[EMAIL PROTECTED] writes: 
 > Under DCE/DFS machines do have their own principals, with keys that are
 > stored in a protected dir on the local disk.  These machines appear
 > "authenticated", just like any other user, although their user names are
 > things like "hosts/milkyway/self".  There is an equivalent of authuser
 > in DCE, and these machines would be members of that group.

Here are some thoughts that I have after reading everyone's
mail.

Since DFS will do it the way that AFS now does it, i.e.,
a host showing up as authuser, it makes more sense
to leave it the way it is.

Since people's intuition seems to vary on how this "should"
work, it seems to make sense to me to leave it the way it
is and allow people to deal with it.

Changing the semantics of IP entries in the protection
server just because one disagrees with how it's implemented 
means for some of us, more work when we see those changes 
in some future release.

I don't see the issue of having hosts show up in system:authuser
as a big security problem.  Although I'll admit, it would be
nice to distinguish between machines and people who have
tokens with system:whatever special names.

Quite honestly, if I could set priorities at Transarc, I 
would say this:
1) more than the 1K to 2K entries in a single pt group.  how
   about 64K as a limit that actually worked? 64K would last for
   a while and guarantee that we'd have something to talk about
   in the future...
2) pt groups within pt groups.
3) define a difference between people with tokens and IP addresses
   in the pt server by providing system:whatever special names.

We can live with and use to our advantage the way it works
now.  Sure, every site is going to have a different priority
list, but "drop boxes" aren't on ours, licensed software is
and system:authuser provides an easy to use, easy to maintain
ACL.  And for us, software is licensed to machines, not people.

We probably will maintain pt groups that have the IP addresses
of our machines broken down by type, for example, ipaddrs.dec,
ipaddrs.sun, ipaddrs.younameit, just so we can ACL s/w a little
tighter.

It's items 1 and 2 from my priority list above that would be
really nice, and if in doing those you did 3 too, great!


< Paul
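The per-platform IP groups Paul describes, as an added shell example that is not part of the original mail. It assumes OpenAFS `pts`/`fs` commands, a cell admin named `admin`, placeholder directories under `/afs/example.org/sw/<type>`, and a constructed inventory; with `AFS_DRYRUN=1` (the default here) it only prints the plan, and it rejects malformed addresses before they become protection-database entries.

```shell
#!/bin/sh
# Added example, not from the original mail or from Transarc/OpenAFS.
# Builds one pts group per platform type holding IP-address entries and
# grants each group read-only (rl) access to that platform's software tree.
# Assumed placeholders: owner "admin", dirs /afs/example.org/sw/<type>.

# Constructed inventory: "<ipv4> <platform>" per line (last line is bad on purpose).
INVENTORY='10.1.2.3 dec
10.1.2.4 sun
10.1.2.5 dec
not-an-ip sun'

# AFS_DRYRUN=1 (default) prints the command instead of running it.
run() { if [ "${AFS_DRYRUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# True only for a dotted quad whose four fields are all integers 0-255.
valid_ipv4() {
  echo "$1" | awk -F. 'NF!=4{exit 1}
    {for(i=1;i<=4;i++) if($i!~/^[0-9]+$/ || $i>255) exit 1}'
}

plan_commands() {
  # One group and one ACL entry per platform type (deduplicated).
  printf '%s\n' "$INVENTORY" | awk '{print $2}' | sort -u | while read -r type; do
    run pts creategroup -name "ipaddrs.$type" -owner admin
    run fs setacl -dir "/afs/example.org/sw/$type" -acl "ipaddrs.$type" rl
  done
  # One IP entry per machine, added to its platform group; bad lines are skipped.
  printf '%s\n' "$INVENTORY" | while read -r ip type; do
    valid_ipv4 "$ip" || { echo "skipping invalid address: $ip" >&2; continue; }
    run pts createuser -name "$ip"
    run pts adduser -user "$ip" -group "ipaddrs.$type"
  done
}

plan_commands
```

IP entries are matched on the client's source address rather than a token, so the example grants only `rl`; rerun with `AFS_DRYRUN=0` to execute the plan.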
