I'm wondering if I actually need KEYRING_SEARCH_DO_STATE_CHECK and KEYRING_SEARCH_NO_STATE_CHECK as separate flags rather than just states of the same flag. The most important distinction is in search_nested_keyrings() where I turn on DO_STATE_CHECK specifically for potential matches on the root keyring. However, NO_STATE_CHECK is only used for two special searches: possession determination and cycle detection. Neither of these use keyring_search_iterator() as the iteration function, so neither actually takes any notice of DO_STATE_CHECK. Everything else currently uses - or should use - DO_STATE_CHECK, including key_get_instantiation_authkey(). David -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html