[AFS3-std] New Version Notification for draft-wilkinson-afs3-rxgk-06.txt (fwd)

Simon Wilkinson simon@sxw.org.uk
Thu, 11 Jul 2013 20:50:41 +0100


On 11 Jul 2013, at 20:40, Benjamin Kaduk <kaduk@mit.edu> wrote:
> In practice, this probably means that you can't call GSSNegotiate against one vlserver and then try to finish against a different vlserver.

You definitely want to disallow this. In fact, you want to require that all of the GSSNegotiate calls for a given context occur on the same connection.

> My rough plan for implementing multi-round-trip mechanisms on the server-side was to cache partially-constructed GSS security contexts, with a cap on how many can be cached at once and an expiration timer on them. That would eliminate any need to either export/import the partially-constructed context or replay GSS tokens.

With the OpenAFS RX stack, you can just use connection specific objects to store the partially built security contexts. These will then be disposed of when the connection is destroyed - you don't need to use the opaque objects at all, unless you want to support establishing multiple contexts simultaneously over the same connection.

Cheers,

Simon
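The server-side design the two messages above converge on (partially built GSS contexts held per connection, a cap on how many may be pending, an idle expiry, and a refusal to continue a negotiation on a different connection) can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not OpenAFS, rxgk or any code from the thread's authors. The class name `NegotiateServer`, the status strings, the `rounds_needed` counter standing in for real GSS token processing, and the injectable `clock` are all assumptions made for the example.

```python
import itertools
import time


class NegotiateServer:
    """Constructed model of a server holding half-built GSS contexts.

    Each pending context is bound to the RX connection that started it, so a
    continuation arriving on another connection (for example a second
    vlserver) is refused. The table is capped and idle entries expire, which
    bounds the memory a client can pin by starting negotiations it never
    finishes. The real GSS round trips are replaced by a simple round counter.
    """

    def __init__(self, rounds_needed, max_pending=64, pending_ttl=60.0,
                 clock=time.monotonic):
        self.rounds_needed = rounds_needed      # stand-in for the mechanism's round count
        self.max_pending = max_pending          # cap on simultaneously pending contexts
        self.pending_ttl = pending_ttl          # seconds a pending context may sit idle
        self._clock = clock                     # injectable so expiry can be tested
        self._pending = {}                      # ctx_id -> {"conn", "rounds", "last"}
        self._ids = itertools.count(1)

    def _expire(self):
        # Drop contexts that have been idle longer than the TTL.
        now = self._clock()
        for ctx_id, entry in list(self._pending.items()):
            if now - entry["last"] > self.pending_ttl:
                del self._pending[ctx_id]

    def on_connection_closed(self, conn_id):
        # Mirrors RX connection-specific objects: state dies with the connection.
        for ctx_id, entry in list(self._pending.items()):
            if entry["conn"] == conn_id:
                del self._pending[ctx_id]

    def pending_count(self):
        self._expire()
        return len(self._pending)

    def gss_negotiate(self, conn_id, ctx_id=None):
        """One GSSNegotiate call on connection conn_id.

        ctx_id is None for the first call; the returned handle must be
        presented on every later call from the same connection.
        Returns (status, ctx_id).
        """
        self._expire()
        now = self._clock()
        if ctx_id is None:
            if len(self._pending) >= self.max_pending:
                return ("ERR_BUSY", None)
            ctx_id = next(self._ids)
            entry = {"conn": conn_id, "rounds": 0, "last": now}
            self._pending[ctx_id] = entry
        else:
            entry = self._pending.get(ctx_id)
            if entry is None:
                return ("ERR_UNKNOWN_CONTEXT", ctx_id)
            if entry["conn"] != conn_id:
                # Continuation from a different connection is not allowed.
                return ("ERR_WRONG_CONNECTION", ctx_id)
        entry["rounds"] += 1
        entry["last"] = now
        if entry["rounds"] >= self.rounds_needed:
            del self._pending[ctx_id]
            return ("COMPLETE", ctx_id)
        return ("CONTINUE_NEEDED", ctx_id)
```

Binding the pending context to the connection rather than to an exported opaque blob is what lets the connection teardown path do the cleanup; the cap and TTL only matter for connections that stay open without ever finishing.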