Proposed new services
From UGCS
- VPN: ITS requires a stupid, proprietary, buggy, insecure, third-party-patch-requiring Cisco client. Also, you have to sign up for it separately from your ITS account, and it's slow and problem-ridden. It would be nice to support vpnc and/or OpenVPN over a secure connection. This could also encourage wider adoption of UGCS.
- IP over DNS: It would be neat to offer IP/VPN over DNS for people stranded in airports, etc. The basic premise is that those pay-for-intertubes services don't generally restrict traffic over the DNS port. In fact, most simply ignore the port, leaving it wide open, so you could simply VPN through the port without any additional layering and it would work in many cases. Maybe write a quick little client and give instructions to people so it's mostly L-user proof. I'm aware the connection would be /very/ slow, but it should be enough to ping your email or for light web browsing. (We'd use VPN for auth.) I'd want to offer two levels of tunneling:
  - just connect through that port, no further tunneling
  - tunnel all traffic through validly formed DNS packets in a "slow, more likely to work" mode
- Strongly integrate single sign-on with other undergraduate organizations. There's no reason why clubs should be writing their own auth code if they don't want to. Make it easy and quick for other clubs' sysadmins to use our system for auth (it should be quite easy, esp. for password-protecting webpages, if you have the Apache Kerberos module and .htaccess). The most crucial of these is, imho, Donut. We need to promote this service, and as virtually everyone will want a Donut account it would be great to make it "if you have Donut you have UGCS" and vice versa.
- Integrate PGP with accounts. I envision it working like this: when you create a new account, you have three PGP options: upload your public key, have the server create a PGP keypair for you to download, or proceed without PGP. We don't want to force people to get PGP, as it would be a burden, weaken the web of trust, etc., but we should advertise the benefits and make it very easy (in particular, the benefits of getting it NOW, 'cause then Caltech is a node in the worldwide web of trust, giving you a good position if you ever want to validate/be validated in the future). Additionally, we should create a UGCS signing key and use it to sign people's keys. We could even have a check box, "look me up in person to validate fingerprints", or invite them down to UGCS, or just do it based on the trust that if they control the ITS account and are creating an account in the first place they really are the person. In any case, it would be a good idea to do this.
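
For the single sign-on item above, an added illustration (not UGCS's own configuration) of what a club sysadmin's `.htaccess` could look like with the `mod_auth_kerb` Apache module. The realm, keytab path and `AuthName` text are placeholders, and the server is assumed to allow `AllowOverride AuthConfig` and to hold an `HTTP/` service principal in its keytab.

```apache
# .htaccess protecting a club's members-only directory (illustrative values).

# Refuse plain HTTP: with KrbMethodK5Passwd the browser sends the
# password as Basic auth, so it must only ever travel over TLS.
SSLRequireSSL

AuthType Kerberos
AuthName "Club members (UGCS login)"

# Placeholder realm; use the realm the accounts actually live in.
KrbAuthRealms EXAMPLE.REALM

# Keytab holding the web server's HTTP/<hostname> service principal.
# Placeholder path; it should be readable by the web server user only.
Krb5Keytab /etc/apache2/http.keytab
KrbServiceName HTTP

# Ticket-based login for browsers that already hold a Kerberos ticket.
KrbMethodNegotiate On

# Fallback: username/password prompt that is checked against the KDC.
KrbMethodK5Passwd On

# Verify the KDC's reply against the keytab so that a spoofed KDC
# cannot vouch for a password.
KrbVerifyKDC On

# Any authenticated principal in the realm gets in; list specific
# users instead to narrow access.
Require valid-user
```

With this in place the club keeps no password database of its own; the keytab is the only secret stored on its server.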