[OpenAFS] AES Support ?

John Hascall john@iastate.edu
Thu, 27 Sep 2007 13:17:35 CDT

> > > We aren't going to break existing deployments of AFS.

> >    So all future releases of OpenAFS forever will support rxkad
> >    and K4/DES-based tokens?  And there will be no way for a cell
> >    to turn that off?  Really?

> You have the source. You can always patch it. So that's obviously false.

  Well, that's a tautology isn't it.   You can always say "we aren't going
  to break it, you can always patch it yourself".

> But there's literally no one with AFS deployed now whose clients are ready
> for this transition.

  Today isn't the point.  Presumably, someday people *will* start to
  transition.  And, barring a worldwide flag-day, cells *will* make
  the transition at different times.  Somebody *will* be the first
  one to delete their "afs" principal.

  Previously in this discussion it was said you need to upgrade all
  your servers before you start upgrading your clients.  So if, (on
  that day that some other cell deletes "afs"), you haven't progressed
  far enough in your transition to where you can upgrade your clients,
  it sounds to me like you are in trouble.

  And, you have the ever-increasing weakness of DES keys which I presume
  will be pushing some cells to try to complete the transition as fast as

  This, to me, seems to be the sort of thing people need to be aware of
  for planning purposes.