[OpenAFS-devel] Re: safe dropboxing in an anonymous world

Andrew Deason adeason@sinenomine.net
Tue, 8 Feb 2011 10:57:56 -0600


On Mon, 07 Feb 2011 17:29:23 -0500
Jeffrey Altman <jaltman@secure-endpoints.com> wrote:

> If the goal is to permit anonymous submission of homework for example,
> this model is simply not safe under any circumstances.  That is why I
> proposed a configuration option to disable the use of 'i'nsert with
> anonymous.  Answering Andrew, Mike Meffie's change (gerrit/217) is
> different.

I haven't seen any explanation as to how. It is a generalized mechanism
for restricting what rights an anonymous client can have. Unless you
mean only affecting anonymous rights in special cases? (like the dropbox
case)

> I do not believe we are at a point where making such a change is
> acceptable.  I think the best we can do in the short term is a
> combination of:
> 
>  * Derrick's proposal (gerrit/3901)
> 
>  * Providing an option to disable 'i'nsert for anonymous client
> 
>  * Improving our documentation to make it clear that system:anyuser "li"
>    and anonymous users are not a secure mix.

And I must reiterate that I think an additional note of the possible
failure scenario is required. Some sites will skip over security
warnings due to the closed nature of the site or for other reasons, but
"cannot/may not work in certain edge cases" will actually register.

-- 
Andrew Deason
adeason@sinenomine.net
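The documentation point above (that a system:anyuser "li" dropbox is not safe when anonymous access is possible) is something a site can check for mechanically. The following is an added example, not code from this thread or from the OpenAFS project: it parses text in the layout `fs listacl` prints for a directory and flags any directory where system:anyuser is granted 'i' in its normal rights without a matching negative entry taking it away. The sample ACL listing and paths are constructed for the example, and treating only system:anyuser as the anonymous-reachable group is an assumption made here.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of `fs listacl` output for three
# directories (not real output from any site; paths are placeholders).
SAMPLE_LISTACL = """\
Access list for /afs/example.org/course/dropbox is
Normal rights:
  system:administrators rlidwka
  course:staff rlidwka
  system:anyuser li
Access list for /afs/example.org/course/readonly is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
Access list for /afs/example.org/course/submit is
Normal rights:
  system:administrators rlidwka
  system:authuser li
Negative rights:
  system:anyuser rlidwka
"""

# Assumption for this example: only system:anyuser is reachable by an
# anonymous (unauthenticated) client.
ANONYMOUS_GROUPS = {"system:anyuser"}


@dataclass(frozen=True)
class Finding:
    path: str
    entity: str
    rights: str


def parse_listacl(text):
    """Return {path: {"normal": {entity: rights}, "negative": {...}}}."""
    acls = {}
    current = None
    section = "normal"
    for line in text.splitlines():
        m = re.match(r"Access list for (.+) is$", line)
        if m:
            current = m.group(1)
            acls[current] = {"normal": {}, "negative": {}}
            section = "normal"
            continue
        if line.startswith("Normal rights:"):
            section = "normal"
            continue
        if line.startswith("Negative rights:"):
            section = "negative"
            continue
        parts = line.split()
        if current is not None and len(parts) == 2:
            entity, rights = parts
            acls[current][section][entity] = rights
    return acls


def find_anonymous_insert(text):
    """Directories where an anonymous-reachable group keeps the 'i' right."""
    findings = []
    for path, sections in parse_listacl(text).items():
        for entity, rights in sections["normal"].items():
            if entity not in ANONYMOUS_GROUPS or "i" not in rights:
                continue
            # A negative entry for the same entity subtracts those bits,
            # so 'i' in the negative list cancels the grant.
            if "i" in sections["negative"].get(entity, ""):
                continue
            findings.append(Finding(path, entity, rights))
    return findings


if __name__ == "__main__":
    for f in find_anonymous_insert(SAMPLE_LISTACL):
        print(f"{f.path}: {f.entity} has '{f.rights}' (insert granted)")
```

Feeding it the concatenated output of `fs listacl` over the directories a site exports is enough to list every candidate dropbox that the documentation warning would apply to; only the first sample directory is reported, since the second grants no 'i' and the third grants 'i' to system:authuser rather than system:anyuser.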