> I am a bit concerned about letting anyone with expired tokens access things as System:AnyUser. As System:AnyUser means tokenless connections to the server, I may miss when my tokens expired, and unexpectedly lose the guarantee of server authenticity. I have the guarantee while I am using authenticated access (at least as long as nobody else fetches the objects before I do). Given that we are using xor, this is a bit iffy now, but I understand the desire to separate architecture from crypto modules.

Here, your concern seems to be that the client can be sure that the bits in the file, and the metadata, have been authenticated by the server. To really do this, you'd have to keep track of for which user a file was authenticated, since one user can't know that another's key isn't compromised. One could use the SHA-1 hashes to avoid refetching the file, if the issue is just authenticity.

FWIW, I use IPsec from clients to server, partly for this, but mostly to get real confidentiality.

-- 
Greg Troxel <gdt_at_ir.bbn.com>

Received on 2005-03-11 09:17:45