1) The behavior I expect is as follows: at startup, the identity selector picks the first identity in the id card list to assign as the 'default_id_card'.
Thereafter, whenever the user clicks the 'send' button on an identity,
that identity becomes the new default_id_card.
2) The only reason I know of for the existence of the default_id_card is
to support gss_inquire_cred() on a credential that has never been used
with gss_init_sec_context(). I don't know of a practical use for it.
Kevin Wasserman
Painless Security
On 3/18/2014 5:57 AM, Alejandro Perez Mendez wrote:
> Hi all,
>
> looking around the moonshot-ui code I just realized the existence of
> both the moonshot_get_id and moonshot_get_default_id methods. As far as I
> understand, the former follows the typical procedure to get an ID card
> to be used with the selected RP (i.e. use one existing ID<->RP
> association, or launch the UI to create one). However, the latter seems
> to try to return the last used ID (stored in the "default_id_card"
> variable).
>
> However, I've been playing with this function, and I have some doubts
> about how it works. I hope someone can help me understand it:
>
> 1) The moonshot-ui seems to update the default_id_card variable after a
> card is selected on the UI. However, this does not ensure this variable
> contains the last used ID, as it is possible that a user makes use of a
> different identity for which an association exists. In that case, the UI
> is not shown, and the variable is not updated.
>
> E.g. User [log in to unmask] in the UI -> default_id_card =
> [log in to unmask]
> Then, the user accesses a server for which [log in to unmask] was
> configured -> default_id_card [log in to unmask]
> Therefore, subsequent calls to moonshot_get_default_id will return
> [log in to unmask] instead of [log in to unmask]
>
> Is this the expected behaviour or is it a bug?
>
> 2) What's the purpose of this method anyway? Is it used under any
> circumstance from mech_eap? I've seen some code in util_cred.c, but it
> is unclear to me what it is supposed to do. When one tries to access a
> new server which has no previous association with you, the default ID
> (previous ID) is not sent. Instead, the UI pops up.
>
> Regards,
> Alejandro