From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <4842a6629d0318a83274fbbf07c64c2c@vitanuova.com>
To: 9fans@cse.psu.edu
Subject: Re: [9fans] an idea
From: rog@vitanuova.com
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Date: Mon, 26 Apr 2004 21:12:29 +0100
Topicbox-Message-UUID: 6efeb48a-eacd-11e9-9e20-41e7f4b1d025

> from the third party server's point of view.
> if you authenticate to a server, and use that to connect to another server,
> that server must trust the first server to speak for every user it sees on
> the connection, and it must know that.

i think this is a reasonably common scenario.

> thus the multiplexing might as well be just as in Styx: different user
> names [whatever that might mean in a larger context] label the Tattach
> messages on the connection.

that assumes, i think, that authentication is homogeneous throughout
that system (i.e. that one agent can authenticate all users uniformly
at the outer edge of the system). i'm not sure that's realistic.

in the simplest case, the first server is the kernel, and i find it
reasonable to trust it to speak for every user i authenticate as.
if i trust the kernel, why shouldn't i trust other services i have
started up, in the same way? there are occasions when i might extend
the same level of trust to other machines too.

from the server's point of view, it should not trust in-band
authentications along a channel that has not been end-to-end
authenticated in a way that it trusts. that's a matter for whoever
is arranging the topology of the system, surely?