On Fri, 23 Mar 2007, Jim Rees wrote:

> Robert Banz wrote:
>
> > I know that this would be an "rx" change, but doing something like an
> > anonymous DH exchange with servers the first time you talk to them
> > would allow you to create a connection that would be resistant to
> > this sort of hijacking.
>
> Yes, but if we're going to change something, I think it would be useful for
> the client to authenticate the server.  If it doesn't, I don't see that
> we've really improved the situation.

This can be done without requiring a large number of clients to be keyed. If you don't see that as an improvement, um, I guess we have a disconnect.

_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
