[OpenAFS] Server encryption keys
Sat, 17 Mar 2007 10:36:23 -0400
On Mar 17, 2007, at 08:48, Jeffrey Altman wrote:
> Sergio Gelato wrote:
>> * Russ Allbery [2007-03-16 15:11:20 -0700]:
>>> Jeff is talking about additional functionality that several of us
>>> like to add to the Kerberos KDC that lets you create a new key
>>> (and hence
>>> a keytab and hence pre-populate the KeyFile) without having the KDC
>>> immediately start using it for service tickets.
>> Out of curiosity, is AFS the only intended application for this?
>> It seems to me that the day AFS will finally use standard Kerberos 5
>> keytabs and per-server principals the problem will be much milder.
>> Granted, one may not want to wait that long.
> The desired key rollover and rollback functionality is not specific to
It makes sense. The capability to have previous kvnos hanging out in
the KDC's database is there, so all we really need is a flag to say
which one is active (and an API to manipulate it).