[nfsv4] Re: Feedback on user ID for any bis work

Chuck Lever III <chuck.lever@oracle.com> Fri, 16 August 2024 20:42 UTC

From: Chuck Lever III <chuck.lever@oracle.com>
To: Chris Inacio <inacio@cert.org>
Date: Fri, 16 Aug 2024 20:42:43 +0000
Message-ID: <8CAD9D90-489B-45AC-A52E-6800E6AA0EAE@oracle.com>
References: <88CFBD80-2BAA-43AE-8AA5-C032C2761266@cert.org> <DCD380BF-74D5-4FED-94EA-EC995A9DB164@oracle.com> <CAM5tNy7ELwEbE5z_VMC0ghePcMzkHAcEJDs4skvnxH4XJpeWLA@mail.gmail.com> <B0F6BCDA-CAE6-4985-AC0D-9DCAAEF68241@cert.org>
In-Reply-To: <B0F6BCDA-CAE6-4985-AC0D-9DCAAEF68241@cert.org>
CC: NFSv4 <nfsv4@ietf.org>
Subject: [nfsv4] Re: Feedback on user ID for any bis work
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/quwEt7n3LJdajnlZEdFGazEneBQ>


> On Aug 16, 2024, at 3:51 PM, Chris Inacio <inacio@cert.org> wrote:
> 
> 
> 
>> On Aug 16, 2024, at 3:17 PM, Rick Macklem <rick.macklem@gmail.com> wrote:
>> 
>>> On Fri, Aug 16, 2024 at 9:26 AM Chuck Lever III <chuck.lever=40oracle.com@dmarc.ietf.org> wrote:
>>> 
>>> 
>>>> On Aug 16, 2024, at 11:39 AM, Chris Inacio <inacio@cert.org> wrote:
>>>> 
>>>> Dave, All,
>>>> 
>>>> INDIVIDUAL CONTRIBUTOR HAT ON - NOT CHAIR
>>>> 
>>>> We need this super brief conversation in one of the interim meetings about how user identity is communicated across NFSv4, and there are 2 options, UID/GID ‘integers’ and then loosely defined ‘string’.  So I’ve been digging into this and I would say, most definitely, do NOT remove the string.  So what I can see so far is that UID/GID numbers are used when auth ‘sys’ is the selected mechanism, whereas currently the string is used when auth is tied to GSS-API.  As far as I can tell, the Kerberos principal name should be the string in the field.  I certainly don’t yet have a full understanding about how everything is connected together.  (Just sending the principal is nice and everything, but you want to be able to verify it, and HOLY RAT HOLE ROBIN is that confusing in practice.)
>>>> 
>>>> So, the thing I’m trying to make sense of, how hard would it be to support TLS identities (X.509 certs really) instead of Kerberos.
>>> 
>>> A perhaps subtle distinction here:
>>> 
>>> The current RPC-with-TLS protocol uses X.509 explicitly only for authenticating
>>> network peers (i.e., hosts). RFC 9289 even says "not for user authentication". So
>>> I think the term "TLS" here is probably misplaced.
>>> 
>>> You instead want to invent a new RPC security flavor or flavors that authenticates
>>> users (or, dare I say it, to extend GSSAPI to handle this for us) via an X.509
>>> certificate, or OAuth, or such like. Nothing to do with transport layer security,
>>> which doesn't know from users.
>> There is the specific case Chuck named "TLS identity squashing", where
>> the client's X.509 cert identifies a single user for all RPCs done
>> via the TLS session.
>> 
>> This works ok for cases where the client is just a single user, such
>> as a mobile device.
>> 
> 
> [ci] That’s really interesting.  I’ll have to look deeper at that.  First order is that the tighter binding of user to host that allows that to work more easily?

Rick implemented this for FreeBSD, and I have a plan to implement
this in Linux NFSD in a way that is hopefully compatible with his
implementation. It is merely a convention of adding a user identity
to the client certificate's SAN field; the receiving server then
squashes all RPC traffic from peers using that certificate to that
user ID.

But I didn't mention it before because I assumed you were interested
in the more general multi-user case.


--
Chuck Lever