async functions can just always operate synchronously when called in
> a single-threaded process).

To me that sounds like barking up the wrong tree.

If an application does not want to get blocked, it should use
seperate threads for the UI and other events that it does want
to do in parallel.  The application should take care about
and have control over each an every thread in a process.
Having service APIs create additional threads invisible to
the application will open a huge can of worms.

Maybe you want an API to specify timeouts after which a
gssapi call should give up and return an error?  Ideally,
that should already be configurable in an implementation specific
fashion (but often is not).

-Martin

Follow-Ups:
- Re: KITTEN: IETF 75 - 76
  - From: Nicolas Williams

References:
- Re: KITTEN: IETF 75 - 76
  - From: Nicolas Williams

Prev by Date: Re: KITTEN: IETF 75 - 76
Next by Date: Re: KITTEN: IETF 75 - 76
Previous by thread: Re: KITTEN: IETF 75 - 76
Next by thread: Re: KITTEN: IETF 75 - 76
Index(es):
- Date
- Thread

Re: KITTEN: IETF 75 - 76

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.