The approach we took in nfs was to do the crypto (encrypt, decrypt, sign, etc.) in the kernel for performance, and the rest of the stuff (kerberos protocol, context generation) in a user space daemon. The kernel part is a wrapper around the kernel's native crypto. Right now this is very linux specific, but it doesn't seem to me it would be that hard to provide wrappers for the platforms we support. Especially if we can decide up front that afs will only use des (for backward compatibility) and aes (for example).
In my wildest dreams, the user daemon (gssd) is portable and runs on linux, bsd, solaris, and anything else we care about, and supports both afs and nfs. But then I wake up and realize that won't happen in our lifetimes. Even though CITI controls gssd and is involved in both nfs and afs.
