Review of http://k5wiki.kerberos.org/wiki/Projects/Disable_DES ending February 13, 2009
Nicolas Williams
Nicolas.Williams at sun.com
Fri Jan 30 19:15:53 EST 2009
On Fri, Jan 30, 2009 at 03:32:19PM -0800, Russ Allbery wrote:
> Jeffrey Hutzelman <jhutz at cmu.edu> writes:
>
> > That means, among other things, the ability to generate and store new
> > service keys without taking them into use, the ability to begin issuing
> > service tickets with a new key while still handling AS requests using
> > the old client kvno (or vice versa), and a key management protocol and
> > clients that support these operations.
>
> I cannot emphasize enough how much I agree with this paragraph. All
> transition plans are rife with race conditions and deployment problems
> today without those capabilities.
Will Fiveash just committed the infrastructure needed for this to the
trunk as part of the master key migration project. Kudos Will!
Nico
--
More information about the krbdev
mailing list