[OpenAFS] Server encryption keys

Russ Allbery rra@stanford.edu
Sat, 17 Mar 2007 13:32:17 -0700

Sergio Gelato <Sergio.Gelato@astro.su.se> writes:

> Out of curiosity, is AFS the only intended application for this?
> It seems to me that the day AFS will finally use standard Kerberos 5
> keytabs and per-server principals the problem will be much milder.
> Granted, one may not want to wait that long.

No, it applies to any application where the same key is shared on multiple
systems.  Another example would be a set of systems providing a
GSSAPI-authenticated service behind a load-balancer, where the client
would use the same service ticket regardless of what backend system it
happened to get.

Any time that you need a delay between distributing key material and
making the new key active, you want this feature.
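A small model of the staged rollout the message describes, added here as an example (not code from the thread or from OpenAFS): several backends share one service key, the KDC issues tickets under one key version at a time, and activating before every backend holds the new key leaves some of them unable to decrypt fresh tickets. Backend names and key bytes are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Backend:
    name: str
    keys: dict = field(default_factory=dict)  # kvno -> key material (constructed)

    def can_decrypt(self, kvno: int) -> bool:
        """A backend can only serve a ticket whose kvno is in its keytab."""
        return kvno in self.keys


@dataclass
class SharedService:
    active_kvno: int  # kvno the KDC currently encrypts service tickets under
    backends: list

    def distribute(self, kvno: int, key: bytes, to: set) -> None:
        """Push new key material to a subset of backends (a keytab update)."""
        for b in self.backends:
            if b.name in to:
                b.keys[kvno] = key

    def activate(self, kvno: int) -> None:
        """Switch the KDC to issuing tickets under kvno, whatever the rollout state."""
        self.active_kvno = kvno

    def broken_backends(self) -> list:
        """Backends that would reject every ticket issued under the active kvno."""
        return [b.name for b in self.backends if not b.can_decrypt(self.active_kvno)]


def rollout(delay_until_distributed: bool) -> list:
    """Rotate kvno 1 -> 2 across three backends; return the backends left broken."""
    old, new = b"key-v1-constructed", b"key-v2-constructed"
    svc = SharedService(1, [Backend(n, {1: old}) for n in ("fs1", "fs2", "fs3")])
    # The first push reaches only two of the three backends; fs3 lags behind.
    svc.distribute(2, new, {"fs1", "fs2"})
    if not delay_until_distributed:
        svc.activate(2)  # no delay: clients now get kvno-2 tickets that fs3 cannot read
        return svc.broken_backends()
    svc.distribute(2, new, {"fs3"})  # wait until the laggard has the key, then switch
    svc.activate(2)
    return svc.broken_backends()
```

`rollout(False)` reports the backend that missed the first push; `rollout(True)` reports none, which is the behaviour the delay between distribution and activation buys.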

