[OpenAFS] Delivering confidential information in AFS via Apache

Charles Karney ckarney@sarnoff.com
Fri, 3 Aug 2001 16:50:53 -0400 (EDT)


 > From: Jim Rees <rees@umich.edu>
 > Date: Fri, 03 Aug 2001 16:32:35 -0400
 > 
 >   My ulterior motive is to see the AFSWEB component of OpenAFS promoted to
 >   first-class status in the OpenAFS world.  Currently it's an orphan,
 >   following IBM's termination of support of it.
 > 
 > I don't like afsweb.  I don't want my password leaving my workstation.  How
 > many users actually check their browser certs to make sure they are giving
 > their password to the proper authority?

Probably < 1%.  So along with the use of afsweb, should go

    Intranet only (policed by a firewall);
    SSL certificate signed by the authorities recognised by IE and Netscape
        (we don't have this and we should get it);
    A lot of user training (we try).

 > We have been working on some alternatives, described here:
 > 
 > http://www.citi.umich.edu/projects/kerb_pki/index.html

Great.  I have absolutely no axe to grind with afsweb.  Back in May 2000, I
needed a way to provide secure access to the web and afsweb/websecure
offered a reasonably flexible and robust solution.

If a better solution comes along, and it's easy to deploy, I'll use it.  At
present I'm waiting for the grand transition of AFS to Kerberos 5.  So
we're still using the AFS kaserver and this may cause compatibility
problems with solutions originating out of the Kerberos world.

-- 
Charles Karney			Email:	ckarney@sarnoff.com
Sarnoff Corporation		Phone:	+1 609 734 2312
Princeton, NJ 08543-5300	Fax:	+1 609 734 2586