[OpenAFS] final prerequesite for world domination

Russ Allbery rra@stanford.edu
Wed, 28 Dec 2005 15:09:02 -0800

Adam Megacz <megacz@cs.berkeley.edu> writes:

> Now all we need is a widely-accepted, widely-adopted way to authenticate
> users who are not in the kerberos database of the local cell, and do so
> without administrator intervention (ie without adding a ridiculous N^2
> cross-realm entries).  Ideally this would also include users who do not
> have a kerberos identity in *any* cell/kdc, anywhere.

How do you do identity management for people who are unknown to everyone
everywhere?  I mean, I can write a trivial little system that does exactly
what you say above.  The technical issues aren't the hard part.  You just
accept any username, create a KDC entry for them, and give them an empty
password.  Tada, authenticated.  You just don't know *who* you've
authenticated, and that's the hard part.  :)

As soon as you have some way of identifying this person and managing
identity for them, the problem reduces to figuring out how to either
create a Kerberos entry for them or trust someone else's existing realm.
Shibboleth is interesting in this regard.

> There are a lot of competing solutions and partial-solutions out there
> (gssklogd, kx509, pkinit), but I think widespread agreement will matter
> most in the end.

I can't speak to gssklogd, but kx509 and pkinit aren't solving this
problem.  Those are ways to authenticate someone *after* you've done the
identity management part and have given them a certificate or signed one.
That's the easy part.  The hard part is the part that has to happen
*before* that.

Now, it may be that the delegation of trust is easier with a
certificate-based authentication system rather than with traditional
Kerberos, so I can understand why people are pursuing allowing
authentication via certificate as part of a long-term solution.  But
you're just exchanging your problems for other problems -- in particular,
the user now has this piece of magic data that they have to keep track of
that your average user doesn't understand and isn't going to have with
them when they use that web kiosk system in the airport.

> There's no reason why AFS can't offer/support a PKI mechanism that is as
> easy to use as the SSH keying mechanism.

It's all just a matter of development time.  :)

But identity management is at least twice as hard as people think it is.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>