questions regarding master key enctype migration

Tom Yu tlyu at MIT.EDU
Tue Mar 11 19:09:01 EDT 2008

Will Fiveash <William.Fiveash at> writes:

> Also, he states that KRB5_TL_MKEY_AUX will store two lists of mkeys:
>     1. The old mkey list
>        All non-current mkeys (encrypted with the current mkey) which are
>        still needed to decrypt princ records that are not encrypted by
>        the current mkey.

Why can't this be in the normal keydata entries?  We allow for
multiple kvnos worth of keys in the keydata entries for a principal
for things such as TGT key rollover.
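To make the alternative Tom is asking about concrete, here is a small added model (not krb5 code, and not the real KDB layout): each keydata entry carries the master key version (mkvno) it was wrapped under, the KDC keeps a ring of master key versions, and old master keys are looked up by version when a principal record has not yet been re-encrypted. The `mkvno` tag on each entry, the key ring, and the XOR-with-keystream "wrap" standing in for a real enctype are all assumptions made for the illustration.

```python
"""Toy model of master key (mkey) versioning in a KDC database.

Constructed for illustration only; not krb5 code. It assumes each keydata
entry records the master key version (mkvno) it was wrapped under, so old
master keys are found by version rather than in a separate auxiliary list.
"""
import hashlib
from dataclasses import dataclass, field


def _keystream(key: bytes, nbytes: int) -> bytes:
    """SHA-256 in counter mode; a toy keystream, not a real enctype."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:nbytes]


def wrap(mkey: bytes, data: bytes) -> bytes:
    """XOR `data` with a keystream from `mkey`; symmetric, so it also unwraps."""
    return bytes(a ^ b for a, b in zip(data, _keystream(mkey, len(data))))


@dataclass
class KeyData:
    kvno: int            # principal key version
    enctype: str
    mkvno: int           # master key version this entry is wrapped under
    wrapped_key: bytes   # principal key encrypted under master key `mkvno`


@dataclass
class MasterKeyRing:
    """Master key versions the KDC can still use, plus which one is current."""
    current_mkvno: int
    keys: dict = field(default_factory=dict)   # mkvno -> raw master key

    def rotate(self, new_mkey: bytes) -> int:
        """Install a new current master key; older versions stay available."""
        self.current_mkvno += 1
        self.keys[self.current_mkvno] = new_mkey
        return self.current_mkvno

    def retire(self, mkvno: int) -> None:
        """Forget an old master key; only safe once nothing is wrapped under it."""
        if mkvno == self.current_mkvno:
            raise ValueError("cannot retire the current master key")
        del self.keys[mkvno]


@dataclass
class Principal:
    name: str
    keydata: list = field(default_factory=list)


def add_key(princ: Principal, ring: MasterKeyRing, kvno: int,
            enctype: str, key: bytes) -> KeyData:
    """Store a new principal key, wrapped under the current master key."""
    entry = KeyData(kvno, enctype, ring.current_mkvno,
                    wrap(ring.keys[ring.current_mkvno], key))
    princ.keydata.append(entry)
    return entry


def decrypt_key(princ: Principal, ring: MasterKeyRing, kvno: int = None) -> bytes:
    """Unwrap the key at `kvno` (highest kvno if None) with the master key
    version the entry records; fails if that version has been retired."""
    candidates = [e for e in princ.keydata if kvno is None or e.kvno == kvno]
    if not candidates:
        raise KeyError(f"{princ.name}: no key with kvno {kvno}")
    entry = max(candidates, key=lambda e: e.kvno)
    if entry.mkvno not in ring.keys:
        raise KeyError(f"{princ.name}: master key version {entry.mkvno} unavailable")
    return wrap(ring.keys[entry.mkvno], entry.wrapped_key)


def reencrypt(princ: Principal, ring: MasterKeyRing) -> int:
    """Rewrap every entry under the current master key; returns entries changed."""
    changed = 0
    for e in princ.keydata:
        if e.mkvno != ring.current_mkvno:
            plain = wrap(ring.keys[e.mkvno], e.wrapped_key)
            e.wrapped_key = wrap(ring.keys[ring.current_mkvno], plain)
            e.mkvno = ring.current_mkvno
            changed += 1
    return changed


def stale_mkvnos(princ: Principal, ring: MasterKeyRing) -> set:
    """Non-current master key versions this principal still depends on."""
    return {e.mkvno for e in princ.keydata if e.mkvno != ring.current_mkvno}


if __name__ == "__main__":
    ring = MasterKeyRing(current_mkvno=1, keys={1: b"old-master-key-1"})
    tgt = Principal("krbtgt/EXAMPLE.COM@EXAMPLE.COM")   # constructed sample
    add_key(tgt, ring, 1, "aes256-cts", b"\x01" * 32)
    ring.rotate(b"new-master-key-2")
    add_key(tgt, ring, 2, "aes256-cts", b"\x02" * 32)
    print("still needs mkvno", stale_mkvnos(tgt, ring))
    print("rewrapped", reencrypt(tgt, ring), "entries;", stale_mkvnos(tgt, ring))
```

The point of `stale_mkvnos` is that the set of old master keys the KDC must keep is derivable from the keydata entries themselves; once `reencrypt` has run over every principal, `retire` can drop a version without consulting a separate list.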
