[Kdc-info] prelim draft of kdc information model

Ken Raeburn raeburn at MIT.EDU
Mon Jul 21 12:17:55 EDT 2003


Sam Hartman <hartmans at MIT.EDU> writes:

>     Jeffrey> Yes, you probably do.  This saves the user or
>     Jeffrey> administrator from having to explicitly specify a list of
>     Jeffrey> enctypes each time the password is changed.  This is
>     Jeffrey> particularly important with regard to service principals,
>     Jeffrey> where the set of enctypes for which there are keys in the
>     Jeffrey> KDC must match that supported by the server software.
>
> I'd actually argue that it is particularly unimportant for server
> software, where in an ideal world the application server's library
> will rekey to only those keys it supports, guaranteeing this match.

I don't see any point in perpetuating the overloading we do in the MIT
database where the set of service key enctypes also describes the
encryption types supported by the application server software.  Given
that, in many cases I suspect there's no need for the service to have
more than one key and enctype.  Obviously, that enctype must be one
supported by the software, but there doesn't have to be a key for each
supported enctype.

Ken
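The distinction Ken draws (service keys on the one hand, the enctypes the application server software supports on the other) is easiest to see in a small model of session-key selection. The following is an added example written for this page, not code from the kdc-info thread or from the MIT KDC; the function names, the sample principal data and the "declared support" attribute are constructed for illustration. It compares the overloaded model, where the set of enctypes a service holds keys for doubles as its supported set, with a model that records supported enctypes separately, and shows that a service holding a single key still gets a usable ticket either way.

```python
"""Toy model of KDC enctype selection for a service ticket.

Added example, not code from the kdc-info thread or the MIT KDC. Enctype
numbers are the IANA/RFC 3961, 3962 and 4757 assignments; everything else
(service records, the 'declared support' attribute) is constructed here.
"""

# Standard Kerberos enctype numbers.
DES_CBC_CRC = 1
DES3_CBC_SHA1 = 16
AES128_CTS_HMAC_SHA1_96 = 17
AES256_CTS_HMAC_SHA1_96 = 18
RC4_HMAC = 23


def select_session_enctype(client_etypes, kdc_permitted, server_supported):
    """Pick the session-key enctype for a service ticket.

    The client's list is in its preference order; the first entry that the
    KDC permits and the server supports wins. None models the KDC answering
    KDC_ERR_ETYPE_NOSUPP because no common enctype exists.
    """
    for etype in client_etypes:
        if etype in kdc_permitted and etype in server_supported:
            return etype
    return None


def select_service_key(service_keys):
    """Pick the key that encrypts the ticket itself.

    Only the service decrypts this part, so the client's preferences do not
    constrain it: any one key the service holds will do, and a KDC normally
    uses the newest (highest kvno). This is why a service does not need a
    key in every enctype its software supports.
    """
    return max(service_keys, key=lambda k: k["kvno"])


def overloaded_support(service_keys):
    """Overloaded model: the enctypes of the stored keys are taken to be the
    enctypes the application server software supports."""
    return {k["enctype"] for k in service_keys}


def compare_models(client_etypes, kdc_permitted, service_keys, declared_support):
    """Run both models against the same request and return their choices."""
    return {
        "session_overloaded": select_session_enctype(
            client_etypes, kdc_permitted, overloaded_support(service_keys)),
        "session_separated": select_session_enctype(
            client_etypes, kdc_permitted, declared_support),
        "ticket_key_kvno": select_service_key(service_keys)["kvno"],
        "ticket_key_enctype": select_service_key(service_keys)["enctype"],
    }


# Constructed sample data: a service principal with a single AES-256 key,
# whose software nevertheless supports three enctypes.
SERVICE_KEYS = [
    {"kvno": 2, "enctype": DES3_CBC_SHA1},
    {"kvno": 3, "enctype": AES256_CTS_HMAC_SHA1_96},
]
DECLARED_SUPPORT = {AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96, DES3_CBC_SHA1}
KDC_PERMITTED = {AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96, DES3_CBC_SHA1, RC4_HMAC}


def scenario_aes128_preferred():
    """Client prefers AES-128, then AES-256."""
    return compare_models([AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96],
                          KDC_PERMITTED, SERVICE_KEYS, DECLARED_SUPPORT)


def scenario_no_common_enctype():
    """Client offers only enctypes the service software does not support."""
    return compare_models([DES_CBC_CRC, RC4_HMAC],
                          KDC_PERMITTED, SERVICE_KEYS, DECLARED_SUPPORT)


if __name__ == "__main__":
    print(scenario_aes128_preferred())
    print(scenario_no_common_enctype())
```

In the first scenario the overloaded model cannot hand out an AES-128 session key because the service has no AES-128 key, even though its software supports that enctype; the separated model can. In both models the ticket is encrypted under the same single AES-256 key, which is the point Ken makes: the ticket key enctype must be one the server supports, but there need not be a key per supported enctype. The second scenario shows the failure mode both models share: with no enctype in common, the KDC has nothing to offer and must refuse.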

