Hi Greg,

On Fri, Apr 06, 2007 at 10:33:57AM -0400, Greg Troxel wrote:
> As a user I'd like 'cfs cs' to use my authenticated connection, because
> that verifies that the connection I want to use for data works.  Sort of
> like ping over IPsec.

+1 (i.e. agreed)

> Once a user does clog to a realm, then that uid/realm should marked as
> authenticated access only.  This means per uid bookkeeping on data that

Possibly "authenticated stuff only" should be the initial state, resettable
as you suggest below.

In contrast to the web, authenticated operation is natural to Coda
and the need for unauthenticated one will be limited,
due to availability of anonymous tokens via public-key means.

[Of course, pursuing secure operation without user intervention
we will face the usual problems of the PKI. Each user will have
to possess a keyring, but it will be in any case
not worse than it is with the web browsers now.
There might be also a keyring-per-client with some certificates,
but it should be the user who decides which certificates
or public keys are to be trusted, not the client administrator.]

> it was authenticated.  On cunlog, unauthenticated access could be
> allowed, although we should perhaps split
> 
>   a) get rid of my tokens on this machine
> 
>   b) (a) and flush the cache of all my data
> 
>   c) i want to use unauthenticated access
> 
> So perhaps a 'cfs unauth realm' to remove the 'uid/realm needs auth'
> status.

A good point.

Now, dreaming about this world being better than it is:

(b) can be a little tricky and should probably mean
"all objects I but noone else have fetched".

If a file was fetched/verified by someone else as well, then
its removal from the cache should not be governed by your personal decisions,
the other user has "implicitely told" Venus that she wants the file to be
present in the cache.

With other words, purge if
1. the object's user count is exactly 1
2. the object's only user is your uid
otherwise just remove your id's tag and decrement the user count

"the object's users" above is meant to be a set of tags about which uids
agreed upon the contents of the object by talking to the corresponding server
via each uid's own connection (it doesn't matter whether the connection
was authenticated assuming it was the user's choice).

Regards,
Rune