[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: MEMORY credential cache interop between Heimdal and MIT?

To: Howard Chu <hyc@highlandsun.com>
Subject: Re: MEMORY credential cache interop between Heimdal and MIT?
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Date: Wed, 29 Aug 2007 18:36:49 -0700
Cc: Heimdal discuss <heimdal-discuss@sics.se>, OpenAFS Devel <openafs-devel@openafs.org>
In-Reply-To: <46D5E877.2030508@highlandsun.com>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
References: <Pine.LNX.4.64.0708151117370.17167@iris02.slac.stanford.edu> <20070815161906.8fcc2ddf.miallen@ioplex.com> <46C36271.7050402@secure-endpoints.com> <20070815183305.2580e548.miallen@ioplex.com> <79896EE9-9AE9-41C5-8F66-B144D0E0B1F8@mit.edu> <20070815233444.a1d54835.miallen@ioplex.com> <E969A5EB-4AC3-471F-AE36-B3645A1349C3@kth.se> <20070816145410.3299c310.miallen@ioplex.com> <46C49F7C.6050101@secure-endpoints.com> <20070816165138.2e42c6f2.miallen@ioplex.com> <1B0367BD-BB1D-46F5-A684-346A93B8954E@MIT.EDU> <20070822132121.5270f764.miallen@ioplex.com> <A44562DD-4EE8-48E1-B562-BA4D0F74B7D5@jpl.nasa.gov> <46D4D0CD.3050003@highlandsun.com> <20070828223248.a5e62570.miallen@ioplex.com> <46D4DEAA.1030407@highlandsun.com> <20070828231655.f17fa922.miallen@ioplex.com> <46D4EE4C.8070405@highlandsun.com> <46D4F025.50600@highlandsun.com> <20070829120921.f8fe84e1.miallen@ioplex.com> <46D5A2F3.3010603@highlandsun.com> <F422B16A-AFED-4DC2-AEEA-2D2F08A8895B@jpl.nasa.gov> <46D5E877.2030!508@highlandsun.com>
Reply-To: heimdal-discuss@sics.se, "Henry B. Hotz" <hotz@jpl.nasa.gov>

On Aug 29, 2007, at 2:43 PM, Howard Chu wrote:

> It sounds like you're happy with the inheritance model and don't  
> need anything else. But again, your assertion that strict  
> inheritance in the implementation guarantees secure usage is false.

"I'm happy with the inheritance model and don't need anything  
else."  ;-)  I could be convinced it's not good enough, but I'd need  
a good use case.

Don't confuse my assertion of what the properties *should* be with an  
assertion that it's what they really are for a real implementation.   
Likewise w.r.t. whether the intended properties are really sufficient  
for security in any specific real environment.

My point was that the PAG model is superior to Kerberos's FILE:  
ccache model.  Also while setgroups() may not be sufficiently  
protected to really satisfy the model, it's at least harder than setenv.

------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu

References:
- MEMORY credential cache interop between Heimdal and MIT?
  - From: Alf Wachsmann <alfw@slac.stanford.edu>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Michael B Allen <miallen@ioplex.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Michael B Allen <miallen@ioplex.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Ken Raeburn <raeburn@MIT.EDU>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Michael B Allen <miallen@ioplex.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Love Hörnquist Åstrand <lha@kth.se>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Michael B Allen <miallen@ioplex.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Michael B Allen <miallen@ioplex.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Ken Raeburn <raeburn@MIT.EDU>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Michael B Allen <miallen@ioplex.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Howard Chu <hyc@highlandsun.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Michael B Allen <miallen@ioplex.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Howard Chu <hyc@highlandsun.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Michael B Allen <miallen@ioplex.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Howard Chu <hyc@highlandsun.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Howard Chu <hyc@highlandsun.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Michael B Allen <miallen@ioplex.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Howard Chu <hyc@highlandsun.com>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
- Re: MEMORY credential cache interop between Heimdal and MIT?
  - From: Howard Chu <hyc@highlandsun.com>

Prev by Date: Cool, Thanks!
Next by Date: Re: [OpenAFS-devel] Re: MEMORY credential cache interop between Heimdal and MIT?
Prev by thread: Re: MEMORY credential cache interop between Heimdal and MIT?
Next by thread: Re: [OpenAFS-devel] Re: MEMORY credential cache interop between Heimdal and MIT?
Index(es):
- Date
- Thread