Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!cs.utexas.edu!sun-barr!cronkite!exodus!argon.Eng.Sun.COM!db
From: db@argon.Eng.Sun.COM (David Brownell)
Newsgroups: comp.protocols.nfs
Subject: Re: group permissions when root
Message-ID: <15886@exodus.Eng.Sun.COM>
Date: 27 Jun 91 05:36:59 GMT
References: <7958@spdcc.SPDCC.COM> <15542@exodus.Eng.Sun.COM>
Sender: news@exodus.Eng.Sun.COM
Organization: Sun Microsystems, Mt. View, Ca.
Lines: 46
Bcc: db

Recently, jim@cs.strath.ac.uk (Jim Reid) flamed "Secure NFS". It's not
perfect (is anything?), but some of his comments were off base:

> It has a better authentication system, but not much better. For one
> thing, NIS (Yellow Pages) is used to distribute the keys. You might as
> well announce those keys on peak-time TV for all the "security" NIS
> offers.

Of course, that's the virtue of a public key encryption system: you can
distribute the public keys freely, like on a CD-ROM (or even on TV! :-),
and it doesn't matter. This isn't a valid criticism. Ask sci.crypt how
exponential key exchange works.

> For another, the actual file data being read or written is not
> encrypted. It still gets passed in cleartext.

This wasn't the problem originally being discussed, it was the ease of
spoofing servers. Providing confidentiality is hard because of the US
export controls on encryption technology. I can't think of ANY widely
used network system that's secure against eavesdroppers. The market in
this area has been restrained.

> Finally, the so-called
> secure NFS requires DES hardware to work at reasonable speed. This
> makes it almost unusable outside the USA ...

Speed wasn't the point ... but I'm not sure I'd agree, either. A few
years ago, I set up a bunch of 2 MIPS machines to use Secure NFS using
an exportable OS release and no DES hardware. They were slower, but
quite usable. (I know, "reasonable" is subjective! Let's say I just
took slightly longer coffee breaks after typing "make".)

> ... Uncle Sam doesn't
> want the rest of the world to have access to DES hardware.

.... or DES software for that matter. If you're a US citizen and care
about this, write your congress(wo)men about this one. There's a chance
that some of this stuff can change over the next few years: there are
going to be some hearings later this year (Senate Judiciary?) about
privacy and technology. Encourage Congress to move this stuff off the
munitions list!

- Dave

#include
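
Editor's added example, not part of the original post and not Sun's code: a toy exponential (Diffie-Hellman) key exchange in which both public values sit in a world-readable directory, as the post describes. The modulus, generator, the directory dict and all function names are assumptions made for illustration; the last step shows that a reader of the directory learns nothing it can use, while a replaced entry produces a different key, so the directory needs integrity rather than secrecy.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example: 2**127 - 1 is a Mersenne
# prime, far too small for real use. Real systems use larger, vetted groups.
P = 2**127 - 1
G = 3


def keypair():
    """Return (secret exponent, public value G^secret mod P)."""
    secret = secrets.randbelow(P - 3) + 2          # in [2, P-2]
    return secret, pow(G, secret, P)


def shared_key(my_secret, peer_public):
    """Derive the common key: peer_public^my_secret mod P, hashed to 16 bytes."""
    if not 1 < peer_public < P - 1:                # reject degenerate values
        raise ValueError("peer public value out of range")
    z = pow(peer_public, my_secret, P)
    return hashlib.sha256(z.to_bytes(16, "big")).digest()[:16]


def demo():
    """Run one exchange through a public directory; return the derived keys."""
    client_secret, client_public = keypair()
    server_secret, server_public = keypair()

    # Hypothetical world-readable directory: only public values are published.
    directory = {"client": client_public, "server": server_public}

    # Each side combines its own secret with the other's published value.
    k_client = shared_key(client_secret, directory["server"])
    k_server = shared_key(server_secret, directory["client"])

    # Same lookup after the server's entry was replaced with another value:
    # the client derives a key the real server does not hold.
    _, other_public = keypair()
    tampered = dict(directory, server=other_public)
    k_wrong = shared_key(client_secret, tampered["server"])
    return k_client, k_server, k_wrong


if __name__ == "__main__":
    kc, ks, kw = demo()
    print("keys agree:", kc == ks, "| tampered entry agrees:", kw == kc)
```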