[OpenAFS] Re: why kerberos only works in monolithic organizations

Adam Megacz megacz@cs.berkeley.edu
Thu, 29 Dec 2005 23:26:11 -0800


Jeffrey Altman <jaltman@secure-endpoints.com> writes:
> In any case, this is not the biggest impediment to OpenAFS adoption.
> If you can obtain a domain name and publish the appropriate records
> in a name server, then you can successfully deploy an AFS cell and
> Kerberos realm.

The current situation is sort of like using DES encryption for email
privacy.  Before PGP, adoption of "email encryption" was technically
not being held back by the need to maintain N^2 shared secrets:
nothing was stopping you from doing it.  But it was such a nuisance
that nobody wanted to bother unless it was a matter of life-and-death.

The advent of public-key email security resulted in a network effect:
it took very little effort to get access to a very large pool of
people with whom you could communicate securely.  This offset the cost
of having to maintain a ~/.pgp, and a lot more people wound up with
access to email encryption.

I guess in this sense I should have said "would immensely accelerate
adoption" rather than "[lack of] is inhibiting adoption".

  - a