alfs authentication protocol: requirements

pak_lfs at pak_lfs at
Mon Nov 28 05:37:28 PST 2005

My requirements from the alfs authentication protocol, please comment.

1. At all times, the client must be sure that they are talking to a specific
server and not another random machine which just looks like this server and
seems to have the same ip/hostname. (Identification).

2. At all times, the server must be sure that both it is talking to its *one 
and only* client *and* that behind this client is its *one and only* 
administrator (authorization). In particular, given that whoever manages to 
impersonate the client/admin combination gets in effect unlimited privileges 
on *all* the servers, this must be *much* harder to accomplish than 
impersonating the server.

3. For this protocol to be convenient enough for its typical use case (one 
client multiple servers), there must be a *single* authentication token 
authenticating the client to all server. I.e., the admin should not be forced 
to supply a different password for each server. More generally, the amount of 
authentication resources (passwords, keys, certificates, whatever) per 
machine must be kept to a bare minimum.

4. The protocol must be largely based on existing solutions as much as 
possible, in order to be implementable. We don't want to reinvent TLS, as I 
don't think we would improve it. On the other hand, we want to keep the 
number of external dependencies as small as possible (most probably, at most 

5. Some users, in some cases may use this protocol over slow lines (e.g., It 
happens several times that I would have to do administration work on the lab 
machines(alfs servers), from my laptop at home, through a lousy 56k (god help 
if its even 56k!) dialup. So, reducing latency and keeping roundrips to a 
minimum is a *good thing*, though I realise that this requirement has the 
lowest priority.


____________________________________________________________________ - δωρεάν υπηρεσία ηλεκτρονικού ταχυδρομείου. - free email service for the Greek-speaking.

More information about the alfs-discuss mailing list