[OpenAFS] fs setcrypt and transarc

Ted Anderson TedAnderson@mindspring.com
Thu, 10 Apr 2003 13:32:26 -0400


On 4/10/2003 12:15, Chaskiel M Grundman wrote:
> Even eliminating that requirement doesn't simplify things all that much,
> for several reasons:
...
> 2) The way RX is written, it needs to know the session key that will be
> used for a connection _before_ that connection's authentication exchange is
> performed (because the first packet must be signed/encrypted with that
> key). The current conventional wisdom is that using the session key
> embedded in the Kerberos ticket for session encryption is a bad thing. As a
> result, some key derivation/generation mechanism must be used. These 2
> concepts don't fit together very well.

Originally, the purpose of the ticket's session key was to encrypt the 
session.  Can you elaborate on this "current conventional wisdom" or 
provide a pointer?

Ted Anderson