Hi Joe,

I think what you said makes sense. Since the time synchronization could be found in clients, I think a better way is:

- If the TTL < 10 min: the lifetime is [-ttl/2, ttl/2]
- Else: the lifetime is [-5 min, ttl-5 min]

So, for my example, a security token issued at 9:01:

- If the TTL is 10 min, it will be valid from 8:56 to 9:04.
- If the TTL is 15 min, it will be valid from 8:56 to 9:11. This option is used by default.
- If the TTL is 1 day (1440 minutes), it will be valid from 8:56 to 8:56 of the next day.
Regards

On 03/03/2008, at 16:12, Joe Metzger wrote:

Candido, I think this approach of shifting the TTL to deal with clock skew will lead to more problems. If people who have good clocks ask for a 10 minute TTL, they will consider it an error if their tokens start failing in 5 minutes.
I would prefer to see a fudge-factor which is equal to the maximum allowable skew added to both ends of the window, instead of shifting the entire window.
If all the code that is generating and checking the timing is on perfSONAR servers, then I think a fudge factor of 10-20 seconds is sufficient. If it is on end user machines, then we should probably bump it up to 2-5 minutes.
--Joe
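As an added example (not code from this thread or from perfSONAR), the two lifetime rules argued over above, Cándido's shifted window and Joe's skew padding, modelled in Python and checked the way an AS would check them, with the AS clock one minute behind the client; the 2-minute skew tolerance and the "9 minutes later" check are my own assumptions.

```python
from datetime import datetime, timedelta

# Added example, not perfSONAR code: the two lifetime rules from the thread,
# checked the way the AS would check them. All timestamps are constructed.
FIVE_MIN = timedelta(minutes=5)

def shifted_window(issued, ttl):
    """Cándido's rule: a TTL under 10 min is centred on the issue time;
    anything longer keeps the full TTL but the window starts 5 min early."""
    if ttl < timedelta(minutes=10):
        return issued - ttl / 2, issued + ttl / 2
    return issued - FIVE_MIN, issued + ttl - FIVE_MIN

def padded_window(issued, ttl, max_skew):
    """Joe's alternative: keep [issued, issued + ttl] and pad both ends by the
    largest clock skew the deployment is prepared to tolerate."""
    return issued - max_skew, issued + ttl + max_skew

def is_valid(as_now, window):
    """The AS-side check: its own clock must fall inside the token's window."""
    start, end = window
    return start <= as_now <= end

def example_windows():
    """The three TTLs from the thread, for a token issued at 9:01 on 3 March 2008."""
    issued = datetime(2008, 3, 3, 9, 1)
    out = {}
    for minutes in (10, 15, 1440):
        start, end = shifted_window(issued, timedelta(minutes=minutes))
        out[minutes] = (start.strftime("%d %H:%M"), end.strftime("%d %H:%M"))
    return out

def demo(skew_tolerance=timedelta(minutes=2)):
    """AS clock one minute behind the client, TTL 10 min, as in the thread."""
    issued = datetime(2008, 3, 3, 9, 1)      # client clock when the token is minted
    as_clock = datetime(2008, 3, 3, 9, 0)    # AS clock is one minute behind
    ttl = timedelta(minutes=10)
    late = issued + timedelta(minutes=9)     # a well-synchronised client, 9 min later
    return {
        "plain": is_valid(as_clock, (issued, issued + ttl)),          # the original bug
        "shifted": is_valid(as_clock, shifted_window(issued, ttl)),
        "padded": is_valid(as_clock, padded_window(issued, ttl, skew_tolerance)),
        "shifted_late": is_valid(late, shifted_window(issued, ttl)),  # loses half the TTL
        "padded_late": is_valid(late, padded_window(issued, ttl, skew_tolerance)),
    }
```

The two "late" entries show Joe's objection in numbers: under the shifted rule a client with a correct clock finds a 10-minute token already dead at 9:10, while padding both ends keeps the full TTL and still absorbs the skew.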
On Mar 3, 2008, at 6:51 AM, Cándido Rodríguez Montes wrote:
Hi Nina and others,

I've just uploaded a new version of perfsonar-base and perfsonar-base-ac_authn (20080303) which includes a workaround for the timestamp. When a security token is created, it records when it was created and when it will expire. The theory is really pretty, but in the real world we have a problem if the clock of the client differs from the clock of the AS. Why? Because, for example, if the clock of the AS is 9:00 and the clock of the client is 9:01, the security token will be valid from 9:01 to 9:11. So the AS won't validate the security token, because 9:00 is not between 9:01 and 9:11. Then, what have I changed? With the new version of those jar files, in that example, the security token will be valid from 8:56 to 9:06. It gets the Time To Live (ttl) of the security token (by default it is 10 minutes, but you can set it programmatically) and the security token is valid from (actual_time-(ttl/2)) to (actual_time+(ttl/2)). I hope this fixes the problem of clients and the AS not having the same clock time, so users don't experience this problem.
Regards
On 27/02/2008, at 16:47, Nina Jeliazkova wrote:
Hi Cándido,
I've tried to use the new perfsonar base in perfsonarUI, but when testing with Telnet SSH, I am getting the error message below. Could you tell me the reason?
<?xml version="1.0" encoding="UTF-8"?>
<nmwg:metadata id="resultCodeMetadata">
  <nmwg:eventType>error.authn.timestamp</nmwg:eventType>
</nmwg:metadata>
<nmwg:data id="resultDescriptionData_for_resultCodeMetadata" metadataIdRef="resultCodeMetadata">
</nmwg:data>
</nmwg:message>
Regards, Nina
Cándido Rodríguez Montes wrote:
Hi devs,

There is a new version of perfsonar-base, 20080225, which should be used if you're using the authentication component in your service. This release fixes a problem with the WE profile. Please update your perfSONAR-base jar file ASAP, so the testing process can include tests of the WE profile for your service.
Regards
-- Cándido Rodríguez Montes E-mail: Middleware warrior Tel:+34 955 05 66 13 Red.ES/RedIRIS Edificio CICA Avenida Reina Mercedes, s/n 41012 Sevilla SPAIN
-- --------------------------------- Dr. Nina Nikolova-Jeliazkova Institute for Parallel Processing Bulgarian Academy of Sciences Acad. G. Bonchev St 25-A 1113 Sofia, Bulgaria Tel: +359 886 802011 ICQ: 10705013 www: http://ambit.acad.bg/nina --------------------------------- PGP Public Key http://cert.acad.bg/pgp-keys/keys/nina-nikolova-0xEEABA669.asc 8E99 8BAD D804 1A43 27B7 7F87 CF04 C7D1 EEAB A669 ---------------------------------------------------------------