On Fri, 27 Jun 2014, Simo Sorce wrote:
> On Fri, 2014-06-27 at 19:55 +0300, Alexander Bokovoy wrote:
> > On Fri, 27 Jun 2014, Martin Kosek wrote:
> > > Hello team,
> > >
> > > As we are about to very soon release the FreeIPA 4.0, I triaged all the pending
> > > tickets and divided them to following milestones:
> > >
> > > 1) FreeIPA 4.0 GA - last work that is required for the release. When this
> > > milestone is completed, we will release. All tickets in this milestone are thus
> > > the top priority for people working on 4.0 - this applies both for development
> > > and for reviews.
> > Endi found that with TOTP we don't yet enforce a requirement to prevent
> > reuse of an OTP code multiple times within the same time step (you are able
> > to log in with TOTP and reuse it for a password change within 30 seconds,
> > for example). RFC3268 part 5.2 clearly says that the verifier MUST NOT
> > allow this behavior.
> >
> > I'll look into this case on Monday, but so far this is a release blocker.
>
> This is a well-known limitation.
>
> The reason we allow it is the performance issues with replication
> if we did so; we do not have a good way to mark used values in a
> distributed fashion.
Are we willing to release with this limitation? If so, it should be
stated quite clearly in the docs.
--
/ Alexander Bokovoy

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
