--On Friday, September 08, 2006 5:33 AM -0400 Simon Wilkinson via RT wrote:

> As the person quoted right at the beginning, I should probably
> contribute my findings here.
>
> I don't believe that ticket refresh is an issue. I can quite happily
> refresh, destroy, or replace my Kerberos credentials from under a
> running GSSAPI context, without causing that context to break.
>
> The issue (if there is an issue) is that Heimdal and MIT's behaviour
> differ when the initiator's credentials do actually expire. Heimdal
> allows the context to continue to be used for wrapping operations
> past expiry - MIT expires the context, and calls to wrap() or unwrap()
> fail. This difference in behaviour is an issue when using SASL
> applications with security layers, as the only way to renew the
> context is to reconnect to the server. In addition, many applications
> have inadequate error handling around their security layer
> implementations.
>
> I suspect that the current MIT behaviour is correct. Whilst there's
> no explicit language in RFC2743, it suggests that the length of time
> for which the context will be valid depends on credential lifetime.

Thanks Simon for the follow-up. So it sounds like the error here
really is inside cyrus-sasl, then?

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html