Issue 1661: Extension to SecurityContext to support SECIOP::DiscardContext (sec-rev)

Nature: Uncategorized Issue
Severity:
Summary: I believe the SecurityContext interface needs to be extended to properly support the SECIOP::DiscardContext message.
Resolution:
Revised Text:
Actions taken:
July 10, 1998: received issue
November 13, 1998: closed issue

End of Annotations:=====

X-Sender: nick@192.92.110.1
Date: Thu, 09 Jul 1998 16:50:25 -0400
To: sec-rev@omg.org
From: Nick Brachet
Subject: Extension to SecurityContext to support SECIOP::DiscardContext

Hi all,

I believe the SecurityContext interface needs to be extended to
properly support the SECIOP::DiscardContext message.

Here's a suggestion:

    module SecurityReplaceable {
        interface SecurityContext {
            Security::AssociationStatus discard_security_context (
                out Security::Opaque discard_context_token
            );
            void process_context_token (
                in Security::Opaque discard_context_token
            );
            ...
        }
    }

discard_security_context() is called when the context is discarded. It
may generate a discard_context_token to be sent in a
SECIOP::DiscardContext message.

When receiving a SECIOP::DiscardContext message the
discard_context_token is delivered to process_context_token().

Nick.
---
Houston this is a quick-a** ride!


To: Nick Brachet
Cc: sec-rev@omg.org
Subject: Re: Extension to SecurityContext to support SECIOP::DiscardContext
Reply-To: andre@inprise.com
X-Disclaimer: These are my statements and opinions. Mine Mine Mine Mine.
X-Disclaimer: To assume or infer that these statements represent
X-Disclaimer: Inprise Corporation would be, without a doubt, your error.
Date: Fri, 10 Jul 1998 09:22:33 -0700
From: "Andre Srinivasan"

NB> I believe the SecurityContext interface needs to be extended to
NB> properly support the SECIOP::DiscardContext message.
...
NB> discard_security_context() is called when the context is
NB> discarded. It may generate a discard_context_token to be sent in a
NB> SECIOP::DiscardContext message.
NB> When receiving a SECIOP::DiscardContext message the
NB> discard_context_token is delivered to process_context_token().

Why not treat the context in a way similar to SSL. The server retains
a certain number (n >= 0) of sessions that may get cleaned up over
time. The client may attempt to continue an existing session but may
be told that it needs to negotiate a new one.

-andre.


X-Sender: nick@192.92.110.1
Date: Mon, 13 Jul 1998 12:43:10 -0400
To: andre@inprise.com
From: Nick Brachet
Subject: Re: Extension to SecurityContext to support SECIOP::DiscardContext
Cc: sec-rev@omg.org

At 12:22 PM 7/10/98, Andre Srinivasan wrote:
>Why not treat the context in a way similar to SSL. The server retains
>a certain number (n >= 0) of sessions that may get cleaned up over
>time. The client may attempt to continue an existing session but may
>be told that it needs to negotiate a new one.

How is a client told to negotiate a new context? The server sends a
DiscardContext message. That message includes a discard_context_token.
[In the case of GSS-API, the call to gss_delete_context() can return a
token to be passed to the peer, which in turn calls
gss_process_context_token() with the token.]

Currently there's no way to generate or process such tokens.

Nick.
---
Houston this is a quick-a** ride!
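
The token exchange proposed in this thread, as an added Python sketch; it is not code from the thread or from the OMG specification. The HMAC token format, the shared session key, the context id and the class layout are assumptions made for illustration (real discard tokens are mechanism-defined and opaque to the caller), and the token is returned directly rather than through an out parameter.

```python
# Added illustration: models discard_security_context() / process_context_token().
import hashlib
import hmac
import os

ESTABLISHED, DISCARDED = "established", "discarded"


class SecurityContext:
    """Toy model of one peer's view of an established security association."""

    def __init__(self, context_id: bytes, session_key: bytes):
        self.context_id = context_id
        self._key = session_key  # assumption: both peers hold the same key
        self.state = ESTABLISHED

    def _expected_token(self) -> bytes:
        # Hypothetical token format: MAC over a fixed label and the context id.
        msg = b"discard:" + self.context_id
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def discard_security_context(self) -> bytes:
        """Tear down local state; return the token carried by DiscardContext."""
        token = self._expected_token()
        self.state, self._key = DISCARDED, b""
        return token

    def process_context_token(self, token: bytes) -> None:
        """Discard the local context only if the peer's token verifies."""
        if self.state != ESTABLISHED:
            raise ValueError("context is not established")
        if not hmac.compare_digest(token, self._expected_token()):
            raise ValueError("discard token failed verification")
        self.state, self._key = DISCARDED, b""


def demo():
    key, cid = os.urandom(32), b"ctx-1"  # constructed sample values
    client, server = SecurityContext(cid, key), SecurityContext(cid, key)
    token = server.discard_security_context()  # sent in SECIOP::DiscardContext
    forged_rejected = False
    try:
        client.process_context_token(b"\x00" * 32)  # token not made by the peer
    except ValueError:
        forged_rejected = True
    client.process_context_token(token)  # genuine token from the server
    return server.state, client.state, forged_rejected


if __name__ == "__main__":
    print(demo())
```

Verifying the token before dropping state means a message that did not come from the peer cannot force the client to renegotiate.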