Re: KITTEN: IETF 75 - 76

To: Love Hörnquist Åstrand <lha at kth.se>
Subject: Re: KITTEN: IETF 75 - 76
From: Nicolas Williams <Nicolas.Williams at sun.com>
Date: Tue, 1 Sep 2009 16:38:53 -0500
Cc: "kitten at ietf.org" <kitten at ietf.org>
Delivered-to: kitten at core3.amsl.com
In-reply-to: <396484EF-9812-40CE-9221-F1A1319FD10B at kth.se>
List-archive: <http://www.ietf.org/mail-archive/web/kitten>
List-help: <mailto:kitten-request@ietf.org?subject=help>
List-id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-post: <mailto:kitten@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
References: <4A87A69A.3050408 at sun.com> <4A87E02D.7030503 at isode.com> <200908180013.29152.leifj at mnt.se> <20090901131202.137bdd90.miallen at ioplex.com> <20090901173110.GL1033 at Sun.COM> <396484EF-9812-40CE-9221-F1A1319FD10B at kth.se>
User-agent: Mutt/1.5.7i

On Tue, Sep 01, 2009 at 02:27:04PM -0700, Love Hörnquist Åstrand wrote:
> >Here's another based on background threads and a completion callback
> >instead of an event notification:
> >
> >	major = gss_init_sec_context_async_cb(&minor,
> >	    cred, &ctx, target, mech, req_flags,
> >	    GSS_C_INDEFINITE, cb, &input_token, &output_token,
> >	    &ret_flags, NULL, cb_func, &cb_data);
> 
> The callback should take all output variables, for example:

As I imagined it the callback would only be to indicate that GISCACB()
must get called again to complete its work.  (And it might well need
fail to complete at that point.

Think of krb5_gisc: it may need to do multiple DNS lookups, and multiple
TGS exchanges; each time that some I/O is ready that it needs it could
call the callback, the app then calls back into GISCACB(), krb5_gisc
makes some progress, and if it'd block then it returns continue-needed
without an output token.  Lather, rinse, repeat.

I like it better that way.  If we add a new version of GISC with new
outputs we'll need not only a new GISC_async, but also a new callback
function prototype.  Having the callback lead to the application calling
GISCACB() again seems reasonable and simple enough to me.  I'm not
wedded to this, but it does seem simpler.

The callback in the credential iterator can be the way you propose.
That's because it doesn't need every output of gss_inquire_cred*(), just
a cred handle and mechanism OID, and it can find the rest from that.

Nico
--

References:
- KITTEN: IETF 75 - 76
  - From: Shawn M Emery
- Re: KITTEN: IETF 75 - 76
  - From: Alexey Melnikov
- Re: KITTEN: IETF 75 - 76
  - From: Leif Johansson
- Re: KITTEN: IETF 75 - 76
  - From: Michael B Allen
- Re: KITTEN: IETF 75 - 76
  - From: Nicolas Williams
- Re: KITTEN: IETF 75 - 76
  - From: Love Hörnquist Åstrand

Prev by Date: Re: KITTEN: IETF 75 - 76
Next by Date: Re: KITTEN: IETF 75 - 76
Previous by thread: Re: KITTEN: IETF 75 - 76
Next by thread: Re: KITTEN: IETF 75 - 76
Index(es):
- Date
- Thread

Re: KITTEN: IETF 75 - 76

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.