[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [OpenAFS-devel] Re: MEMORY credential cache interop between Heimdal and MIT?
On Aug 30, 2007, at 12:39 AM, firstname.lastname@example.org wrote:
> I happen to have an opinion,
> based on years with AFS, DCE/DFS and Coda, fwiiw.
Everyone's entitled to an opinion as long as they realize they're
wrong if they disagree with mine. ;-)
> On Wed, Aug 29, 2007 at 02:08:48PM -0700, Henry B. Hotz wrote:
>> (Process Authentication Group) problem the same way we solve the
>> secure credential cache problem. PAGs have better semantics than any
>> extant Kerberos ccache implementation.
> This is a questionable statement.
Of course it is. It's my opinion. ;-)
> PAGs are supposed to be handy, but they contradict the basic *nix
> which is built around uid as the main credential.
> So they are controversial by nature.
The basic *nix design was oriented toward single multiuser machines.
The uid is completely useless as a credential for accessing network
resources. Perhaps PAGs contradict the design, but that's because
the design is not applicable. Obviously that has user-visible
effects, but I see no issue there except that the user needs to learn
the difference. (Or are you proposing that Unix should be updated to
use a network-verifiable identity in place of the uid?)
> They create lots of confusion, are not as isolating as one might
> and eventually reduce security as they are breaking the borders
> of security domains (switching uids while inheriting rights or vice
I agree that the scoping mis-match between uid's and PAGs is a
security issue. Likewise the scoping mismatch between PAG's and
<pick one> Kerberos credential cache's is an issue. Please propose
what you think the model should be, but if you say Unix uid's then I
strenuously disagree. I happen to think the process inheritance tree
is a good scope to use, as I described in my post.
How easy/hard that is to break is an implementation issue that I
would discuss in terms of how well the PAG model was implemented. As
others have noted there will always be gaps and holes. In fact I
would go one farther and say that Goedel's Theorem absolutely
guarantees there will be gaps and holes, regardless of what model you
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or email@example.com