questions regarding master key enctype migration
Ken Raeburn
raeburn at MIT.EDU
Tue Mar 11 09:03:44 EDT 2008
Oh, my scheme should probably be checked for race conditions... For
example, can we have a key change operation look up the mkvno to use,
then another process update the database to a new mkvno, re-encrypt
the keys (small database?), and remove the old master key, before the
key change operation gets around to storing the newly changed key,
encrypted in a master key we've just deleted?
Perhaps not in db2, if we lock the database for the whole sequence of
mkvno lookup through updated key store, but what about in the LDAP
world?
Ken
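
The interleaving asked about in the message above, as an added example that is not part of the original post or of the krb5 code base: a deterministic toy model in Python that runs the lookup, migrate, store sequence with and without a lock held across the whole key change. Every class, function and value here is hypothetical and constructed; the lock stands in for the whole-sequence db2 locking the message supposes.

```python
# Toy model of a principal database; names are hypothetical, not krb5 APIs.
class ToyDB:
    def __init__(self):
        self.master_keys = {1: "mk1"}             # mkvno -> master key (constructed)
        self.active_mkvno = 1
        self.entries = {"alice": (1, "old-key")}  # principal -> (mkvno, key under it)
        self.locked = False

    def migrate_master_key(self):
        """Add a new mkvno, re-encrypt every entry, remove the old master key."""
        if self.locked:
            return False                          # a real process would block here
        old, new = self.active_mkvno, self.active_mkvno + 1
        self.master_keys[new] = f"mk{new}"
        self.active_mkvno = new
        self.entries = {p: (new, k) for p, (_, k) in self.entries.items()}
        del self.master_keys[old]
        return True

    def undecryptable(self):
        """Principals whose stored key names a master key that no longer exists."""
        return sorted(p for p, (v, _) in self.entries.items()
                      if v not in self.master_keys)


def key_change(db, principal, new_key, hold_lock):
    """Generator that pauses between the mkvno lookup and the store."""
    if hold_lock:
        db.locked = True
    mkvno = db.active_mkvno                       # step 1: look up mkvno to use
    yield                                         # window for another process
    db.entries[principal] = (mkvno, new_key)      # step 2: store under that mkvno
    db.locked = False


def run(hold_lock):
    db = ToyDB()
    op = key_change(db, "alice", "new-key", hold_lock)
    next(op)                                      # key change has read mkvno 1
    migrated = db.migrate_master_key()            # second process tries to migrate
    next(op, None)                                # key change finishes its store
    if not migrated:
        db.migrate_master_key()                   # blocked migration runs afterwards
    return db


if __name__ == "__main__":
    print("no lock  :", run(False).undecryptable())
    print("with lock:", run(True).undecryptable())
```
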