Issues with Active Directory <-> MIT x-realm key replacement

[Tom Yu]

Sam Hartman <hartmans at MIT.EDU> writes:

> 2) We plan to implement behavior that allows an administrator to purge
> old keys. Once that is done your approach wil definitely be fine.  I
> think even without this it is fine.

Manual purging of old keys (when there are multiple kvnos for a
principal) is already implemented in the upcoming 1.9 release.