[OpenAFS-devel] Re: administratorless Peer to Peer (was RT, Gerrit, Release Management changes)

Ken Hornstein kenh@cmf.nrl.navy.mil
Sat, 06 Oct 2012 17:51:00 -0400


>If alice@school.edu knows bob@commercial.com, and they have lunch and exchange
>business cards, and both of them trust the administrators of school.edu and 
>commercial.com, why in the world do the admins of school.edu and commercial.com
>even have to get involved for Alice and Bob to (securely) share files with
>OpenAFS?

Unfortunately ... that's the whole "trusted third party" part of Kerberos;
that's one of Kerberos's greatest strengths, but also one of its biggest
weaknesses.  There was a protocol designed to make that easier (PKCROSS),
but it never really got implemented (or even finished).

>We have DNSSEC that can cryptographically authenticate both domains, what 
>needs to happen to have AFS allow administratorless peer-to-peer file sharing?

I think you're over-estimating DNSSEC deployment, but that only solves one
direction (you can verify you're talking to the "correct" domain).  It
doesn't solve the other (harder) direction.

As I see it, the basic problem is that AFS delegated its authentication
to Kerberos, and Kerberos is designed to solve security at the
enterprise level.  I'm not saying that this isn't a problem that's worth
solving, but I can think of plenty of other problems that are of higher
importance.

--Ken