Deriving keys
Sam Hartman
hartmans at MIT.EDU
Fri Feb 17 14:52:00 EST 2006

Unfortunately, expanding the lucid context and making krb5_derive_key
public both seem unacceptable.

The reason is the same. The representation of a derived key in RFC
3961 is crypto system specific. For some crypto systems you might
just store a key schedule in some very implementation specific form.
There's no reason to believe that all crypto systems will even call or
support krb5_derive_key.

I think that you really do need a fairly full RFC 3961 implementation
in the kernel if you hope to avoid significant implementation
dependence.

--Sam