[Freeipa-devel] Planning FreeIPA 4.0 GA

Petr Vobornik pvoborni at redhat.com
Fri Jun 27 17:19:41 UTC 2014


On 27.6.2014 19:00, Simo Sorce wrote:
> On Fri, 2014-06-27 at 19:55 +0300, Alexander Bokovoy wrote:
>> On Fri, 27 Jun 2014, Martin Kosek wrote:
>>> Hello team,
>>>
>>> As we are about to release FreeIPA 4.0 very soon, I triaged all the pending
>>> tickets and divided them into the following milestones:
>>>
>>> 1) FreeIPA 4.0 GA - last work that is required for the release. When this
>>> milestone is completed, we will release. All tickets in this milestone are thus
>>> the top priority for people working on 4.0 - this applies both for development
>>> and for reviews.
>> Endi found that with TOTP we don't yet enforce a requirement to prevent
>> reuse of an OTP code multiple times within the same time step (you are able
>> to log in with TOTP and reuse it for password change within 30 seconds,
>> for example). RFC3268 part 5.2 clearly says that the verifier MUST NOT
>> allow this behavior.
>>
>> I'll look into this case on Monday but so far this is a release blocker.
>
> This is a well known limitation.
>
> The reason we allow for it is due to performance issues with replication
> if we did so, we do not have a good way to mark used values in a
> distributed fashion.
>

> It's for the same reason that we have not implemented HOTP yet.

Not entirely true:
http://www.redhat.com/archives/freeipa-devel/2014-January/msg00069.html

>
> Simo.
>
-- 
Petr Vobornik



