On Mon, 2010-09-20 at 16:11 -0400, Tom Yu wrote: > * delete all old kvnos > * delete one specific kvno > * something else It may also be useful to be able to remove one or more key:salt types from an existing kvno. For example, a site which is migrating away from DES might want to (at some point in the process) remove all DES keys without force-changing all passwords.