[krbdev.mit.edu #2620] Don't expire contexts when tickets expire

DEEngert@anl.gov via RT rt-comment at krbdev.mit.edu
Wed Jul 7 08:29:44 EDT 2004




Nicolas Williams via RT wrote:
> 
> On Tue, Jul 06, 2004 at 01:46:02PM -0400, Sam Hartman via RT wrote:
> > >>>>> "Nicolas" == Nicolas Williams via RT <rt-comment at krbdev.mit.edu> writes:
> >
> >     Nicolas> Summary: Find a way to make context non-expiration
> >     Nicolas> optional.  I don't think you will find a way to do so
> >     Nicolas> safely with the Kerberos V mechanism as it stands
> >     Nicolas> (rfc1964 and CFX).
> >
> > On the principle of those who care about a feature should figure out
> > how to make it work, I'm interested in hearing suggestions from you on
> > how to make this feature be optional.  I believe I require that the
> > default behavior be non-expiring contexts because I believe that
> > creates a more usable experience.
> 
> You can't have that default.  Deployed GSS applications rely on the
> current default behaviour (expiring), thus we can't change it.


Not so. You have made the assumption that the lifetime of a connection
is somehow tied to the lifetime of the credentials. But this is a
mechanism-specific decision. So for Kerberos, unless it is documented
in some Kerberos GSS standard that says this is so, it is undefined.
(I am on vacation, so will let you check if this is documented.)
So an implementation of a mech could choose to set the lifetime of the
connection to anything it wanted.

> 
> > If you don't come up with a good solution it probably will not be
> > optional at least in the first cut.
> 
> You are proposing the change, not I, thus the onus of working out a
> proposal that wouldn't break existing applications is on you.
> 
> That said, I won't mind helping to design this extension.
> 
> Nico

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

