[OpenAFS-devel] openafs - proposed cache security improvement

Jeffrey Altman jaltman@columbia.edu
Thu, 29 Mar 2007 08:05:58 -0400



Marcus Watts wrote:
> Jeffrey Hutzelman <jhutz@cmu.edu> writes:
>>> Incidentally, the particular problem Marcus posits here is one we
>>> considered, and for which rxgk has an obvious solution in the form of its
>>> combine-tokens operation.  I do not think it would be appropriate at this
>>> point in time to attempt to add this functionality to rxkad.
>> Oh, BTW, this approach lends itself quite easily to situations in which the 
>> individual client hosts do not have keys, by giving the server a public key 
>> and authenticating rxgk token establishment with PKU2U instead of GSS-krb5.
> 
> Is this
> 	draft-zhu-pku2u-01.txt ?
> 
> If so, besides the obvious problems, this seems to depend on
> x509 certificates on both sides.  So far, nobody else here has
> sounded at all enthusiastic about x509 certificates for either side.
> 
> 				-Marcus Watts

PKU2U uses Krb5 PK-INIT and PK-INIT does not require the use of X.509
certificates; it can also support raw public/private key pairs.

Jeffrey Altman


