[OpenAFS-devel] administratorless Peer to Peer (was RT, Gerrit, Release Management changes)

Jeffrey Altman jaltman@your-file-system.com
Mon, 08 Oct 2012 01:40:48 -0400


On 10/6/2012 10:24 AM, Troy Benjegerdes wrote:
> If alice@school.edu knows bob@commercial.com, and they have lunch and exchange
> business cards, and both of them trust the administrators of school.edu and
> commercial.com, why in the world do the admins of school.edu and commercial.com
> even have to get involved for Alice and Bob to (securely) share files with
> OpenAFS?

The reason that the admins of school.edu and commercial.edu need to be
involved is that the cells are the property of school.edu and
commercial.edu and each organization has its own terms of service and
security policies. Adding entries to the Protection Database is
something that must be authorized by the administrator.

It has nothing to do with cross-realm Kerberos.  In fact, the reason
that rxgk is based on GSS-API is to permit non-Kerberos solutions to the
authentication problem to be deployed.

The difficulty of automating the establishment of Kerberos realm key
exchange is really beside the point. Once anonymous PKINIT is
implemented in the KDCs, establishing a protocol to perform one-way
automated key exchange between realms is really quite trivial.

Jeffrey Altman


