The destructive re-keying problem

Nico Williams nico at
Fri Mar 7 19:42:43 EST 2014

On Fri, Mar 7, 2014 at 4:59 PM, Simo Sorce <simo at> wrote:
> In general I agree with your comments Nico, in fact I was the person
> that asked MIT once more to reconsider the problem, and we had a
> conversation where we mentioned the possibility to use multi-round trip
> to recover w/o ever returning errors to applications.
> And on the server side ability to recover keys in certain situations I
> also agree, in fact I have a set of patches on the FreeIPA list to add
> just that ability (subject to access control decisions of course).
> However I would like to avoid combining all these "solutions" together
> as something to deliver all at once.

The three options (my two plus Greg's marking bad tix in the ccache
option) have no dependencies on each other, therefore all can be
pursued independently.  I didn't say otherwise, and I fail to see how
I implied otherwise either.

BTW, since the KRB-ERROR in the wrong kvno case is NOT protected, the
client is taking a small risk in marking that ticket bad in the
ccache.  A small security consideration, and not a new one at that.

