[OpenAFS-devel] openafs - proposed cache security improvement

[Marcus Watts]

Jeffrey Hutzelman <jhutz@cmu.edu> writes:
> > Incidentally, the particular problem Marcus posits here is one we
> > considered, and for which rxgk has an obvious solution in the form of its
> > combine-tokens operation.  I do not think it would be appropriate at this
> > point in time to attempt to add this functionality to rxkad.
> 
> Oh, BTW, this approach lends itself quite easily to situations in which the 
> individual client hosts do not have keys, by giving the server a public key 
> and authenticating rxgk token establishment with PKU2U instead of GSS-krb5.

Is this
	draft-zhu-pku2u-01.txt ?

If so, besides the obvious problems, this seems to depend on
x509 certificates on both sides.  So far, nobody else here has
sounded at all enthusiastic about x509 certificates for either side.

				-Marcus Watts