questions regarding master key enctype migration
Will Fiveash
William.Fiveash at sun.com
Tue Mar 11 19:50:39 EDT 2008
On Tue, Mar 11, 2008 at 07:09:01PM -0400, Tom Yu wrote:
> Will Fiveash <William.Fiveash at sun.com> writes:
>
> > Also, he states that KRB5_TL_MKEY_AUX will store two lists of mkeys:
> >
> > 1. The old mkey list
> >
> > All non-current mkeys (encrypted with the current mkey) which are
> > still needed to decrypt princ records that are not encrypted by
> > the current mkey.
>
> Why can't this be in the normal keydata entries? We allow for
> multiple kvnos worth of keys in the keydata entries for a principal
> for things such as TGT key rollover.
So you're suggesting a refinement in that the K/M princ secretkey
keydata would include the current mkey and all the old ones encrypted
with the current mkey and the KRB5_TL_MKEY_AUX would just store the set
of current mkeys each encrypted by a different old mkey?
--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
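A constructed model of the layout Will's question describes, added here as an example that is not from the thread or from MIT krb5: the K/M principal's keydata holds every mkey kvno wrapped under the current mkey, and a separate KRB5_TL_MKEY_AUX-style list holds the current mkey wrapped under each old mkey. The toy cipher and the class and method names are placeholders for illustration only; a real KDB uses a Kerberos enctype.

```python
import hashlib


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    # Constructed stand-in for a Kerberos enctype (XOR with a hash-derived
    # keystream). It is NOT real cryptography; it only makes the key
    # dependencies between the two lists visible.
    blocks = len(data) // 32 + 1
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))


toy_decrypt = toy_encrypt  # XOR keystream: same operation both ways


class MasterKeyStore:
    """Model of the refined K/M record: keydata = {kvno: mkey wrapped by
    current mkey} (the current mkey wraps itself), mkey_aux = {old kvno:
    current mkey wrapped by that old mkey}."""

    def __init__(self, kvno: int, mkey: bytes):
        self.current_kvno = kvno
        self.keydata = {kvno: toy_encrypt(mkey, mkey)}
        self.mkey_aux = {}

    def add_mkey(self, cur_mkey: bytes, new_kvno: int, new_mkey: bytes):
        # Unwrap every stored mkey with the outgoing current mkey, then
        # re-wrap the whole set (plus the new key) under the new mkey.
        plain = {k: toy_decrypt(cur_mkey, v) for k, v in self.keydata.items()}
        plain[new_kvno] = new_mkey
        self.keydata = {k: toy_encrypt(new_mkey, v) for k, v in plain.items()}
        # MKEY_AUX: the new current mkey, once per old mkey, so a KDC whose
        # stash still holds an old mkey can recover the current one.
        self.mkey_aux = {k: toy_encrypt(v, new_mkey)
                         for k, v in plain.items() if k != new_kvno}
        self.current_kvno = new_kvno

    def mkey_for(self, cur_mkey: bytes, kvno: int) -> bytes:
        # Recover any old mkey: needed to read princ records not yet
        # re-encrypted under the current mkey.
        return toy_decrypt(cur_mkey, self.keydata[kvno])

    def current_from_old(self, old_kvno: int, old_mkey: bytes) -> bytes:
        return toy_decrypt(old_mkey, self.mkey_aux[old_kvno])
```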