[OpenAFS] Some questions about the future of OpenAFS

Derrick J Brashear shadow@dementia.org
Tue, 30 Apr 2002 11:18:02 -0400 (EDT)


If I'm wrong on any of this, speak up. I certainly wouldn't mind at all
being wrong.

On Tue, 30 Apr 2002, Douglas E. Engert wrote:

> I like Kerberos, V5 not V4. We have used DCE security servers as KDCs in the 
> past as well as W2K domain controllers. Both of which supported only V5. We 
> are running the krb524 just for AFS. We would like to get rid of it. The 
> gssklog with a Kerberos V5 GSSAPI can do that too. 

If you set up krb524d with just the service key (for AFS, which is what
you'd want anyhow) then you buy the ability to use non-DES keytypes for
things that authenticate to your service as compared to krb524d. Ok. But
then what you're saying is this service can be set up in 2
wire-incompatible ways (GSI and krb5 GSS)?

> So look at the separation of the authentication from the token generation as a
> way to give you, the OpenAFS developer, more flexibility in designing the next 
> generation of the AFS token. Tokens don't have to continue to be Kerberos tickets, 
> as they are used internally only by AFS.

Sort of. You're offering this as a way to take "any piece of
authentication data" and translate it now to "a DES key", and I assume in
the future "whatever a token becomes". But given the cache manager
portion of the work (which effectively is involved in "whatever a token
becomes") is probably more difficult than the rest, and that progress is
already being made on the rest, this still doesn't look like a big win in
the future, especially if it means yet another external dependency over
what would already have been needed gets pulled in... and especially if
that dependency is OpenSSL.