[security-discuss] Re: [OpenAFS] Hardware Grants from Sun
Mon, 26 Feb 2007 14:33:06 -0500
On Sunday, February 25, 2007 04:21:45 PM -0600 Nicolas Williams
> A while back I designed such an API, which I called the generic
> credential store API (GCS-API) that provides a way to get a handle to
> the current credential store for a given thread, process, session or
> user, a way to associate a credential store handle with a thread,
> process, session or user, a way to list the credentials references in a
> store, and so on.
Note that while you can do that, it doesn't actually answer AFS's need,
which goes beyond merely storing credentials. We also have to be able to
associate a PAG(*) with cached connection state and access control data,
which is threaded through other data structures in a way we can't easily
change for each platform. That means it's necessary for each PAG to
actually have a unique, long-lived, unforgeable identifier.
(*) "PAG" is short for "Process Authentication Group". Some people are
apparently confused about what this means, so I thought I'd try to clarify
up front -- a PAG is a set of processes, not a place to store credentials.
AFS does track credentials on a per-PAG basis, but the essential thing we
need from an OS is not a credential store; it's a way to obtain the
identifier for the PAG to which a given process belongs.