To: rt@krbdev.mit.edu
From: Simon Wilkinson
Subject: Re: [krbdev.mit.edu #4222] GSSAPI context being destroyed when ticket cache renewed
Date: Fri, 8 Sep 2006 10:32:59 +0100

As the person quoted right at the beginning, I should probably contribute my findings here.

I don't believe that ticket refresh is an issue. I can quite happily refresh, destroy, or replace my Kerberos credentials from under a running GSSAPI context, without causing that context to break.

The issue (if there is an issue) is that Heimdal and MIT's behaviour differ when the initiator's credentials do actually expire. Heimdal allows the context to continue to be used for wrapping operations past expiry; MIT expires the context, and calls to wrap() or unwrap() fail.

This difference in behaviour is an issue when using SASL applications with security layers, as the only way to renew the context is to reconnect to the server. In addition, many applications have inadequate error handling around their security layer implementations.

I suspect that the current MIT behaviour is correct. Whilst there's no explicit language in RFC2743, it suggests that the length of time for which the context will be valid depends on credential lifetime.

Simon.