[OpenAFS-devel] administratorless Peer to Peer (was RT, Gerrit, Release Management changes)

Troy Benjegerdes hozer@hozed.org
Sat, 6 Oct 2012 09:24:27 -0500


On Sat, Oct 06, 2012 at 12:02:28AM -0400, Ken Hornstein wrote:
> >> Would it be feasible for us to 'eat our own dogfood', so to speak, and
> >> use SPNEGO and cross-realm Kerberos to log into RT? (If this is already
> >> implemented, and I haven't noticed, then I will volunteer myself to go
> >> document it better)
> >
> >Cross-realm isn't really a workable solution unless you have tight coordination
> >between realms and general agreement about security policies.
> 
> That has NOT been my experience, and we use cross-realm a lot (probably
> more than most sites).  I think there's no reason why we couldn't do
> what Troy is suggesting (other than the kinda pain-in-the-ass part of
> actually setting up cross-realm).

I'd agree with the pain-in-the-ass part of setup. So a really good question
is: Why in the world is this such a PITA to set up cross-realm authentication?

If alice@school.edu knows bob@commercial.com, and they have lunch and exchange
business cards, and both of them trust the administrators of school.edu and 
commercial.com, why in the world do the admins of school.edu and commercial.com
even have to get involved for Alice and Bob to (securely) share files with
OpenAFS?

We have DNSSEC that can cryptographically authenticate both domains; what
needs to happen to have AFS allow administratorless peer-to-peer file sharing?