[Freeipa-devel] Planning FreeIPA 4.0 GA

[Alexander Bokovoy]

On Fri, 27 Jun 2014, Simo Sorce wrote:
>On Fri, 2014-06-27 at 19:55 +0300, Alexander Bokovoy wrote:
>> On Fri, 27 Jun 2014, Martin Kosek wrote:
>> >Hello team,
>> >
>> >As we are about to very soon release the FreeIPA 4.0, I triaged all the pending
>> >tickets and divided them to following milestones:
>> >
>> >1) FreeIPA 4.0 GA - last work that is required for the release. When this
>> >milestone is completed, we will release. All tickets in this milestone are thus
>> >the top priority for people working on 4.0 - this applies both for development
>> >and for reviews.
>> Endi found that with TOTP we don't yet enforce a requirement to prevent
>> reuse of OTP code multiple times within the same time step (you are able
>> to login with TOTP and reuse it for password change within 30 seconds,
>> for example). RFC3268 part 5.2 clearly says that the verifier MUST NOT
>> allow this behavior.
>>
>> I'll look into this case on Monday but so far this is a release blocker.
>
>This is a well known limitation.
>
>The reason we allow for it is due to performance issues with replication
>if we did so, we do not have a good way to mark used values in a
>distributed fashion.
Are we willing to release with this limitation? If so, it should be
stated quite clearly in the docs.
-- 
/ Alexander Bokovoy