Self-certifying File System
In computing, Self-certifying File System (SFS) is a global and decentralized, distributed file system for Unix-like operating systems, while also providing transparent encryption of communications as well as authentication. It aims to be the universal distributed file system by providing uniform access to any available server, however, the usefulness of SFS is limited by the low deployment of SFS clients. It was developed in the June 2000 doctoral thesis of David Mazières.
The SFS client daemon implements the Sun's Network File System (NFS) protocol for communicating with the operating system, and thus can work on any operating system that supports NFS, including Windows. The client manages connections to remote file systems as necessary, acting as a kind of protocol translation layer. The SFS server works similarly to other distributed file system servers, by exposing an existing disk file system over the network, over the specific SFS protocol. On Unix-like systems, SFS file systems can usually be found at /sfs/hostname:hostID. When an SFS file system is first accessed through this path, a connection to the server is made and the directory is created ("automounted").
The primary motivation behind the file system is to address the shortcomings of hardwired, administratively configured distributed file systems in larger organizations, and various remote file transfer protocols. It is designed to operate securely between separate administrative realms. For example, with SFS, one could store all their files on a single remote server, and access the same files securely and transparently from any location as if they were stored locally, without any special privileges or administrative cooperation (other than running the SFS client daemon). Available file systems will be found at the same path regardless of physical location, and are implicitly authenticated by their path names — as they include the public-key fingerprint of the server (hence why it is called "self-certifying").
In addition to the new perspective, SFS also addresses some commonly raised limitations of other distributed file systems. For example, NFS and SMB clients have to rely on the server for file system security policies, and NFS servers have to rely on the client computer for authentication. This often complicates security, as one compromised computer could breach the security of the entire organization. The NFS and SMB protocols also do not by themselves provide confidentiality (encryption) or tamper resistance from other computers on the network, without encapsulation layers such as IPsec.
- David Euresti (August 2002). "Self-Certifying File System Implementation for Windows" (POSTSCRIPT). MIT. Retrieved 2006-12-23.
- David Mazières, M. Frans Kaashoek (September 1998). Escaping the Evils of Centralized Control with self-certifying pathnames (POSTSCRIPT). Proceedings of the 8th ACM SIGOPS European workshop: Support for composing distributed applications. Sintra, Portugal: MIT. Retrieved 2006-12-23.