Re: [nfsv4] AUTH_GSS for Callbacks

Nicolas Williams <Nicolas.Williams@sun.com> Thu, 30 October 2003 23:15 UTC

From: Nicolas Williams <Nicolas.Williams@sun.com>
To: "wurzl, mario" <wurzl_mario@emc.com>
Cc: 'Kevin Coffman' <kwc@citi.umich.edu>, Mike Eisler <mike@eisler.com>, nfsv4@ietf.org
Subject: Re: [nfsv4] AUTH_GSS for Callbacks
Message-ID: <20031030230955.GC26891@binky.central.sun.com>
References: <FA2F59D0E55B4B4892EA076FF8704F55055449CD@srgraham.eng.emc.com>
Date: Thu, 30 Oct 2003 15:09:55 -0800

On Thu, Oct 30, 2003 at 05:41:37PM -0500, wurzl, mario wrote:
> As protocol designers and implementers it is our duty to make a product as
> easy to use as possible.
> IT managers and administrators already complain about the complexities in
> deploying and managing information systems, and the tendency is "again"
> towards thin clients, but this time not because of the cost of the clients
> as it has been in the past, but because of the cost in setting up and
> managing these clients.
> Introducing a new protocol that increases client administration costs, is
> probably the most effective way to discourage deployment, and send the
> protocol to the same basket with other great but unmanageable ideas, like
> OSI.

Single-user clients should not require acceptor credentials, but it does
help if they have acceptor credentials (i.e., it will be more convenient
to the user in general).

Multi-user clients need acceptor credentials to really be secure.

All that said, single-user clients using LIPKEY will not be able to use
secure callback channels without SPKM-3 initiator and acceptor creds.
This is a flaw in the spec that I think we can fix (repeat after me:
CCM-MIC, CCM-MIC, CCM-MIC).

Cheers,

Nico