> I will note that AFS PAGs do provide a much better model for how to
> manage credentials. It's not perfect either, but I consider it a
> reasonable minimum for what Apple should provide.

If you mean in terms of who gets access to your credential store, MacOS X does that pretty well now with the API cache. Those are segmented by MacOS Security Sessions, which give you the same sort of inheritance that AFS PAGs have today.

The problem lxs was referring to was client credential _selection_ ... which is a tough one, since there are cases where it might make sense to use "another" client credential, it might make sense to do cross-realm, and there's no good way to figure out which one is "correct". AFS sort of sidesteps this issue: you can only have one client identity per AFS cell, and it pushes the whole "do I use a local credential or cross-realm credential?" question back squarely onto Kerberos's lap.

--Ken

_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
