
Re: [OpenAFS-devel] Re: MEMORY credential cache interop between Heimdal and MIT?

>I advocate being reasonable. If you (just as a hypothetical example)
>prefer PAG to clean design - fine, but then do not call the resulting system
>secure, as you broke the assumptions on which the semantics
>of the system call set was designed (and still relies on).

The problem I see is that there are a lot of fuzzy terms being bandied
around that are subjective.  E.g., "clean", "secure", and "reasonable".

Is my shared descriptor credential cache "clean"?  Well, probably not ...
most people would probably agree on that.  Never said it was.

Is it "secure"?  Hmmm.  Well, I'm not sure I know what "secure" means
in this context.  I would say it is MORE secure than a file credential
cache.  I have data that agrees with me on that assertion.  But that's
a slippery term ... I don't really know how more secure it is, and I know
of no way to describe that in quantitative terms.

Regarding the semantics of the system call set ... well, I don't see how
what I've done changes those semantics one bit.

>> might point out that the design hasn't evolved yet; that would be fair,
>> but if we don't try stuff now we won't find what works and what doesn't.
>
>So I am helping the evolution by pointing out which things don't :)
>
>Many people seem to believe that PAGs are "right" and that all we need
>is a suitable implementation which will make it work.
>My point is that this is not exactly the case and that there are other,
>more general hindrances as well.

It depends on what we're talking about when we say "PAGs".

If we're talking about the magic groups hack that AFS uses ... well, I
think no one is in love with that particular implementation.  But it's
worked surprisingly well over the years (except where OS developers
actively work against the idea).  And it has shown that the _concept_
of session-based credentials works reasonably well ... not only does it
increase security, but it tends to make AFS behave in a more natural
way from the user's perspective.

If we're talking about credentials associated with a login session,
then I think most of the people who have used something like them find
that the semantics work well, are easy to use, and increase security.
How much they increase security is a debatable point, but again that
gets into the slippery nature of the word "security".  You may point
out that there are X ways to get around session-based credentials; I
will not disagree with that statement, but I don't see how that
invalidates the concept.  You can continually argue that <X> has a
security flaw until you come up with the conclusion that nothing is
secure and you might as well just post your passwords on a web page
somewhere.  I don't think many of us here would argue that far, but you
have to draw the line _somewhere_.