questions regarding master key enctype migration
tlyu at MIT.EDU
Tue Mar 11 19:09:01 EDT 2008
Will Fiveash <William.Fiveash at sun.com> writes:
> Also, he states that KRB5_TL_MKEY_AUX will store two lists of mkeys:
> 1. The old mkey list
> All non-current mkeys (encrypted with the current mkey) which are
> still needed to decrypt princ records that are not encrypted by
> the current mkey.
Why can't this be in the normal keydata entries? We allow for
multiple kvnos worth of keys in the keydata entries for a principal
for thing such as TGT key rollover.
More information about the krbdev