Review of http://k5wiki.kerberos.org/wiki/Projects/Disable_DES ending February 13, 2009

[Russ Allbery]

Jeffrey Hutzelman <jhutz at cmu.edu> writes:

> That means, among other things, the ability to generate and store new
> service keys without taking them into use, the ability to begin issuing
> service tickets with a new key while still handling AS requests using
> the old client kvno (or vice versa), and a key management protocol and
> clients that support these operations.

I cannot emphasize enough how much I agree with this paragraph.  All
transition plans are rife with race conditions and deployment problems
today without those capabilities.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>