[OpenAFS] final prerequesite for world domination [was: what is aklog's algorithm...]

Adam Megacz megacz@cs.berkeley.edu
Wed, 28 Dec 2005 13:23:07 -0800

Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:
> --Ken (who wrote the initial support for RFC 2052 for MIT Kerberos).

Thank you, Ken.  You, the person who came up with AFSDB, and the
person who implemented dynroot are my heroes.  You've made a lot of
things possible for a lot of people.

Now all we need is a widely-accepted, widely-adopted way to
authenticate users who are not in the kerberos database of the local
cell, and do so without administrator intervention (ie without adding
a ridiculous N^2 cross-realm entries).  Ideally this would also include
users who do not have a kerberos identity in *any* cell/kdc, anywhere.

There are a lot of competing solutions and partial-solutions out there
(gssklogd, kx509, pkinit), but I think widespread agreement will
matter most in the end.  Whatever solution manages to prove itself
worthy enough to the gatekeepers to get included in the "stock"
OpenAFS will end up becoming the de-facto standard that everyone uses.

There's no reason why AFS can't offer/support a PKI mechanism that is
as easy to use as the SSH keying mechanism.  When I can do "fs sa file
joe.key write" [*] and joe doesn't have to put much effort into
configuring his client to use his key, then I think the stage will
finally be set for a single world filesystem.

Bring it on.

  - a

[*] Where "joe.key" is a *file* containing some cryptographic public
    key for some person joe who is not [yet] in the pts database.
    The mechanics of how this actually would work is a good topic for

PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380