[OpenAFS] Encryption of traffic

Russ Allbery rra@stanford.edu
Tue, 26 Jun 2007 16:00:31 -0700


Jason Edgecombe <jason@rampaginggeek.com> writes:

> ok, dumb question time.

> Would using ASN.1 be more of a pain than helpful? I only say this
> because I read in the O'Reilly kerberos book that Krb5 uses ASN.1 to
> "future-proof" the encryption stuff and the protocol in general. I know
> nothing about ASN.1 besides that it's used by Kerb5, SNMP, and a few
> others.

ASN.1 is an encoding mechanism for putting arbitrary data on the network
and decoding it at the remote system.  It's complex and hairy in places
and is one of the more complicated parts of the protocols that use it.
The difficulties with changing the AFS protocol aren't really related to
AFS's data encoding format, but are more fundamentally because AFS's
original design didn't anticipate the need for pluggable authentication
and encryption methods and didn't include support for modern security
technology (like GSSAPI) that didn't exist when the AFS protocol was
designed.

Marcus can comment on how ASN.1 plugs in to the rxk5 world.  rxgk, as I
understand it, uses GSSAPI, and therefore will be able to support any
GSSAPI mechanism going forward (including non-Kerberos ones) as well as
support any Kerberos enctype that is standardized for use with GSSAPI.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
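As an added illustration for the question above (this is not part of Russ's message and is not OpenAFS, rxgk, rxk5 or Kerberos code), here is a minimal DER encoder/decoder for three universal ASN.1 types. It shows the tag-length-value layout that "an encoding mechanism for putting arbitrary data on the network" amounts to in practice, and the canonical-form checks a strict decoder has to make so that two encoders cannot produce different bytes for the same value. The sample message layout and its field values are constructed for the example and do not follow any Kerberos or rxgk ASN.1 definition.

```python
"""Minimal DER (ASN.1 Distinguished Encoding Rules) encoder/decoder.

Added example for this thread; not OpenAFS, rxgk, rxk5 or Kerberos code.
Covers INTEGER, OCTET STRING and SEQUENCE, enough to show tag-length-value
framing and the DER rules a strict decoder enforces: minimal length octets,
minimal integer octets, no indefinite lengths, no content past a parent's end.
"""

from typing import List, Tuple, Union

# Universal-class tag octets. SEQUENCE carries the constructed bit (0x20).
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_SEQUENCE = 0x30

Value = Union[int, bytes, List["Value"]]


def encode_length(n: int) -> bytes:
    """Short form below 128; else 0x80|count followed by count big-endian octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_integer(value: int) -> bytes:
    """INTEGER contents: two's complement in the fewest octets that keep the sign."""
    magnitude = value if value >= 0 else ~value  # bits needed besides the sign bit
    nbytes = magnitude.bit_length() // 8 + 1
    content = value.to_bytes(nbytes, "big", signed=True)
    return bytes([TAG_INTEGER]) + encode_length(len(content)) + content


def encode_octet_string(data: bytes) -> bytes:
    return bytes([TAG_OCTET_STRING]) + encode_length(len(data)) + data


def encode_sequence(elements: List[bytes]) -> bytes:
    content = b"".join(elements)
    return bytes([TAG_SEQUENCE]) + encode_length(len(content)) + content


def decode_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (length, position after the length octets), rejecting BER-only forms."""
    if pos >= len(buf):
        raise ValueError("truncated: missing length")
    first, pos = buf[pos], pos + 1
    if first < 0x80:
        return first, pos
    count = first & 0x7F
    if count == 0:
        raise ValueError("indefinite length is not permitted in DER")
    if pos + count > len(buf):
        raise ValueError("truncated: length octets")
    length = int.from_bytes(buf[pos:pos + count], "big")
    if buf[pos] == 0 or length < 0x80:
        raise ValueError("non-minimal length encoding")
    return length, pos + count


def decode(buf: bytes, pos: int = 0) -> Tuple[Value, int]:
    """Decode one TLV starting at pos; return (value, position after it)."""
    if pos >= len(buf):
        raise ValueError("truncated: missing tag")
    tag = buf[pos]
    length, pos = decode_length(buf, pos + 1)
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated: content shorter than declared length")
    content = buf[pos:end]
    if tag == TAG_INTEGER:
        if not content:
            raise ValueError("INTEGER with empty contents")
        # First nine bits all 0 or all 1 would be sign padding, which DER forbids.
        if len(content) > 1 and ((content[0] == 0x00 and content[1] < 0x80)
                                 or (content[0] == 0xFF and content[1] >= 0x80)):
            raise ValueError("non-minimal INTEGER encoding")
        return int.from_bytes(content, "big", signed=True), end
    if tag == TAG_OCTET_STRING:
        return content, end
    if tag == TAG_SEQUENCE:
        # Children are decoded against the SEQUENCE's own contents, so a child
        # cannot claim octets lying beyond its parent's declared end.
        items: List[Value] = []
        inner = 0
        while inner < len(content):
            item, inner = decode(content, inner)
            items.append(item)
        return items, end
    raise ValueError("unsupported tag 0x%02x" % tag)


def build_sample_message() -> bytes:
    """Constructed sample: SEQUENCE { INTEGER version, OCTET STRING key, INTEGER enctype }.
    The layout is invented for this example; it is not a Kerberos or rxgk type."""
    return encode_sequence([
        encode_integer(5),
        encode_octet_string(b"sixteen-byte-key"),  # constructed placeholder, not a real key
        encode_integer(18),
    ])


def is_rejected(buf: bytes) -> bool:
    """True if the strict decoder refuses buf or would leave trailing octets unread."""
    try:
        _, end = decode(buf)
    except ValueError:
        return True
    return end != len(buf)


if __name__ == "__main__":
    msg = build_sample_message()
    print(msg.hex())          # 3018020105041073697874... (26 octets)
    print(decode(msg)[0])     # [5, b'sixteen-byte-key', 18]
```

The point of the canonical-form checks is that a signature or MAC over DER-encoded data only means something if every conforming decoder accepts exactly one byte string for a given value; a lenient (BER-style) decoder that also accepts padded integers or long-form lengths for small values gives an attacker room to change the bytes without changing the decoded value.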