questions regarding master key enctype migration

Will Fiveash William.Fiveash at
Tue Mar 11 19:50:39 EDT 2008

On Tue, Mar 11, 2008 at 07:09:01PM -0400, Tom Yu wrote:
> Will Fiveash <William.Fiveash at> writes:
> > Also, he states that KRB5_TL_MKEY_AUX will store two lists of mkeys:
> >
> >     1. The old mkey list
> >
> >        All non-current mkeys (encrypted with the current mkey) which are
> >        still needed to decrypt princ records that are not encrypted by
> >        the current mkey.
> Why can't this be in the normal keydata entries?  We allow for
> multiple kvnos worth of keys in the keydata entries for a principal
> for things such as TGT key rollover.

So you're suggesting a refinement in that the K/M princ secretkey
keydata would include the current mkey and all the old ones encrypted
with the current mkey and the KRB5_TL_MKEY_AUX would just store the set
of current mkeys each encrypted by a different old mkey?

Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
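The refinement being discussed above, modelled as an added example (this is not code from the thread or from the MIT Kerberos tree): the K/M principal's keydata carries every older master key wrapped under the current one, and a hypothetical KRB5_TL_MKEY_AUX list carries the current master key wrapped under each older one, so a KDC holding any stashed mkey (old or current) can recover the whole set and still decrypt principal records that were never re-encrypted. The `wrap`/`unwrap` routines are a stand-in authenticated wrap built from SHAKE-256 and HMAC-SHA256 rather than a Kerberos enctype, and all key material and principal names are constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

TAG_LEN = 32


def wrap(kek: bytes, plaintext: bytes, label: bytes) -> bytes:
    """Stand-in key wrap (SHAKE-256 keystream XOR, then an HMAC tag).
    Not a Kerberos enctype; it only models 'encrypted with mkey X'."""
    ks = hashlib.shake_256(b"wrap|" + kek + b"|" + label).digest(len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(kek, label + ct, hashlib.sha256).digest()
    return ct + tag


def unwrap(kek: bytes, blob: bytes, label: bytes) -> bytes:
    """Inverse of wrap(); a wrong key or altered blob is rejected, not silently decoded."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(kek, label + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or corrupted blob")
    ks = hashlib.shake_256(b"wrap|" + kek + b"|" + label).digest(len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


@dataclass
class MasterKeyRecord:
    """Hypothetical model of the K/M principal as sketched in the thread."""
    current_kvno: int
    # keydata: every older mkey, indexed by kvno, wrapped under the current mkey
    keydata: dict = field(default_factory=dict)
    # KRB5_TL_MKEY_AUX (modelled): the current mkey wrapped under each older mkey
    mkey_aux: dict = field(default_factory=dict)


def rollover(known_mkeys: dict, new_kvno: int, new_mkey: bytes) -> MasterKeyRecord:
    """Introduce a new master key; known_mkeys maps kvno -> plaintext mkey."""
    rec = MasterKeyRecord(current_kvno=new_kvno)
    for kvno, old in known_mkeys.items():
        rec.keydata[kvno] = wrap(new_mkey, old, b"keydata:%d" % kvno)
        rec.mkey_aux[kvno] = wrap(old, new_mkey, b"mkey_aux:%d" % kvno)
    return rec


def load_mkeys(rec: MasterKeyRecord, stash_kvno: int, stash_mkey: bytes) -> dict:
    """Recover every master key (kvno -> key) from a single stashed mkey.
    An old stash goes through mkey_aux to reach the current mkey first."""
    if stash_kvno == rec.current_kvno:
        current = stash_mkey
    else:
        current = unwrap(stash_mkey, rec.mkey_aux[stash_kvno], b"mkey_aux:%d" % stash_kvno)
    mkeys = {rec.current_kvno: current}
    for kvno, blob in rec.keydata.items():
        mkeys[kvno] = unwrap(current, blob, b"keydata:%d" % kvno)
    return mkeys


def decrypt_principal_key(mkeys: dict, mkvno: int, blob: bytes, princ: bytes) -> bytes:
    """Decrypt a principal's stored key using the mkey kvno recorded with it."""
    return unwrap(mkeys[mkvno], blob, b"princ:" + princ)


def demo() -> dict:
    # Constructed master keys for kvno 1, 2, 3 (not real key material).
    k1, k2, k3 = (hashlib.sha256(b"constructed mkey %d" % i).digest() for i in (1, 2, 3))
    rec = rollover({1: k1}, 2, k2)            # first migration: 1 -> 2
    rec = rollover({1: k1, 2: k2}, 3, k3)     # second migration: 2 -> 3
    princ = b"host/kdc.example.test"          # constructed principal name
    princ_key = b"\x01" * 16                  # constructed principal key
    enc = wrap(k1, princ_key, b"princ:" + princ)  # record never re-encrypted, still mkvno 1
    from_old = load_mkeys(rec, 1, k1)         # KDC stashed the oldest mkey
    from_cur = load_mkeys(rec, 3, k3)         # KDC stashed the current mkey
    return {
        "kvnos_from_old_stash": sorted(from_old),
        "kvnos_from_current_stash": sorted(from_cur),
        "princ_key_ok": decrypt_principal_key(from_old, 1, enc, princ) == princ_key
        and decrypt_principal_key(from_cur, 1, enc, princ) == princ_key,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the two lists is visible in `load_mkeys`: whichever mkey the KDC has stashed, one unwrap through `mkey_aux` (if needed) plus one pass over `keydata` yields the full kvno-to-key map, so a principal record encrypted under any retired mkey stays readable until it is re-encrypted.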
