
Re: [OpenAFS-devel] Re: MEMORY credential cache interop between Heimdal and MIT?

On Aug 30, 2007, at 12:39 AM, u+openafsdev-sr55@chalmers.se wrote:

> Hi,
> I happen to have an opinion,
> based on years with AFS, DCE/DFS and Coda, fwiw.

Everyone's entitled to an opinion as long as they realize they're  
wrong if they disagree with mine.  ;-)

> On Wed, Aug 29, 2007 at 02:08:48PM -0700, Henry B. Hotz wrote:
>> (Process Authentication Group) problem the same way we solve the
>> secure credential cache problem.  PAGs have better semantics than any
>> extant Kerberos ccache implementation.
> This is a questionable statement.

Of course it is.  It's my opinion.  ;-)

> PAGs are supposed to be handy, but they contradict the basic *nix design,
> which is built around uid as the main credential.
> So they are controversial by nature.

The basic *nix design was oriented toward single multiuser machines.   
The uid is completely useless as a credential for accessing network  
resources.  Perhaps PAGs contradict the design, but that's because  
the design is not applicable.  Obviously that has user-visible  
effects, but I see no issue there except that the user needs to learn  
the difference.  (Or are you proposing that Unix should be updated to  
use a network-verifiable identity in place of the uid?)

> They create lots of confusion, are not as isolating as one might believe
> and eventually reduce security as they are breaking the borders
> of security domains (switching uids while inheriting rights or vice versa).

I agree that the scoping mismatch between uids and PAGs is a
security issue.  Likewise the scoping mismatch between PAGs and
<pick one> Kerberos credential caches is an issue.  Please propose
what you think the model should be, but if you say Unix uids then I
strenuously disagree.  I happen to think the process inheritance tree
is a good scope to use, as I described in my post.

How easy/hard that is to break is an implementation issue that I  
would discuss in terms of how well the PAG model was implemented.  As  
others have noted there will always be gaps and holes.  In fact I  
would go one farther and say that Goedel's Theorem absolutely  
guarantees there will be gaps and holes, regardless of what model you  

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu