[569] in Kerberos


Re: changing master key on database

daemon@TELECOM.MIT.EDU (John T Kohl)
Thu Jan 5 09:13:04 1989

From: John T Kohl <jtkohl@ATHENA.MIT.EDU>
To: Jerome H. Saltzer <Saltzer@ATHENA.MIT.EDU>
Cc: Jeffrey I. Schiller <jis@ATHENA.MIT.EDU>, kerberos@ATHENA.MIT.EDU
In-Reply-To: Jerome H. Saltzer's message of Wed, 4 Jan 89 20:51:56 EST,

   Date: Wed, 4 Jan 89 20:51:56 EST
   From: Jerome H. Saltzer <Saltzer@ATHENA.MIT.EDU>

   > 	From my point of view I have yet to see a reason to change the
   > key's version number when the master key is changed.

   Suppose the master and slaves are physically separated ... But
   you still want to be able to propagate, via network, updates from
   master to slave during the two days that the keys are different.

   Then you want to have version numbers, and two simultaneously usable
   keys, right?

Two simultaneously usable master keys, yes.

There are currently two version numbers stored with each key in the
database: the master key version used to encrypt the key for storage,
and the principal's key version.  Currently when changing the master key
on a database, the utility program increments BOTH version numbers,
where I think the appropriate action is to only increment the master key
version, and leave the principal key version the same (since it hasn't
changed!)

John
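The two-version-number layout described above, as an added worked example. This is not code from the original message or from the MIT Kerberos distribution: the `toy_wrap` keystream stands in for the database's real master-key encryption, the class and method names (`KeyDatabase`, `rekey_master`, `retire_master_key`) and the master/slave scenario in `demo` are assumptions made for illustration, and the sample keys and principal names are constructed. Each entry records its own `kvno` and the `mkvno` of the master key that encrypts it, so a site holding both master keys can serve entries encrypted under either during the changeover, and a master-key change re-encrypts entries and bumps only `mkvno`. The `bump_kvno=True` path reproduces the utility behaviour the message objects to, for comparison.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, replace


def toy_wrap(master_key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 keystream derived from master_key.

    Assumption: a stand-in for the database's real master-key encryption.
    Symmetric, so the same call also unwraps. A toy, not for real use.
    """
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(master_key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class PrincipalEntry:
    name: str
    kvno: int          # principal's key version: moves only when that key changes
    mkvno: int         # version of the master key that encrypts stored_key
    stored_key: bytes  # principal key encrypted under master key number mkvno


class KeyDatabase:
    """One site's principal database plus the master keys it holds, by mkvno (assumed name)."""

    def __init__(self, mkvno: int, master_key: bytes) -> None:
        self.master_keys = {mkvno: master_key}
        self.entries: dict[str, PrincipalEntry] = {}

    def add_master_key(self, mkvno: int, master_key: bytes) -> None:
        """Hold another master key; older ones stay usable until retired."""
        if mkvno in self.master_keys:
            raise ValueError(f"master key version {mkvno} already held")
        self.master_keys[mkvno] = master_key

    def store(self, name: str, key: bytes, kvno: int) -> None:
        """Write a principal key, encrypted under the newest master key held."""
        mkvno = max(self.master_keys)
        wrapped = toy_wrap(self.master_keys[mkvno], key)
        self.entries[name] = PrincipalEntry(name, kvno, mkvno, wrapped)

    def change_principal_key(self, name: str, new_key: bytes) -> None:
        """The one event that should bump the principal's kvno."""
        self.store(name, new_key, self.entries[name].kvno + 1)

    def lookup(self, name: str) -> tuple[bytes, int]:
        """Return (principal key, kvno), using whichever master key the entry names."""
        entry = self.entries[name]
        if entry.mkvno not in self.master_keys:
            raise KeyError(f"{name}: need master key version {entry.mkvno}")
        return toy_wrap(self.master_keys[entry.mkvno], entry.stored_key), entry.kvno

    def import_entry(self, entry: PrincipalEntry) -> None:
        """Accept an entry propagated from another site unchanged; mkvno travels
        with it, so it can be stored now and read once that master key is held."""
        self.entries[entry.name] = replace(entry)

    def rekey_master(self, new_mkvno: int, bump_kvno: bool = False) -> None:
        """Re-encrypt every entry under master key new_mkvno (already held).

        bump_kvno=True reproduces the utility behaviour the message objects to
        (both numbers incremented); the default is the behaviour it recommends.
        """
        new_mk = self.master_keys[new_mkvno]
        for entry in self.entries.values():
            key, _ = self.lookup(entry.name)
            entry.stored_key = toy_wrap(new_mk, key)
            entry.mkvno = new_mkvno
            if bump_kvno:
                entry.kvno += 1

    def retire_master_key(self, mkvno: int) -> None:
        """Drop an old master key only once nothing is encrypted under it."""
        holdouts = [e.name for e in self.entries.values() if e.mkvno == mkvno]
        if holdouts:
            raise RuntimeError(f"still encrypted under mkvno {mkvno}: {holdouts}")
        del self.master_keys[mkvno]


def demo() -> dict:
    """Constructed master/slave scenario: keys and names are sample values."""
    mk1, mk2 = b"master key v1 (constructed)", b"master key v2 (constructed)"
    alice_key, bob_key = b"alice-key", b"bob-key"
    master, slave = KeyDatabase(1, mk1), KeyDatabase(1, mk1)
    master.store("alice", alice_key, 1)
    slave.import_entry(master.entries["alice"])

    master.add_master_key(2, mk2)              # master site switches to mk2
    master.rekey_master(2)                     # alice: mkvno 1 -> 2, kvno stays 1
    master.store("bob", bob_key, 1)            # new entry, encrypted under mk2
    slave.import_entry(master.entries["bob"])  # propagated while slave lacks mk2
    try:
        slave.lookup("bob")
        readable_before = True
    except KeyError:
        readable_before = False

    slave.add_master_key(2, mk2)               # now both master keys are usable
    during_overlap = (slave.lookup("alice"), slave.lookup("bob"))
    try:
        slave.retire_master_key(1)             # alice is still under mk1
        refused = False
    except RuntimeError:
        refused = True
    slave.rekey_master(2)
    slave.retire_master_key(1)

    naive = KeyDatabase(1, mk1)                # the behaviour the message objects to
    naive.store("alice", alice_key, 1)
    naive.add_master_key(2, mk2)
    naive.rekey_master(2, bump_kvno=True)

    a = master.entries["alice"]
    return {
        "master_alice": (a.kvno, a.mkvno),
        "master_alice_key_intact": master.lookup("alice")[0] == alice_key,
        "slave_bob_readable_before_mk2": readable_before,
        "slave_alice_during_overlap": during_overlap[0],
        "slave_bob_during_overlap": during_overlap[1],
        "retire_refused_while_in_use": refused,
        "slave_master_keys_after_rekey": sorted(slave.master_keys),
        "naive_alice_kvno": naive.entries["alice"].kvno,
    }
```

The point the `naive` branch makes: after a master-key change under that policy, alice's stored kvno reads 2 although her key never changed, so anything that recorded kvno 1 for her key no longer matches the database, while under the recommended policy only `mkvno` moves and the entry decrypts to the same key with the same kvno.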

