It would be really nice to have good RPCSEC/GSS support in NFS.
The NFSv4 team at the University of Michigan are working on this and have made substantial progress.
I am particularly looking forward to having LIPKEY support as it does not require all the infrastructure of Kerberos.
To help with phase-in of LIPKEY at a site, it might be good to be able to enforce crypto-security for some users, but allow others to still access their files using AUTH_UNIX.
Possibly the best way to do this is to support UID mapping in AUTH_UNIX. The remote UID gets mapped to some local user based on a mapping provided by user-space. This would allow arbitrary mappings to be accomplished, including mapping certain users to NOBODY.
So, apart from ongoing RPCSEC/GSS development, a service for mapping UID to UID/GIDLIST for AUTH_UNIX would be good. Do we want to map the other way for STAT results? I wouldn't want it but it does seem to make sense. This would need to map both UID and GID to an alternate number. It could then be used for reverse-root-squash support (so files owned by joe-user can look like they are owned by root to the client).
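The mapping proposed above, sketched as an added example (not code from nfsd or from this page): the forward map turns a remote AUTH_UNIX UID into a local UID/GIDLIST, and the reverse map rewrites the owner UID in STAT results only (GID reverse mapping is left out). The type and function names, the table contents and the NOBODY value of 65534 are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

#define NOBODY   65534u  /* assumed nobody/nogroup id */
#define MAX_GIDS 16

/* Identity the server acts with after mapping (hypothetical type). */
struct cred { uint32_t uid; uint32_t gids[MAX_GIDS]; size_t ngids; };

/* One rule supplied by user-space: remote AUTH_UNIX uid -> local identity. */
struct map_rule { uint32_t remote_uid; struct cred local; };

/* Constructed sample table. uid 1001 has moved to LIPKEY, so its AUTH_UNIX
 * requests are squashed; uid 1002 is still served as itself; client uid 0
 * acts as local joe-user (uid 1003), the reverse-root-squash case. */
static const struct map_rule rules[] = {
    { 1001, { NOBODY, { NOBODY },   1 } },
    { 1002, { 1002,   { 100, 200 }, 2 } },
    { 0,    { 1003,   { 100 },      1 } },
};
#define NRULES (sizeof rules / sizeof rules[0])

/* Forward map for an incoming AUTH_UNIX call. The gid list asserted by the
 * client is never consulted: the result comes only from the table, and a
 * uid with no rule becomes NOBODY (assumed default). */
struct cred map_auth_unix(uint32_t remote_uid)
{
    struct cred nobody = { NOBODY, { NOBODY }, 1 };
    for (size_t i = 0; i < NRULES; i++)
        if (rules[i].remote_uid == remote_uid)
            return rules[i].local;
    return nobody;
}

/* Reverse map for STAT results: an owner is shown as the remote uid that
 * maps to it. Squash rules are skipped so files owned by NOBODY are not
 * attributed to a squashed user; unmapped owners pass through (assumed). */
uint32_t unmap_owner(uint32_t local_uid)
{
    for (size_t i = 0; i < NRULES; i++)
        if (local_uid != NOBODY && rules[i].local.uid == local_uid)
            return rules[i].remote_uid;
    return local_uid;
}
```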