On 27.6.2014 19:00, Simo Sorce wrote:
On Fri, 2014-06-27 at 19:55 +0300, Alexander Bokovoy wrote:
On Fri, 27 Jun 2014, Martin Kosek wrote:
Hello team,

As we are about to very soon release the FreeIPA 4.0, I triaged all the pending
tickets and divided them to following milestones:

1) FreeIPA 4.0 GA - last work that is required for the release. When this
milestone is completed, we will release. All tickets in this milestone are thus
the top priority for people working on 4.0 - this applies both for development
and for reviews.
Endi found that with TOTP we don't yet enforce a requirement to prevent
reuse of OTP code multiple times within the same time step (you are able
to login with TOTP and reuse it for password change within 30 seconds,
for example). RFC3268 part 5.2 clearly says that the verifier MUST NOT
allow this behavior.

I'll look into this case on Monday but so far this is a release blocker.

This is a well known limitation.

The reason we allow for it is due to performance issues with replication
if we did so; we do not have a good way to mark used values in a
distributed fashion.


It's for the same reason that we have not implemented HOTP yet.

Not entirely true:
http://www.redhat.com/archives/freeipa-devel/2014-January/msg00069.html


Simo.

--
Petr Vobornik

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
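As an added illustration of the check discussed above (example code, not FreeIPA's implementation and not from anyone in the thread): a minimal TOTP verifier that remembers the highest time step already accepted for a user and refuses a second code from that step or an earlier one, which is the rule in section 5.2 of the TOTP RFC (RFC 6238). The secret is the RFC's published test key, and a single in-memory counter stands in for the replicated state the thread points out is hard to keep consistent across servers.

```python
import hmac
import hashlib
import struct

# Published RFC 4226 / RFC 6238 test secret (not a real key).
SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per TOTP time step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class TotpVerifier:
    """Per-user verifier that consumes a time step once it has been accepted.

    In a replicated deployment `last_accepted` would have to be stored and
    agreed on by every server that can validate the user's codes; here it is a
    plain attribute, which is the simplification this example makes.
    """

    def __init__(self, secret: bytes, step: int = TIME_STEP, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window        # accept +/- this many steps of clock skew
        self.last_accepted = -1     # highest time step already used by a login

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_accepted:
                continue  # step already consumed (or older): reject the replay
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted = candidate  # record before reporting success
                return True
        return False
```

Submitting the same code twice inside one 30-second step succeeds only the first time, so a password change could not reuse the login's code.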
