> I advocate being reasonable. If you (just as a hypothetical example)
> prefer PAG to clean design - fine, but then do not call the resulting system
> secure, as you broke the assumptions on which the semantics
> of the system call set was designed (and still relies on).

The problem I see is that there are a lot of fuzzy terms being bandied around that are subjective, e.g. "clean", "secure", and "reasonable". Is my shared descriptor credential cache "clean"? Well, probably not ... most people would probably agree on that. I never said it was. Is it "secure"? Hmmm. Well, I'm not sure I know what "secure" means in this context. I would say it is MORE secure than a file credential cache. I have data that agrees with me on that assertion. But that's a slippery term ... I don't really know how much more secure it is, and I know of no way to describe that in quantitative terms. Regarding the semantics of the system call set ... well, I don't see how what I've done changes those semantics one bit.

>> might point out that the design hasn't evolved yet; that would be fair,
>> but if we don't try stuff now we won't find what works and what doesn't.
>
> So I am helping the evolution by pointing out which things don't :)
>
> Many people seem to believe that PAGs are "right" and that all we need
> is a suitable implementation which will make it work.
> My point is that this is not exactly the case and that there are other,
> more general hindrances as well.

It depends on what we're talking about when we say "PAGs". If we're talking about the magic groups hack that AFS uses ... well, I think no one is in love with that particular implementation. But it's worked surprisingly well over the years (except where OS developers actively work against the idea). And it has shown that the _concept_ of session-based credentials works reasonably well ... not only does it increase security, but it tends to make AFS behave in a more natural way from the user's perspective. If we're talking about credentials associated with a login session, then I think most of the people who have used something like them find that the semantics work well, are easy to use, and increase security.

How much they increase security is a debatable point, but again that gets into the slippery nature of the word "security". You may point out that there are X ways to get around session-based credentials; I will not disagree with that statement, but I don't see how that invalidates the concept. You can continually argue that <X> has a security flaw until you come up with the conclusion that nothing is secure and you might as well just post your passwords on a web page somewhere. I don't think many of us here would argue that far, but you have to draw the line _somewhere_.

From your previous messages it seems to me that your point is basically, "Since you can get around session-based credentials all of these ways, you shouldn't bother doing it". Well, I do not agree with that conclusion. I respect your decision to make that call for your site, but I guess I don't understand your objection to doing what I feel is adding security to my site (I have yet to see anyone claim that session-based credentials decrease security).

--Ken

_______________________________________________
OpenAFS-devel mailing list
OpenAFS-devel@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-devel