[OpenAFS-devel] openafs - proposed cache security improvement
Marcus Watts
mdw@umich.edu
Thu, 29 Mar 2007 01:10:50 -0500
Jeffrey Hutzelman <jhutz@cmu.edu> writes:
> > Incidentally, the particular problem Marcus posits here is one we
> > considered, and for which rxgk has an obvious solution in the form of its
> > combine-tokens operation. I do not think it would be appropriate at this
> > point in time to attempt to add this functionality to rxkad.
>
> Oh, BTW, this approach lends itself quite easily to situations in which the
> individual client hosts do not have keys, by giving the server a public key
> and authenticating rxgk token establishment with PKU2U instead of GSS-krb5.
Is this draft-zhu-pku2u-01.txt?
If so, besides the obvious problems, this seems to depend on
x509 certificates on both sides. So far, nobody else here has
sounded at all enthusiastic about x509 certificates for either side.
-Marcus Watts