[krbdev.mit.edu #7532] still not ready for kvnos over 255
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Sat Mar 7 17:48:17 EST 2015
I created a project page describing key version limitations in more
detail:
http://k5wiki.kerberos.org/wiki/Projects/Larger_key_versions
In addition to the kadmin concern, there are also 16-bit limitations on
the KDC side. The proposed changes could risk making our behavior
worse at 16-bit wraparound than it is currently. Perhaps this isn't
worth worrying about; if you rotate a key once per day, you won't hit
version 32767 until almost 90 years have elapsed. Regardless, some
possible approaches are detailed there.