[OpenAFS-devel] openafs - proposed cache security improvement

Jim Rees rees@umich.edu
Fri, 23 Mar 2007 09:04:40 -0500


Robert Banz wrote:

  I know that this would be an "rx" change, but doing something like an  
  anonymous DH exchange with servers the first time you talk to them  
  would allow you to create a connection that would be resistant to  
  this sort of hijacking.

Yes, but if we're going to change something, I think it would be useful for
the client to authenticate the server.  If it doesn't, I don't see that
we've really improved the situation.
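
The difference between the two positions in this message, as an added example that is not part of the original thread or of OpenAFS/rx: an anonymous DH exchange accepts whatever public value arrives, while an authenticated one rejects a substituted value. The toy group, the function names and the pre-shared `auth_key` (standing in for whatever credential the client would use to authenticate the server) are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Toy group for illustration only (constructed): 2**127 - 1 is prime, but far
# too small for real use; a real exchange would use a standard large group.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def transcript_tag(auth_key, client_pub, server_pub):
    # Server binds both public values to a key the client already trusts.
    msg = client_pub.to_bytes(16, "big") + server_pub.to_bytes(16, "big")
    return hmac.new(auth_key, msg, hashlib.sha256).digest()

def client_finish(priv, client_pub, server_pub, tag=None, auth_key=None):
    """Return the session key; raise if authentication was requested and fails."""
    if auth_key is not None:
        expected = transcript_tag(auth_key, client_pub, server_pub)
        if tag is None or not hmac.compare_digest(tag, expected):
            raise ValueError("server public value not authenticated")
    return shared_key(priv, server_pub)

def run_exchange(authenticated, substituted):
    """Simulate one exchange; `substituted` models an on-path party
    replacing the server's public value before the client sees it."""
    auth_key = b"constructed-long-term-key"  # assumption: held by client and real server only
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    tag = transcript_tag(auth_key, c_pub, s_pub) if authenticated else None
    seen_pub = s_pub
    if substituted:
        _, seen_pub = keypair()  # on-path party's own value; it has no auth_key
    try:
        c_key = client_finish(c_priv, c_pub, seen_pub, tag,
                              auth_key if authenticated else None)
    except ValueError:
        return "rejected"
    if c_key == shared_key(s_priv, c_pub):
        return "matches server"
    return "key shared with wrong party"
```

In the anonymous case the client completes the exchange either way and cannot tell which party it now shares a key with; only the authenticated variant turns the substitution into a detectable failure.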