questions regarding master key enctype migration
Will Fiveash
William.Fiveash at sun.com
Tue Mar 11 19:38:37 EDT 2008
On Tue, Mar 11, 2008 at 05:44:18PM -0500, Will Fiveash wrote:
> After enough time had passed to ensure that the above was completely
> successful and all KDCs were using the same current mkey a new kdb5_util
> command to purge old mkeys from the K/M princ would be then run on a
> master KDC. (Whether this command can determine if a mkey is still
> required to decrypt a princ record in a reasonable amount of time may be
> an issue. Ken, any idea here? Anyway, I'm going to assume it is
> feasible for either a db2 or LDAP KDB.) This updated K/M princ would
I should rephrase my question about purging unneeded mkeys. I'm
wondering if a kdb5_util "purge old mkeys" command can determine if a
mkey is still needed or not in a reasonable amount of time. I'm
assuming that all princ entries would have their mkvno examined to
determine which mkvnos were still in use, and this could take a while
with a large LDAP KDB.
Thoughts?
--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
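The scan the post describes (walk every principal entry, collect the mkvnos still referenced, and only then decide which master keys in the K/M principal can go) can be sketched as a simulation. The following is an added example, not kdb5_util or any MIT Kerberos code; the record layout (`PrincEntry` with a `name` and an `mkvno`) and the function names are assumptions made here. It also shows the one shortcut that bounds the cost on a large KDB: if every non-current mkvno has already been seen in use, the walk can stop early because nothing is purgeable.

```python
# Added example: simulates a "purge old mkeys" decision over a principal DB.
# Illustrative only; not kdb5_util or MIT Kerberos code. Record layout and
# names are assumptions for this example.

from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class PrincEntry:
    name: str
    mkvno: int  # kvno of the master key this entry's keys are encrypted under


def referenced_mkvnos(entries: Iterable[PrincEntry],
                      candidate_mkvnos: Set[int] = frozenset()) -> Set[int]:
    """Single pass over principal entries, collecting every mkvno that is still
    needed to decrypt at least one record. If candidate_mkvnos is given, the
    walk stops as soon as all of them have been seen in use, since at that
    point nothing among the candidates can be purged anyway."""
    seen: Set[int] = set()
    for e in entries:
        seen.add(e.mkvno)
        if candidate_mkvnos and candidate_mkvnos <= seen:
            break  # every purge candidate is referenced; no need to continue
    return seen


def plan_purge(mkey_kvnos: Iterable[int], current_mkvno: int,
               entries: Iterable[PrincEntry]) -> Tuple[List[int], List[int]]:
    """Return (keep, purge) lists of mkvnos.

    The current master key is always kept, as is any mkvno still referenced
    by a principal entry. An entry referencing an mkvno that is not in the
    K/M principal at all is an unrecoverable record, so that is reported as
    an error rather than silently ignored."""
    mkeys = set(mkey_kvnos)
    if current_mkvno not in mkeys:
        raise ValueError(f"current mkvno {current_mkvno} not in K/M principal")
    candidates = mkeys - {current_mkvno}
    in_use = referenced_mkvnos(entries, candidates)
    missing = in_use - mkeys
    if missing:
        raise ValueError(f"entries reference unknown mkvno(s): {sorted(missing)}")
    keep = {current_mkvno} | in_use
    purge = mkeys - keep
    return sorted(keep), sorted(purge)


# Constructed sample KDB: K/M holds mkvnos 1..3 with 3 current; one principal
# was never re-encrypted after the rollover from mkvno 2, so 2 must stay.
SAMPLE_MKEYS = [1, 2, 3]
SAMPLE_CURRENT = 3
SAMPLE_ENTRIES = [
    PrincEntry("alice@EXAMPLE.COM", 3),
    PrincEntry("host/kdc1.example.com@EXAMPLE.COM", 3),
    PrincEntry("legacy/service@EXAMPLE.COM", 2),  # still under mkvno 2
]

if __name__ == "__main__":
    keep, purge = plan_purge(SAMPLE_MKEYS, SAMPLE_CURRENT, SAMPLE_ENTRIES)
    print("keep:", keep, "purge:", purge)
```

The cost is one sequential read of the principal database, which on a large LDAP KDB is exactly the concern raised in the post; the early exit only helps when nothing is purgeable, so the worst case (one stale entry somewhere) still reads every record.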