On Tue, Jan 16, 2007 at 04:52:11PM -0800, Gary Winiger wrote:
> > Apple Key Chain is nothing like Kerberos or GSSAPI.
>
> I wasn't saying it did. I was suggesting that perhaps Roland's
> point was that if a Krb5 ticket or gss_sec certificate was
> obtained, that could be used to unwrap the encryption key.
>
> Since Roland hasn't followed up, I guess it's moot.
Distributing filesystem keys in network credentials. Sure, we could do that. It'd be a whole separate project though.

Also, RFC1510/RFC4120 Kerberos V tickets don't have a way to deliver secret information to the _client_ other than the session key stored in the Ticket -- and that cannot be used as a filesystem key. That would have to wait for RFC1510ter (Kerberos five dot 2, so to speak).

In any case, directly sharing your fs keys with a trusted third party, like a KDC, has its pluses, but we should probably consider other key escrow schemes as well.

Nico
--
