Coda File System

Re: Coda-client-setup 0.5 released

From: Ivan Popov <pin_at_medic.chalmers.se>
Date: Fri, 11 Mar 2005 15:47:34 +0100
Hello Greg.

On Fri, Mar 11, 2005 at 09:16:16AM -0500, Greg Troxel wrote:
> Here, your concern seems to be that the client can be sure that the
> bits in the file, and the metadata, have been authenticated by the

Exactly.

> server.  To really do this, you'd have to keep track of for which user
> a file was authenticated, since one user can't know that another's key
> isn't compromised.

> One could use the SHA-1 hashes to avoid refetching the file, if the
> issue is just authenticity.

Very good points!

Essentially venus should not let a user access a cached
object unless it has verified the hash over this user's connection.

As Venus already does token verification and access rights caching,
it should be a rather trivial change. (Jan, wouldn't it?)
If we explicitly disallow application of System:Anyuser rights
when a uid does not have cached access rights, it will be safe.

If we'd implement another change I was pleading for
(e.g. http://www.coda.cs.cmu.edu/maillists/codalist/codalist-2004/6811.html)
to avoid expiration of the cached rights at token expiry,
then it will be convenient as well as safe!

> FWIW, I use IPsec from clients to server, partly for this, but mostly
> to get real confidentiality.

I want to be able to walk to any reasonably maintained computer,
whose administrator ran "coda-client-setup" once, use Coda and feel safe.
It is perfectly possible, isn't it?

For the moment IPsec may be the only option, but I don't think it is feasible
to expect IPsec being set up in a proper way everywhere.
And I would like to avoid it myself.

Best regards,
--
Ivan
Received on 2005-03-11 09:49:08
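A small model of the per-user verification Ivan proposes in the message above, added here as an example; it is not part of the original thread nor of Coda's own Venus code. The Server and Venus classes, the fids, uids and tokens are constructed stand-ins: a cached object is readable by a uid only once its SHA-1 has been confirmed over that uid's own authenticated connection, and a uid without cached rights gets no System:AnyUser fallback.

```python
import hashlib

class Server:
    """Stand-in for a Coda server (constructed for this example)."""
    def __init__(self, objects: dict, tokens: dict):
        self.objects = objects  # fid -> authoritative bytes
        self.tokens = tokens    # uid -> currently valid token

    def object_sha1(self, fid: str, uid: str, token):
        # Hash is served only over a connection authenticated for uid; None = not authenticated.
        if token is None or self.tokens.get(uid) != token:
            return None
        return hashlib.sha1(self.objects[fid]).hexdigest()

class Venus:
    """Client cache: a uid may read a cached object only after its hash has
    been confirmed over that uid's own authenticated connection."""
    def __init__(self, server: Server):
        self.server = server
        self.cache = {}  # fid -> {"data": bytes, "verified_by": set of uids}

    def install(self, fid: str, data: bytes, uid: str):
        # Bits fetched over uid's connection are trusted only as far as uid's
        # key is: they count as verified for uid alone, not for other users.
        self.cache[fid] = {"data": data, "verified_by": {uid}}

    def access(self, fid: str, uid: str, token):
        obj = self.cache[fid]
        if uid in obj["verified_by"]:
            return "ok", obj["data"]
        expected = self.server.object_sha1(fid, uid, token)
        if expected is None:
            # No cached rights and no way to verify: no System:AnyUser fallback.
            return "no-rights", None
        if hashlib.sha1(obj["data"]).hexdigest() != expected:
            del self.cache[fid]  # stale or tampered copy: force a refetch
            return "hash-mismatch", None
        obj["verified_by"].add(uid)  # now verified over uid's own connection
        return "ok", obj["data"]

# Constructed sample: one server object, two users with valid tokens, one without.
SERVER = Server({"fid-1": b"hello coda"}, {"alice": "tok-a", "bob": "tok-b"})

def scenario(cached_bytes: bytes) -> dict:
    # Alice installs cached_bytes; Carol (no token) and then Bob try to read it.
    venus = Venus(SERVER)
    venus.install("fid-1", cached_bytes, "alice")
    return {"alice": venus.access("fid-1", "alice", "tok-a")[0],
            "carol": venus.access("fid-1", "carol", None)[0],
            "bob": venus.access("fid-1", "bob", "tok-b")[0]}
```

Running `scenario(b"hello c0da")` models bits delivered over a compromised connection: Alice cannot tell, Carol is refused for lack of rights, and Bob's re-verification over his own connection catches the mismatch and evicts the copy.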