Review of http://k5wiki.kerberos.org/wiki/Projects/Disable_DES ending February 13, 2009

Nicolas Williams Nicolas.Williams at sun.com
Fri Jan 30 19:37:31 EST 2009


On Fri, Jan 30, 2009 at 06:15:53PM -0600, Nicolas Williams wrote:
> On Fri, Jan 30, 2009 at 03:32:19PM -0800, Russ Allbery wrote:
> > Jeffrey Hutzelman <jhutz at cmu.edu> writes:
> > 
> > > That means, among other things, the ability to generate and store new
> > > service keys without taking them into use, the ability to begin issuing
> > > service tickets with a new key while still handling AS requests using
> > > the old client kvno (or vice versa), and a key management protocol and
> > > clients that support these operations.
> > 
> > I cannot emphasize enough how much I agree with this paragraph.  All
> > transition plans are rife with race conditions and deployment problems
> > today without those capabilities.
> 
> Will Fiveash just committed the infrastructure needed for this to the
> trunk as part of the master key migration project.  Kudos Will!

BTW, all that's missing, IIUC, is kadmin changes to add options to the
chpass/ktadd/modprinc commands to manage this for any princ.

Nico
-- 


