On Sun, Oct 07, 2012 at 06:43:10PM -0700, Gary Buhrmaster wrote:
> On Sun, Oct 7, 2012 at 10:28 AM, Troy Benjegerdes <[email protected]> wrote:
> ....
> > My take on the political layer obstacles to cross-realm is to figure out
> > a way to leverage DNSSEC in some way to facilitate no-administrator
> > intervention cross realm key exchange.
>
> We all look forward to your RFC.

Before I bother with an RFC that nobody other than me cares about, I'd
like to see gerrit.openafs.org *use* the following RFCs, so that I can
trivially log in when authenticated to my own local cell:

http://tools.ietf.org/html/rfc4120
http://tools.ietf.org/html/rfc4178
http://tools.ietf.org/html/rfc4559

If given a database dump of the RT database backing rt.central.org, I
can attempt to set up a test version that will allow any realm with
manually configured cross-realm trust to log in.

Once I am tired of manually configuring cross-realm trust, or phone
conversations with admins unwilling to configure said trust, then I will
implement some code and finally, after that, propose an RFC.

At this point, all I know is I've set up an RT instance that DOES allow
properly configured manual cross-realm trust, and I'm reasonably
confident I can do the same thing with a clone of the rt.central.org
database.

This is all on the 'when I feel like it' timeframe. If you would like to
see an RFC on a sooner timeframe, I am more than happy to discuss a
professional services development contract off-list.

On the email list, I am particularly interested in constructive
criticism that might help me understand what I'm missing, and make
better use of the 'when I feel like it' time so that the work I do ends
up benefiting both myself and the rest of the community.
