Removing old keys
Nicolas Williams
Nicolas.Williams at oracle.com
Mon Sep 20 16:59:54 EDT 2010
On Mon, Sep 20, 2010 at 04:11:30PM -0400, Tom Yu wrote:
> Greg Hudson <ghudson at MIT.EDU> writes:
>
> > On Mon, 2010-09-20 at 15:31 -0400, Jonathan Reams wrote:
>
> >> Is there a mechanism for pruning old keys in the same way that
> >> kdb5_util lets you purge old master keys that are no longer being
> >> used?
>
> > To the best of my understanding, there is not, short of dumpfile
> > editing. This is a long-standing shortcoming in the kadmin system,
> > which we simply haven't gotten around to correcting.
>
> What would people prefer in terms of an interface for this capability?
>
> * delete all old kvnos
> * delete one specific kvno
> * something else
>
> We would probably implement this as a new kadmin RPC.
While an RPC may be useful by itself, I think what's needed is a
policy such that sufficiently old keys are deleted on next key change.
The safest policy, ISTM, is delete kvno-3 or kvno-2 on key change. It'd
be nice too to have a way to flag keys as having been "replicated", as
may be necessary in cluster situations. (Though clusters also have to
worry about replay caches, and that's a different topic.)
Nico
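An added illustration of the retention policy Nico proposes, not code from this thread or from MIT Kerberos: on each key change the new kvno is n, kvno n-3 and older become eligible for deletion, and a hypothetical "replicated" flag gates the purge for cluster cases. The Key and Principal classes, the flag's semantics and the sample principal name are assumptions.

```python
from dataclasses import dataclass, field

# Assumed model of the proposal: keys carry a kvno and a "replicated" flag.
# The flag is hypothetical; MIT kadmin stores no such field today.

@dataclass
class Key:
    kvno: int
    replicated: bool = False  # set once every host that needs the key has it

@dataclass
class Principal:
    name: str
    keys: list = field(default_factory=list)

    def current_kvno(self) -> int:
        return max((k.kvno for k in self.keys), default=0)

def mark_replicated(principal: Principal, kvno: int) -> None:
    """Record that the key with this kvno has reached all cluster members."""
    for k in principal.keys:
        if k.kvno == kvno:
            k.replicated = True

def change_key(principal: Principal, keep: int = 3) -> list:
    """Roll the key to a new kvno, then apply the retention policy.

    With keep=3 the new kvno is n and kvno n-3 and older become eligible
    (the "safest" choice in the message; keep=2 gives the kvno-2 variant).
    Eligible keys are purged only if every retained key between them and
    the new one is flagged replicated, so no host is left relying solely on
    a purged key.  Returns the purged kvnos (empty if nothing was purged).
    """
    new_kvno = principal.current_kvno() + 1
    principal.keys.append(Key(new_kvno))          # new key: not replicated yet
    cutoff = new_kvno - keep
    retained_newer = [k for k in principal.keys if cutoff < k.kvno < new_kvno]
    if not all(k.replicated for k in retained_newer):
        return []                                  # replication lagging: keep all
    purged = sorted(k.kvno for k in principal.keys if k.kvno <= cutoff)
    principal.keys = [k for k in principal.keys if k.kvno > cutoff]
    return purged

if __name__ == "__main__":
    p = Principal("host/web1.example.com@EXAMPLE.COM")  # constructed sample
    for _ in range(3):
        change_key(p)
        mark_replicated(p, p.current_kvno())
    print(change_key(p))  # creates kvno 4, purges kvno 1 -> [1]
```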