Re: KITTEN: IETF 75 - 76

On Tue, 01 Sep 2009 14:27:04 -0700
Love Hörnquist Åstrand <lha at kth.se> wrote:

> 
> 1 sep 2009 kl. 10:31 skrev Nicolas Williams:
> 
> > Here's another based on background threads and a completion callback
> > instead of an event notification:
> >
> > 	major = gss_init_sec_context_async_cb(&minor,
> > 	    cred, &ctx, target, mech, req_flags,
> > 	    GSS_C_INDEFINITE, cb, &input_token, &output_token,
> > 	    &ret_flags, NULL, cb_func, &cb_data);
> 
> The callback should take all output variables, for example:
> 
> OM_uint32
> gss_acquire_cred_ex_f(gss_status_id_t /* status */,
> 		      const gss_name_t /* desired_name */,
> 		      OM_uint32 /* flags */,
> 		      OM_uint32 /* time_req */,
> 		      const gss_OID /* desired_mech */,
> 		      gss_cred_usage_t /* cred_usage */,
> 		      gss_auth_identity_t /* identity */,
> 		      void * /* ctx */,
> 		      void (* /* complete */)(void *, OM_uint32, gss_status_id_t,
> 					      gss_cred_id_t, gss_OID_set, OM_uint32));

Holy moses that's complicated. Do you really need callbacks? Why not just have a flag like GSS_C_NOWAIT that indicates the call should return immediately even if the overall operation has not completed yet? If the status indicates more processing is required (EAGAIN for C binding for example) it means that you need to call it again later. I use this technique in my own stuff and the implementation turns out to be surprisingly clean.

Also note that in an HTTP server if you cannot serialize the context while juggling concurrent authentications you may have to commit to using resources unnecessarily (such as processes on UNIX). That was my primary thought when I first posted to this thread. It's not clear to me that your model would help that scenario and that scenario is fairly important IMO. Would callbacks work with a stateless transport like HTTP?

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
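
The call-again pattern suggested in the message above, sketched as an added example that is not part of the original post or of any GSS-API implementation. Every `demo_`/`DEMO_` name is hypothetical (`DEMO_C_NOWAIT` stands in for the proposed `GSS_C_NOWAIT`), and the slow mechanism step is simulated by a counter; the retry loop is bounded so an authentication that never completes cannot hold a worker indefinitely.

```c
#include <errno.h>
#include <stdio.h>

/* All names here are hypothetical; none are part of the GSS-API. */
#define DEMO_C_NOWAIT      0x1u /* stand-in for the proposed GSS_C_NOWAIT */
#define DEMO_S_COMPLETE    0u
#define DEMO_S_FAILURE     1u
#define DEMO_S_WOULD_BLOCK 2u   /* not finished yet, call again later */

/* Mock context: `pending` ticks of slow work (e.g. a KDC reply) remain. */
struct demo_ctx { int pending; int established; };

/* One tick of the simulated background work. */
static void demo_tick(struct demo_ctx *ctx) { if (ctx->pending > 0) ctx->pending--; }

/* Mock init call. With DEMO_C_NOWAIT it never blocks and reports
 * DEMO_S_WOULD_BLOCK (minor = EAGAIN) until the work has finished;
 * without the flag it "blocks" by running the work to completion. */
unsigned demo_init_sec_context(unsigned *minor, struct demo_ctx *ctx, unsigned flags)
{
    *minor = 0;
    if (ctx == NULL) { *minor = EINVAL; return DEMO_S_FAILURE; }
    if (ctx->established) return DEMO_S_COMPLETE;
    if (ctx->pending > 0) {
        if (flags & DEMO_C_NOWAIT) { *minor = EAGAIN; return DEMO_S_WOULD_BLOCK; }
        while (ctx->pending > 0) demo_tick(ctx);
    }
    ctx->established = 1;
    return DEMO_S_COMPLETE;
}

/* Caller loop: retry on EAGAIN at most max_calls times.
 * Returns the number of calls made, or -1 on failure or timeout. */
int demo_establish(struct demo_ctx *ctx, int max_calls)
{
    unsigned minor;
    for (int calls = 1; calls <= max_calls; calls++) {
        unsigned major = demo_init_sec_context(&minor, ctx, DEMO_C_NOWAIT);
        if (major == DEMO_S_COMPLETE) return calls;
        if (major != DEMO_S_WOULD_BLOCK || minor != EAGAIN) return -1;
        demo_tick(ctx); /* a real server would service other connections here */
    }
    return -1;
}

int main(void)
{
    struct demo_ctx ctx = {3, 0}; /* constructed input: three ticks of work */
    printf("established after %d calls\n", demo_establish(&ctx, 10));
    return 0;
}
```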