[OpenAFS] Server encryption keys

Robert Banz banz@umbc.edu
Sat, 17 Mar 2007 10:36:23 -0400


On Mar 17, 2007, at 08:48, Jeffrey Altman wrote:

> Sergio Gelato wrote:
>> * Russ Allbery [2007-03-16 15:11:20 -0700]:
>>> Jeff is talking about additional functionality that several of us
>>> would like to add to the Kerberos KDC that lets you create a new key
>>> (and hence a keytab and hence pre-populate the KeyFile) without having
>>> the KDC immediately start using it for service tickets.
>>
>> Out of curiosity, is AFS the only intended application for this?
>> It seems to me that the day AFS will finally use standard Kerberos 5
>> keytabs and per-server principals the problem will be much milder.
>> Granted, one may not want to wait that long.
>
> The desired key rollover and rollback functionality is not specific to
> AFS.

It makes sense.  The capability to have previous kvnos hanging out in
the KDC's database is there, so all we really need is a flag to say
which one is active (and an API to manipulate it).

-rob
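The rollover the thread is asking for (create a new kvno, distribute it to every server's keytab/KeyFile, then flip the KDC to issue under it, with the old kvnos kept for rollback), as an added example that is not part of the original thread, OpenAFS, or any Kerberos implementation. The KDC principal record, keytab, ticket format and cipher below are all constructed stand-ins: the "encryption" is a toy SHA-256 keystream plus HMAC tag, not a Kerberos enctype, and the names `KdcPrincipal`, `Keytab`, `add_key`, `activate` and `rollover_demo` are hypothetical. What is not a stand-in is the mechanism it illustrates: a ticket carries the kvno of the key it was encrypted under (RFC 4120 EncryptedData), and the server picks the matching key out of its keytab by principal and kvno, so a server whose keytab lacks the newly active kvno cannot accept tickets until it is updated.

```python
"""Toy model of Kerberos service-key rollover with a KDC-side "active kvno" flag.
Added example only; the cipher, records and names are constructed stand-ins."""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC; stands in for a Kerberos enctype, nothing more."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class KdcPrincipal:
    """Hypothetical KDC database entry: every historical kvno stays in the
    record, plus the flag saying which kvno new service tickets use."""
    name: str
    keys: dict = field(default_factory=dict)   # kvno -> key bytes
    active_kvno: int = 0

    def add_key(self) -> int:
        """Create a new kvno WITHOUT making it active (the proposed behaviour)."""
        kvno = max(self.keys, default=0) + 1
        self.keys[kvno] = os.urandom(32)
        return kvno

    def activate(self, kvno: int) -> None:
        """Flip the active flag; works for rollback too, since old kvnos are kept."""
        if kvno not in self.keys:
            raise KeyError(kvno)
        self.active_kvno = kvno

    def issue_ticket(self, client: str) -> dict:
        """Ticket carries the kvno in the clear; the body is under that key."""
        body = json.dumps({"cname": client, "sname": self.name}).encode()
        return {"kvno": self.active_kvno, "enc": toy_encrypt(self.keys[self.active_kvno], body)}


class Keytab:
    """Hypothetical server-side keytab: (principal, kvno) -> key."""
    def __init__(self):
        self.entries = {}

    def add(self, princ: KdcPrincipal, kvno: int) -> None:
        self.entries[(princ.name, kvno)] = princ.keys[kvno]

    def accept_ticket(self, sname: str, ticket: dict) -> dict:
        key = self.entries.get((sname, ticket["kvno"]))
        if key is None:
            raise LookupError(f"no key for {sname} kvno {ticket['kvno']} in keytab")
        return json.loads(toy_decrypt(key, ticket["enc"]))


def rollover_demo() -> dict:
    """Create, distribute, activate, then roll back; returns what each step observed."""
    afs = KdcPrincipal("afs/example.org@EXAMPLE.ORG")
    afs.activate(afs.add_key())            # kvno 1 is the key in use today
    fs1, fs2 = Keytab(), Keytab()          # two fileservers, both holding kvno 1
    fs1.add(afs, 1)
    fs2.add(afs, 1)
    user, r = "user@EXAMPLE.ORG", {}

    new = afs.add_key()                    # step 1: kvno 2 exists, but is not used yet
    t = afs.issue_ticket(user)
    r["kvno_issued_after_add"] = t["kvno"]
    r["fs2_ok_before_activate"] = fs2.accept_ticket(afs.name, t)["cname"] == user

    fs1.add(afs, new)                      # step 2: only fs1 gets the new keytab entry

    afs.activate(new)                      # step 3: KDC switches to kvno 2
    t = afs.issue_ticket(user)
    r["kvno_issued_after_activate"] = t["kvno"]
    r["fs1_ok_after_activate"] = fs1.accept_ticket(afs.name, t)["cname"] == user
    try:
        fs2.accept_ticket(afs.name, t)
        r["fs2_ok_after_activate"] = True
    except LookupError:                    # fs2 still lacks kvno 2: tickets fail there
        r["fs2_ok_after_activate"] = False

    afs.activate(1)                        # rollback: kvno 1 never left the KDC record
    t = afs.issue_ticket(user)
    r["kvno_issued_after_rollback"] = t["kvno"]
    r["fs2_ok_after_rollback"] = fs2.accept_ticket(afs.name, t)["cname"] == user
    return r
```

The failure in step 3 is exactly the window the thread wants to close: with today's behaviour, creating the key and activating it is one operation, so the window starts before any keytab can be updated. Separating `add_key` from `activate` lets the keytab/KeyFile distribution finish first, and keeping the old kvnos makes `activate(1)` a clean rollback rather than another key change.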