[OpenAFS] Re: feasibility of moving lightweight-principals issue "upstream" to kerberos

Adam Megacz megacz@cs.berkeley.edu
Sat, 31 Dec 2005 22:04:51 -0800

Russ Allbery <rra@stanford.edu> writes:
>> I mean, you can self-sign a certificate and give a paper copy to
>> somebody at a conference -- all without having to lease a server that's
>> "always-on".

> In that case, the person to whom you're handing the certificate and who is
> verifying that you are who you say you are is the authentication service.

Yes.  One facet of what I'm getting at is that users should be able to
use face-to-face interaction as an authentication mechanism if their
AFS admins wish to allow that in their cell.  Right now there is a
technological barrier to this policy option.

> What it sounds to me like you're saying is that you want to grant access
> to your AFS cell (authorize) people for whom you have no traditional
> authentication provider.

Exactly!  Especially in the case where traditional implies "on-line
available 24x7x365".

> But you're still going to be doing authentication (and therefore
> identity management, since you want your authentication system to
> satisfy certain identity binding requirements which will require at
> least some form of identity management).

I agree.  I think the really tough hurdle I'm trying to get over here
in this thread is if OpenAFS is willing to accept use-cases where the
task above is delegated outside the sphere of the "AFS software suite"
(OpenAFS, Kerberos, and various extensions to Kerberos).

In particular, this use-case works much better if support for it is
ubiquitous ("on by default") in the client (but of course "off by
default" on the servers).  This way users from "integrated" cells can
participate in "non-integrated" cells while still keeping the admins
of their home cell happy.

  - a

PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380