> Depending on people who insist on rolling all keys every 6 months *and*
> continue to ignore DES-key brute force potential to continue to give you
> money is not a position I would want to be in.

EXCEPT for cross-realm keys, it's easily automatable, and quite honestly it's not something I even disagree with. And you would be incorrect that the DES key brute force issue is ignored; our AFS service key is the only DES key in our KDC, and we have to provide a justification for it every time we get audited.

> My take on the political layer obstacles to cross-realm is to figure out
> a way to leverage DNSSEC in some way to facilitate no-administrator
> intervention cross realm key exchange.

Sigh. I understand the temptation to solve political layer problems with technology, but I think you're missing the bigger issue. I don't even think I could explain it until you've been sitting across the table with the administrators of another organization. My advice? Go ahead, give it a try; let us know what you come up with.

But getting back to the ORIGINAL point ... there's no reason we can't use cross-realm for us, today. In fact, we should. So why don't we?

--Ken

_______________________________________________
OpenAFS-devel mailing list
OpenAFS-devel@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-devel