[OpenAFS-devel] openafs cell and contrib area?

Ted McCabe ted@MIT.EDU
Fri, 3 Nov 2000 12:58:56 -0500 (EST)


I concur with aeneous@speakeasy.org that the trust needed in the
maintainers of the db servers must be total.  I also point out that
while the fileservers need to trust the db servers, the db servers
need not trust the fileservers (currently of course, they do).

Is it enough to change AFS so that the db servers don't need to trust
the fileservers?
No.

For a distributed cell to have integrity of data, the people with
physical access to the fileservers need to be trusted to maintain that
integrity.  There is no way to ensure that (extreme case, picture a
fileserver hacked to provide bogus volume data, to only some selected
machines).  Unfortunately, the integrity of the data is the primary
purpose of the envisioned distributed openafs/default cell.

So given that you can never know for sure when the trust in a
distributed fileserver is violated, i.e. some trust *has* to be
assumed, two questions come to mind.
How much trust should be assumed?
Can the security model of AFS be modified to accommodate the desired
level of assumed trust *without* breaking the more conventional model
for setting up a cell?

Once there is some consensus about the trust levels assumed, then a
discussion about how to redesign the AFS security model can continue.

   --Ted