questions regarding master key enctype migration
Tom Yu
tlyu at MIT.EDU
Tue Mar 11 19:09:01 EDT 2008
Will Fiveash <William.Fiveash at sun.com> writes:
> Also, he states that KRB5_TL_MKEY_AUX will store two lists of mkeys:
>
> 1. The old mkey list
>
> All non-current mkeys (encrypted with the current mkey) which are
> still needed to decrypt princ records that are not encrypted by
> the current mkey.
Why can't this be in the normal keydata entries? We allow for
multiple kvnos worth of keys in the keydata entries for a principal
for things such as TGT key rollover.
---Tom