On 7/31/2014 11:20 AM, Benjamin Kaduk wrote:
> One might ask why we permit such gratuitous behavior differences across
> our platforms.

Very simple.

1. There was no functional Windows client before 2004 so there was no behavior change to worry about.
2. The choice of whether to activate "fs setcrypt" is determined by the distribution in configuration. The Windows default to use "fs setcrypt on" is provided by the packaging.
3. The Windows CM as received from IBM was already more secure than the UNIX CM in that it performs authenticated queries of the VL service. That wasn't an OpenAFS change.

Changing the behavior of the UNIX CM to use authenticated VL queries has been proposed in the past and received substantial push back from some very large end user organizations that were worried about the impact on VL server performance.

Jeffrey Altman