deletion of old keys

Lara Adianto m1r4cle_26 at
Thu Jun 3 23:59:57 EDT 2004

Hi Ken,

Thank you for the reply. 
What do you mean by a compromised key here?
In the case where the principal has obtained a TGT
from the KDC, then the KDC's password is changed, if
the old key is not retained, then the TGS-REQ will be
rejected since the KDC can't decrypt the TGT, am I
right?
What's the principal supposed to do in this case?
Send an AS-REQ?


--- Ken Raeburn <raeburn at MIT.EDU> wrote:
> Actually, if old keys aren't retained, the KDC cannot renew application
> service tickets issued before the service keys changed.  Which may be
> desirable, if the reason for change is a compromised key, or maybe not,
> if the reason for change is a policy demanding a key change every so
> often.
> Ken

Life, you see, is never as good or as bad as one thinks
    - Guy de Maupassant -
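
A toy model of the situation discussed in this thread, added here as an illustration; it is not part of either message and is not MIT Kerberos code. It issues a ticket under one key version, changes the key with or without retaining the old one, then presents the old ticket again. The `Keyring` class, the lookup by key version number, and the SHA-256/HMAC sealing are assumptions standing in for a real KDC database and encryption type.

```python
import hashlib, hmac, os

class StaleKey(Exception):
    """The ticket names a key version the keyring no longer holds."""

def _stream(key, nonce, n):
    # Toy keystream (SHA-256 in counter mode), not a real Kerberos enctype.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

class Keyring:
    """Hypothetical store of one principal's keys, indexed by key version."""
    def __init__(self):
        self.kvno = 1
        self.keys = {1: os.urandom(32)}

    def rotate(self, retain_old):
        self.kvno += 1
        if not retain_old:
            self.keys.clear()              # old keys deleted on change
        self.keys[self.kvno] = os.urandom(32)

    def seal(self, plaintext):
        # Encrypt and authenticate under the current key (same key for both: toy only).
        key, nonce = self.keys[self.kvno], os.urandom(16)
        body = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
        return self.kvno, nonce, body, hmac.new(key, nonce + body, hashlib.sha256).digest()

    def open(self, ticket):
        kvno, nonce, body, tag = ticket
        if kvno not in self.keys:
            raise StaleKey(f"no key for version {kvno}")
        key = self.keys[kvno]
        if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
            raise ValueError("integrity check failed")
        return bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))

def present_old_ticket(retain_old):
    """Issue a ticket, change the key, then present the old ticket again."""
    krbtgt = Keyring()
    tgt = krbtgt.seal(b"client=example;session-key=constructed")  # constructed sample
    krbtgt.rotate(retain_old)
    try:
        krbtgt.open(tgt)
        return "accepted"
    except StaleKey:
        return "rejected"
```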


More information about the Kerberos mailing list