[OpenAFS-devel] RT, Gerrit, Release Management changes

Ken Hornstein kenh@cmf.nrl.navy.mil
Sun, 07 Oct 2012 22:09:33 -0400


>If for instance, the people that give you money want to implement a
>policy in which all keys in the KDC are updated every six months, then
>you have to do the PITA part with all the other realms every six months.

Yeah, believe me, I know what you mean there (for us, it's quarterly).
Although it occurs to me if you extract the cross-realm key from your KDC
you COULD just rekey the key in the other realm; problem solved! :-)

>And how do you justify to auditors that the people you're letting in
>from the remote realm follow your policies for account verification?

Well, that depends on what ACLs you're putting those foreign realm users on.
We control precisely what principals are allowed to login to each account,
and in THOSE cases we have a much closer relationship with that realm.
For the "other" realms we generally only care about a few users, and we
generally only put them on a few AFS ACLs.

--Ken
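The auditor question in this exchange, which foreign-realm principals actually hold access and where, is answered from two places: the per-account `.k5login` files (which principals may log in to each local account) and the AFS ACLs. As an added example, not code from this thread or from OpenAFS, here is a small Python audit script that parses `fs listacl` text output and `.k5login` contents, groups every grant to a non-local realm by realm, and flags any foreign ACL entry carrying more than read rights. The cell name example.org, the directory paths, the principals and the "foreign users get only rl" policy are all assumptions of the example; the sample inputs are constructed, not real data.

```python
"""Audit helper: which foreign-realm principals reach which AFS ACLs and accounts.

Added example, not part of the original thread. Input formats assumed here:
the text output of `fs listacl` and .k5login files (one principal per line).
"""
import re
from collections import defaultdict

LOCAL_CELL = "example.org"  # assumed local cell/realm, lowercase as PTS stores it

# Constructed sample `fs listacl` output for two directories (not real data).
SAMPLE_LISTACL = """\
Access list for /afs/example.org/proj/alpha is
Normal rights:
  system:administrators rlidwka
  alice rlidwka
  bob@partner.example rl
Negative rights:
  mallory@other.example rlidwka

Access list for /afs/example.org/proj/beta is
Normal rights:
  system:administrators rlidwka
  carol@partner.example rlidwk
  bob@partner.example rl
"""

# Constructed sample .k5login contents, keyed by local account name.
SAMPLE_K5LOGIN = {
    "proj": "alice@EXAMPLE.ORG\nbob@PARTNER.EXAMPLE\n",
    "admin": "# only local admins\nalice@EXAMPLE.ORG\n",
}

_HEADER = re.compile(r"^Access list for (.+?) is$")


def parse_listacl(text):
    """Parse `fs listacl` output into {path: [(name, rights, is_negative)]}."""
    acls, path, negative = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _HEADER.match(line)
        if m:
            path, negative = m.group(1), False
            acls[path] = []
            continue
        if line == "Normal rights:":
            negative = False
            continue
        if line == "Negative rights:":
            negative = True
            continue
        if path is None:
            raise ValueError(f"ACL entry before any header: {line!r}")
        name, rights = line.split()
        acls[path].append((name, rights, negative))
    return acls


def realm_of(name, local):
    """Realm of an ACL or .k5login name, lowercased; the local realm if none."""
    if "@" in name:
        return name.rsplit("@", 1)[1].lower()
    return local.lower()


def foreign_access(acls, k5logins, local_cell=LOCAL_CELL):
    """Map foreign realm -> sorted list of (principal, where, rights).

    Covers every positive ACL entry and every .k5login line whose realm is
    not the local one.  Negative ACL entries deny rather than grant, and
    system: groups are not cross-realm principals, so both are skipped.
    """
    out = defaultdict(set)
    for path, entries in acls.items():
        for name, rights, negative in entries:
            if negative or name.startswith("system:"):
                continue
            if realm_of(name, local_cell) != local_cell.lower():
                out[realm_of(name, local_cell)].add((name.lower(), "acl:" + path, rights))
    for account, contents in k5logins.items():
        for line in contents.splitlines():
            princ = line.strip()
            if not princ or princ.startswith("#"):
                continue
            if realm_of(princ, local_cell) != local_cell.lower():
                out[realm_of(princ, local_cell)].add((princ.lower(), "login:" + account, "shell"))
    return {realm: sorted(v) for realm, v in out.items()}


def over_privileged(report, allowed="rl"):
    """Foreign ACL grants with any right letter outside `allowed`.

    The read-only policy for foreign principals is an assumption of this
    example, not something the thread states.
    """
    bad = []
    for realm, entries in report.items():
        for princ, where, rights in entries:
            if where.startswith("acl:") and set(rights) - set(allowed):
                bad.append((realm, princ, where, rights))
    return sorted(bad)


if __name__ == "__main__":
    report = foreign_access(parse_listacl(SAMPLE_LISTACL), SAMPLE_K5LOGIN)
    for realm, entries in report.items():
        print(f"{realm}: {len(entries)} grant(s)")
        for princ, where, rights in entries:
            print(f"  {princ:28} {where:40} {rights}")
    for realm, princ, where, rights in over_privileged(report):
        print(f"WARN {princ} has {rights} on {where} (realm {realm})")
```

Run it against the real cell with `fs listacl` output collected over the directories you care about and the `.k5login` files from the accounts foreign principals may use; the per-realm listing is the artifact an auditor can check against the trust relationship you have with that realm.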