On 14 Feb 2013, at 22:15, Benjamin Kaduk wrote:
> jhutz notes that in order to go from the nonce returned by 
> VL_RegisterAddrsAndKey to an actual key, the caller of the RPC needs to 
> perform PRF+ with the master key (K0) of the token of the connection and the 
> two nonces.  The other uses of PRF+ are in key derivation for packet 
> processing and for token combination; the key itself need not be exposed to 
> security object consumers otherwise.  Using a separate utility to register a 
> new fileserver and key would preserve this property, which is probably 
> useful.


I'm not sure how it being a separate utility, versus the fileserver, helps you 
here. Whatever happens, the rxgk library needs to provide either a means of 
getting K0 for a particular connection, or of performing a PRF+ operation 
using a particular set of inputs against a connection's key. Changing the 
caller from a bit of the fileserver to a standalone utility doesn't change the 
need to export that information.

Cheers,

Simon

_______________________________________________
AFS3-standardization mailing list
http://lists.openafs.org/mailman/listinfo/afs3-standardization