To those who are interested in DCE and/or AFS:
In AFS and DCE 1.0.x, if principals in cell A want to access servers in
cell B, then A's AS (authentication server) must register itself in B.
If A's principals need to access a set of foreign cells, A's AS has to
register itself in all the cells in the set. This is in general an O(N^2)
problem, where N is the number of cells.
DCE 1.1 is going to provide a solution to this problem in the following
two cases:
1. the client's and the server's cells are in a hierarchy, or
2. the client's cell is in a hierarchy of cells and the server's cell is
in another hierarchy of cells. The two hierarchies are independently
administered. An ancestor of the client's cell cross registers with an
ancestor of the server's cell.
In both cases, the hierarchical relation among cells implies trust among
them. An independently administered hierarchy of cells usually reflects the
hierarchy of an organization. So DCE 1.1's solution reduces the complexity
from O(N^2) to O(M^2), where M is the number of organizations. Since an
organization may have many cells, M should be smaller than N but may still
be quite large (each family or individual may be an organization in the
future).
No solution is provided for the more general cases:
1. when there are no implied trust relations among cells,
2. when the cells are not arranged in hierarchies, or
3. when a client needs to traverse more than two independent organizations
to authenticate itself to a server (the O(M^2) complexity).
We think such cases will become more and more common as DCE (or distributed
computing in general) gains popularity and as high-speed, high-bandwidth
digital networks are put in place. Some possible examples are given below.
It should be noted that these examples do not assume any hierarchy among
cells.
1. when you are doing business in Japan and need to electronically transfer
some funds from your U.S. local bank to a Japanese local bank. Neither
bank knows nor trusts the other, but they both trust a big international
bank.
2. when you provide information-on-demand through the (future) information
super-highway. It is unlikely you can directly register/authenticate
all your potential customers. You have to rely on other parties whom
you trust to do it for you.
3. A special case of 2. is using DFS/AFS to provide collections of
publications (say, TRs on different topics of DCE) organized in
remote-mountable file sets. Any interested party can mount and read the
files; fees may be charged on a per-mount basis or a per-open basis.
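The following is an added illustration, not part of the original post and not
DCE or AFS code: a small Python model of the trust relations described above.
Cells, hierarchies and cross-registrations are constructed with hypothetical
names. It counts the registrations the pairwise (DCE 1.0.x) scheme needs
versus a scheme where only one ancestor per hierarchy cross-registers, and
walks the trust graph to find the chain of cells a client would have to be
referred through, including the bank example where two cells that do not
trust each other both trust a third.

```python
from collections import deque

# Constructed topology (hypothetical cell names, not from the post).
# PARENT[cell] is the cell's parent in its administrative hierarchy;
# top-level cells (one per independently administered organization) have None.
PARENT = {
    "us.corp": None, "us.corp.east": "us.corp", "us.corp.west": "us.corp",
    "jp.corp": None, "jp.corp.tokyo": "jp.corp",
    "bank.us": None, "bank.jp": None, "bank.intl": None,
}

# Explicit cross-registrations between authentication servers. Modelled as
# unordered pairs for brevity; a real deployment registers each direction.
CROSS = {
    frozenset({"us.corp", "jp.corp"}),      # two hierarchies, ancestors cross-register
    frozenset({"bank.us", "bank.intl"}),    # neither local bank trusts the other,
    frozenset({"bank.jp", "bank.intl"}),    # but both trust the international bank
}


def organization(cell):
    """Top-level ancestor of a cell: the independently administered organization."""
    while PARENT[cell] is not None:
        cell = PARENT[cell]
    return cell


def pairwise_registrations(cells):
    """Registrations needed when every cell's AS must register in every other cell
    (the DCE 1.0.x model): one per ordered pair, i.e. N*(N-1)."""
    n = len(cells)
    return n * (n - 1)


def hierarchical_registrations(cells):
    """Registrations needed when only one ancestor per organization cross-registers
    with every other organization: M*(M-1) for M organizations."""
    m = len({organization(c) for c in cells})
    return m * (m - 1)


def trusted_neighbors(cell):
    """Cells whose AS `cell` can talk to directly: parent, children and peers
    that have cross-registered with it. Hierarchy edges model implied trust."""
    out = set()
    if PARENT[cell] is not None:
        out.add(PARENT[cell])
    out |= {c for c, par in PARENT.items() if par == cell}
    for pair in CROSS:
        if cell in pair:
            out |= pair - {cell}
    return out


def auth_path(client_cell, server_cell):
    """Shortest referral chain from the client's cell to the server's cell over
    the trust graph (breadth-first search), or None if no trust relation links them."""
    if client_cell == server_cell:
        return [client_cell]
    prev = {client_cell: None}
    queue = deque([client_cell])
    while queue:
        cur = queue.popleft()
        for nxt in sorted(trusted_neighbors(cur)):   # sorted for deterministic paths
            if nxt in prev:
                continue
            prev[nxt] = cur
            if nxt == server_cell:
                path = [nxt]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def organizations_traversed(path):
    """Number of independently administered organizations on a referral chain;
    more than two is the general case the post says DCE 1.1 does not cover."""
    return len({organization(c) for c in path})


if __name__ == "__main__":
    cells = list(PARENT)
    print("pairwise:", pairwise_registrations(cells),
          "hierarchical:", hierarchical_registrations(cells))
    for client, server in [("us.corp.east", "jp.corp.tokyo"),
                           ("bank.us", "bank.jp"),
                           ("us.corp.east", "bank.us")]:
        path = auth_path(client, server)
        orgs = organizations_traversed(path) if path else None
        print(client, "->", server, ":", path, "organizations:", orgs)
```

With these eight cells, the pairwise scheme needs 56 registrations and the
per-organization scheme 20 (five organizations). The corporate case resolves
through the cross-registered ancestors and touches two organizations; the
bank transfer resolves only through the international bank and touches three,
which is exactly the third general case listed above; the corporate and bank
cells share no trust relation, so no path exists.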
We are working on a solution for the more general cases. We would like to know
how important/needed this solution is. Is it worthwhile to make it into
POST-DCE1.1?
Any comments/opinions are welcome. Please send them to
"[EMAIL PROTECTED]", cc "[EMAIL PROTECTED]" and "[EMAIL PROTECTED]".
Thank you in advance.
Pau-Chen Cheng
Shyh-Wei Luan