New proposal (Re: Ticket 5338: Race conditions in key rotation)
Nicolas.Williams at sun.com
Wed Jun 25 16:00:24 EDT 2008
I don't oppose the proposed client behavior (fallback to master KDC on
generic TGS errors) provided:
 1) it's optional, defaulting to off,
 2) a) either you produce an update to RFC4120 describing this normatively
    b) you also produce, prior to or concurrently with (1), support for
       two-phase commits of new keys for the krbtgt principals (this is
       also useful for host principals used in clustered systems).
I doubt very much that you could get KRB-WG and IETF consensus on such a
change to RFC4120 anytime soon. Therefore I strongly recommend that you
pursue both: (1) and (2b).
I can help scope out and design (2b), but don't have cycles for coding.
The good news is that (2b) is mostly about making changes in kadm5 code,
with very little impact on krb5kdc, and easy to test.