[OpenAFS] AES Support ?
John Hascall
john@iastate.edu
Thu, 27 Sep 2007 13:17:35 CDT
> > > We aren't going to break existing deployments of AFS.
> > So all future releases of OpenAFS forever will support rxkad
> > and K4/DES-based tokens? And there will be no way for a cell
> > to turn that off? Really?
> You have the source. You can always patch it. So that's obviously false.

Well, that's a tautology, isn't it? You can always say "we aren't going
to break it, you can always patch it yourself".

> But there's literally no one with AFS deployed now whose clients are ready
> for this transition.

Today isn't the point. Presumably, someday people *will* start to
transition. And, barring a worldwide flag-day, cells *will* make
the transition at different times. Somebody *will* be the first
one to delete their "afs" principal.

Previously in this discussion it was said you need to upgrade all
your servers before you start upgrading your clients. So if (on
that day that some other cell deletes "afs") you haven't progressed
far enough in your transition to where you can upgrade your clients,
it sounds to me like you are in trouble.

And you have the ever-increasing weakness of DES keys, which I presume
will be pushing some cells to try to complete the transition as fast as
possible.

This, to me, seems to be the sort of thing people need to be aware of
for planning purposes.

John