[OpenAFS] AES Support ?

John Hascall john@iastate.edu
Thu, 27 Sep 2007 14:50:14 CDT


> On Thu, 27 Sep 2007, John Hascall wrote:
> >   So they quickly upgrade their servers, then upgrade their clients
> >   and then think "well we should shut off that unsafe old stuff".
> >
> >   Now lets further suppose that Very Important Professor at ISU
> >   accesses data in Stanford's cell via ACLs.
> >
> >   If ISU hasn't yet completed their server upgraded, then we can't
> >   upgrade clients.  Now ISU VIP can't get at the data at Stanford.

> Why not? You didn't create k5-afs in your cell, so an upgraded client will 
> work as before.

   By "not yet completed" I meant started.  If I'm understanding
   the process as it was outlined many messages ago it was:

       1) create afs-k5 or (or is it k5-afs?) key
       2) upgrade all your servers
       3) upgrade all your clients
       4) remove the old afs key

   If, like us, you have a lot of servers and you upgrade them
   one-by-one by first vos moving all the data to other servers
   until they are empty and then vos moving it back afterwards
   then step 2 can take quite a long time.  And it seems to me
   that if you are in step 2, you can't talk (w/auth) to somebody
   who has finished step 4.

John