[OpenAFS-devel] openafs - proposed cache security improvement
Derrick J Brashear
shadow@dementia.org
Fri, 23 Mar 2007 10:43:42 -0400 (EDT)
On Fri, 23 Mar 2007, Jim Rees wrote:
> Robert Banz wrote:
>
> I know that this would be an "rx" change, but doing something like an
> anonymous DH exchange with servers the first time you talk to them
> would allow you to create a connection that would be resistant to
> this sort of hijacking.
>
> Yes, but if we're going to change something, I think it would be useful for
> the client to authenticate the server. If it doesn't, I don't see that
> we've really improved the situation.
This can be done without requiring a large number of clients to be keyed.
If you don't see that as an improvement, um, I guess we have a disconnect.