[OpenAFS-devel] Re: openafs - proposed cache security improvement

Adam Megacz megacz@cs.berkeley.edu
Fri, 23 Mar 2007 12:38:59 -0700


Robert Banz wrote:
> There's also the approach ssh takes -- the first time you contact
> the server (ever) we store the server's "key", and keep it around.
> If something funky DOES happen at some point, you'll know somethin's
> rotten...

This sounds really nice.  One concern, though: how is the user alerted
to this fact, and how does the user indicate "yes, it's okay to accept
a new server key" without root access on the client?  SSH has no
kernel component, so this sort of decision can be made individually by
each local user on the client.  For the CM it appears that the
decision would be made on a per-client basis, not a per-client-user
basis.


Jim Rees <rees@umich.edu> writes:
> Of course it's an improvement.  I'm just not convinced that making afs
> depend on public key infrastructure is the price I want to pay for this.

I think there's some confusion here about public-key *technology*
(algorithms such as RSA, DSA) and public-key *infrastructure* (CAs
and roles such as VeriSign's).  A good example of the distinction is
SSH, which uses the former but not the latter.

I don't think anybody is suggesting reliance on public-key
*infrastructure*.

  - a

-- 
PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380
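The ssh-style key pinning Banz describes, together with the per-client versus per-user acceptance question Megacz raises, as an added Python sketch that is not OpenAFS or any poster's code (server names, key bytes and the pin-store layout are constructed for the example):

```python
"""Trust-on-first-use (TOFU) server-key pinning in the style of SSH known_hosts.

Added illustration for the thread above, not OpenAFS code. Server names,
key bytes and the store layout are constructed for the example.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class KnownServers:
    """A pin store; `scope` records whether it belongs to the whole client
    (one store for every local user) or to a single user."""
    scope: str = "per-client"
    pins: dict = field(default_factory=dict)


def fingerprint(pubkey: bytes) -> str:
    return hashlib.sha256(pubkey).hexdigest()


def check_server(store: KnownServers, server: str, pubkey: bytes) -> str:
    """'new' on first contact (pin recorded), 'ok' if the pin matches,
    'MISMATCH' if the key changed. A changed key is never pinned silently."""
    fp = fingerprint(pubkey)
    pinned = store.pins.get(server)
    if pinned is None:
        store.pins[server] = fp
        return "new"
    return "ok" if pinned == fp else "MISMATCH"


def accept_new_key(store: KnownServers, server: str, pubkey: bytes,
                   is_privileged: bool) -> bool:
    """Replacing a pin is an explicit decision. In a per-client store it
    affects every user, so it needs root; a per-user store needs no privilege."""
    if store.scope == "per-client" and not is_privileged:
        return False
    store.pins[server] = fingerprint(pubkey)
    return True


def demo(scope: str = "per-client") -> list:
    store = KnownServers(scope=scope)
    srv, k1, k2 = "afs1.example.org", b"constructed key v1", b"constructed key v2"
    return [check_server(store, srv, k1),            # first contact -> pinned
            check_server(store, srv, k1),            # same key -> ok
            check_server(store, srv, k2),            # key changed -> alert
            accept_new_key(store, srv, k2, False),   # unprivileged user decides
            check_server(store, srv, k2),
            accept_new_key(store, srv, k2, True),    # root decides
            check_server(store, srv, k2)]
```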