Adam Megacz wrote:

> Yes. One facet of what I'm getting at is that users should be able to
> use face-to-face interaction as an authentication mechanism if their
> AFS admins wish to allow that in their cell. Right now there is a
> technological barrier to this policy option.
I really think you are confusing the authentication and authorization issues. AFS does not manage identification. That is performed by whatever authentication system you are using.

If you want to set up an authentication model that allows identities to be issued based upon one user in your authentication domain vouching for another, by all means implement a web interface that allows that. However, this has nothing at all to do with AFS, which is simply a service that relies on an external authentication service.

As I have pointed out numerous times this past week, if you can control a DNS domain then you can deploy a Kerberos realm, and as the administrator of that realm you can implement whatever policy your heart desires.

I have also described how you can use authentication services other than Kerberos with AFS by implementing a token issuing daemon that accepts your authentication mechanism and returns a token to the end user.

The new Network Identity Manager that is being shipped with MIT Kerberos for Windows and will be distributed with OpenAFS in a future release is entirely modular. You can implement your own "identity" modules for it that can support your authentication model. For Unix, you can implement your own command line tools and PAM modules to obtain tokens for your users.

Jeffrey Altman