[568] in Kerberos


Re: changing master key on database

daemon@TELECOM.MIT.EDU (Jerome H. Saltzer)
Wed Jan 4 20:58:29 1989

To: Jeffrey I. Schiller <jis@ATHENA.MIT.EDU>
Cc: jtkohl@ATHENA.MIT.EDU, kerberos@ATHENA.MIT.EDU
In-Reply-To: Jeffrey I. Schiller <jis@ATHENA.MIT.EDU>'s message of Wed, 4 Jan 89 18:27:51 EST
From: Jerome H. Saltzer <Saltzer@ATHENA.MIT.EDU>

> 	From my point of view I have yet to see a reason to change the
> key's version number when the master key is changed.

Suppose the master and slaves are physically separated by enough
distance that it isn't convenient to change the master key at both
places the same day; it takes two days to get to the other site.  But
you still want to be able to propagate, via network, updates from
master to slave during the two days that the keys are different.
Then you want to have version numbers, and two simultaneously usable
keys, right?  (I'm not sure all the code is in there to allow that
scenario, but removing master version numbers is a step away, rather
than toward, solving that problem.)

Shorten the distance/time to half a day, but assume that there are
100 password changes/hour, and you might still have the same
situation on a shorter time scale.

					Jerry
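
The scenario in the message above, sketched as an added example (not part of the original message and not Kerberos code): each propagated record carries the version of the master key it was encrypted under, so a slave can use the records its keyring covers and defer the rest until the new key arrives. The record layout, the `mkvno` field name, the keyring dictionary and the HMAC-based stand-in cipher are all assumptions made for illustration, and the keys are constructed sample values.

```python
import hashlib, hmac, os

def _sub(master_key, label):
    # Derive separate encryption and MAC subkeys from one master key.
    return hmac.new(master_key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real cipher.
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(master_key, rec):
    # The MAC binds the key version and principal name to the ciphertext.
    msg = (rec["mkvno"].to_bytes(2, "big") + rec["nonce"]
           + rec["name"].encode() + b"\0" + rec["ct"])
    return hmac.new(_sub(master_key, b"mac"), msg, hashlib.sha256).digest()

def seal(master_key, mkvno, name, principal_key):
    """Master side: encrypt one principal key, tagged with the master key version."""
    rec = {"name": name, "mkvno": mkvno, "nonce": os.urandom(8)}
    rec["ct"] = _xor_stream(_sub(master_key, b"enc"), rec["nonce"], principal_key)
    rec["tag"] = _tag(master_key, rec)
    return rec

def load_propagated(keyring, records):
    """Slave side: decrypt what the keyring covers, defer the rest."""
    usable, deferred = {}, []
    for rec in records:
        mk = keyring.get(rec["mkvno"])
        if mk is None:
            deferred.append(rec)  # master key for this version not here yet
            continue
        if not hmac.compare_digest(rec["tag"], _tag(mk, rec)):
            raise ValueError("record %s fails integrity check" % rec["name"])
        usable[rec["name"]] = _xor_stream(_sub(mk, b"enc"), rec["nonce"], rec["ct"])
    return usable, deferred

def demo():
    # Constructed sample data: two master keys, three principal keys.
    old_mk, new_mk = b"O" * 32, b"N" * 32
    dump = [seal(old_mk, 1, "alice", b"alice-key-0001"),
            seal(new_mk, 2, "bob", b"bob-key-000002"),    # changed after rotation
            seal(new_mk, 2, "carol", b"carol-key-0003")]
    before = load_propagated({1: old_mk}, dump)            # new key still in transit
    after = load_propagated({1: old_mk, 2: new_mk}, dump)  # new key has arrived
    return before, after

if __name__ == "__main__":
    (u1, d1), (u2, d2) = demo()
    print(sorted(u1), [r["name"] for r in d1], sorted(u2), len(d2))
```

Without the version field the slave could not tell which records to defer; a record under the wrong key would simply fail its integrity check.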
