Re: In-kernel Authentication Tokens (PAGs)

From: Trond Myklebust
Date: Tue Jun 15 2004 - 02:04:32 EST

Next message: Nigel Kukard: "Re: [HANG] SIS900 + P4 Hyperthread"
Previous message: viaemail: "Sua diversão esta de volta em Belo Horizonte..."
In reply to: Blair Strang: "Re: In-kernel Authentication Tokens (PAGs)"
Next in thread: David Howells: "Re: In-kernel Authentication Tokens (PAGs)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

På ty , 15/06/2004 klokka 02:38, skreiv Blair Strang:

> Surely the only logical reason to tag a process with extra security
> information /in the kernel/ is because that information is going to be
> used /by the kernel/. I can't think of a good reason to put a
> generalised keystore in the kernel.

Here are three good reasons.

- You want the key lifetime to be the same as your process lifetime
- You want the key to be readable ONLY by that one process.
- The kernel wants to supports multiple security realms and mechanisms.
Not everybody is happy with just kerberosV credentials, and we already
have beta code for the SPKM mechanism in RPCSEC_GSS.

As for the AFS PAG idea: it's already been shot down. See the
linux-fsdevel thread I referred to earlier.

Cheers,
Trond
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Nigel Kukard: "Re: [HANG] SIS900 + P4 Hyperthread"
Previous message: viaemail: "Sua diversão esta de volta em Belo Horizonte..."
In reply to: Blair Strang: "Re: In-kernel Authentication Tokens (PAGs)"
Next in thread: David Howells: "Re: In-kernel Authentication Tokens (PAGs)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]