Re: [nfsv4] [FedFS] Meeting Minutes, 12/10/2009
Nicolas Williams <Nicolas.Williams@sun.com> Mon, 14 December 2009 23:42 UTC
Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: nfsv4@core3.amsl.com
Delivered-To: nfsv4@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CB8173A6849 for <nfsv4@core3.amsl.com>; Mon, 14 Dec 2009 15:42:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.62
X-Spam-Level:
X-Spam-Status: No, score=-5.62 tagged_above=-999 required=5 tests=[AWL=-0.174, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, J_CHICKENPOX_48=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qRqcGQ0jUcho for <nfsv4@core3.amsl.com>; Mon, 14 Dec 2009 15:42:41 -0800 (PST)
Received: from sca-ea-mail-3.sun.com (sca-ea-mail-3.Sun.COM [192.18.43.21]) by core3.amsl.com (Postfix) with ESMTP id 921FB3A6853 for <nfsv4@ietf.org>; Mon, 14 Dec 2009 15:42:37 -0800 (PST)
Received: from dm-central-02.central.sun.com ([129.147.62.5]) by sca-ea-mail-3.sun.com (8.13.6+Sun/8.12.9) with ESMTP id nBENgOgp019981 for <nfsv4@ietf.org>; Mon, 14 Dec 2009 23:42:24 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id nBENgNfL053200 for <nfsv4@ietf.org>; Mon, 14 Dec 2009 16:42:23 -0700 (MST)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id nBENYsL4004518; Mon, 14 Dec 2009 17:34:54 -0600 (CST)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id nBENYpi1004517; Mon, 14 Dec 2009 17:34:51 -0600 (CST)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Mon, 14 Dec 2009 17:34:51 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: James Lentini <jlentini@netapp.com>
Message-ID: <20091214233450.GR1516@Sun.COM>
References: <alpine.LFD.2.00.0912101628360.18058@jlentini-linux.nane.netapp.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <alpine.LFD.2.00.0912101628360.18058@jlentini-linux.nane.netapp.com>
User-Agent: Mutt/1.5.7i
Cc: nfsv4@ietf.org
Subject: Re: [nfsv4] [FedFS] Meeting Minutes, 12/10/2009
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nfsv4>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Dec 2009 23:42:42 -0000
On Thu, Dec 10, 2009 at 04:29:34PM -0500, James Lentini wrote:
> + Admin NSDB Trust Anchor Management
>
> We reviewed our discussion from last week and the following
> mailing list discussion.
>
> Trond noted that we need more detail on the proposals.
>
> James agreed. We discussed several potential security
> options. It seems like there are three options emerging:
> NULL, TLS, and SASL+Kerberos 5. It is unclear how useful
> SASL+Kerberos 5 would be.
Kerberos will be helpful for federations where admins are willing to
have cross-realm trusts. That will likely be only subsets of
federations, not whole ones.
TLS (LDAPS) / StartTLS seems like the way to go. That means PKI for
server certs will be the most common way to authenticate servers. For
client authentication we can have TLS client certs, or a per-{client,
NSDB} password if need be and use SASL/DIGEST-MD5 or TLS w/ PSK.
> Trond asked if we could define a set of security options
> and allow for future extensions. He suggested that a
> possibility would be to include an opaque field with a format
> determined by the security parameter, similar to RPC.
Extensibility should be required, and can be arranged, yes.
> Trond suggested that, if the ADs were comfortable with this
> approach, it would be reasonable to define one or two
> security mechanisms now and defer the defining other options
> until there was a need.
Sounds like you guys want to avoid the subject of TA mgmt. I think the
simplest thing to do is to pass the cert of one NSDB server to the
fileserver, and publish the certs of all replicas of that NSDB server in
the NSDB itself (the fileserver can then treat all NSDB servers as
having pre-shared certs and to hell with TA mgmt).
Nico
--
- [nfsv4] [FedFS] Meeting Minutes, 12/10/2009 James Lentini
- Re: [nfsv4] [FedFS] Meeting Minutes, 12/10/2009 James Lentini
- Re: [nfsv4] [FedFS] Meeting Minutes, 12/10/2009 stacey_chris
- Re: [nfsv4] [FedFS] Meeting Minutes, 12/10/2009 James Lentini
- Re: [nfsv4] [FedFS] Meeting Minutes, 12/10/2009 Nicolas Williams
- Re: [nfsv4] [FedFS] Meeting Minutes, 12/10/2009 Nicolas Williams