Review of http://k5wiki.kerberos.org/wiki/Projects/Disable_DES ending February 13, 2009
rra at stanford.edu
Fri Jan 30 18:32:19 EST 2009
Jeffrey Hutzelman <jhutz at cmu.edu> writes:
> That means, among other things, the ability to generate and store new
> service keys without taking them into use, the ability to begin issuing
> service tickets with a new key while still handling AS requests using
> the old client kvno (or vice versa), and a key management protocol and
> clients that support these operations.
I cannot emphasize enough how much I agree with this paragraph. All
transition plans are rife with race conditions and deployment problems
today without those capabilities.
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the krbdev