On 7/31/2014 11:20 AM, Benjamin Kaduk wrote:
> One might ask why we permit such gratuitous behavior differences across
> our platforms.

Very simple.
1. There was no functional Windows client before 2004 so there
was no behavior change to worry about.
2. The choice of whether to activate "fs setcrypt" is determined
by the distribution in configuration. The Windows default
to use "fs setcrypt on" is provided by the packaging.
3. The Windows CM as received from IBM was already more secure
than the UNIX CM in that it performs authenticated queries of
the VL service. That wasn't an OpenAFS change.
Changing the behavior of the UNIX CM to use authenticated VL queries has
been proposed in the past and received substantial push back from some
very large end user organizations that were worried about the impact on
VL server performance.
Jeffrey Altman
