[OpenAFS] feasibility of moving lightweight-principals issue "upstream" to kerberos

Adam Megacz megacz@cs.berkeley.edu
Thu, 29 Dec 2005 23:27:57 -0800


Jeffrey Altman <jaltman@secure-endpoints.com> writes:
> Granted these models are currently not distributed such that you could
> download an implementation from MIT or KTH but that is because there
> has not been appropriate demand for such functionality and the current
> Kerberos implementors do not have the resources to develop and test
> functionality that is not of immediate use to current large scale
> users.  However, this functionality is on the drawing board for future
> IETF standardization and implementation provided the necessary resources
> can be acquired to complete the work.

I really think it's more of a political issue than anything else; I
doubt they'd ever accept anything involving public key crypto as an
"official, standard, core" part of Kerberos.  And I can't say I
disagree with them.

I'm willing to contribute substantial developer-hours to realizing the
goal of easy, administrator-intervention-free cross-realm and
non-realm authentication.  And I'm very flexible in terms of taking
direction from people who've been around OpenAFS longer than I have on
how this ought to be achieved.  But if changing the "upstream"
Kerberos just to improve AFS is a prerequisite, I think this might be
a bigger task than I want to take on (or have the motivation to see
through).

  - a