[OpenAFS-devel] RT, Gerrit, Release Management changes

Ken Hornstein kenh@cmf.nrl.navy.mil
Sun, 07 Oct 2012 22:24:41 -0400
>Depending on people who insist on rolling all keys every 6 months *and*
>continue to ignore DES-key brute force potential to continue to give you
>money is not a position I would want to be in.

EXCEPT for cross-realm keys, it's easily automatable, and quite honestly
it's not something I even disagree with.  And you would be incorrect that
the DES key brute force issue is ignored; our AFS service key is the only
DES key in our KDC, and we have to provide a justification for it every
time we get audited.

>My take on the political layer obstacles to cross-realm is to figure out
>a way to leverage DNSSEC in some way to facilitate no-administrator
>intervention cross realm key exchange.

Sigh.  I understand the temptation to solve political layer problems with
technology, but I think you're missing the bigger issue.  I don't even
think I could explain it until you've been sitting across the table with
the administrators of another organization.  My advice?  Go ahead, give
it a try; let us know what you come up with.

But getting back to the ORIGINAL point ... there's no reason we can't use
cross-realm for us, today.  In fact, we should.  So why don't we?

--Ken