[1138] in Kerberos_V5_Development


Re: motivation for multiple keys per principal

daemon@ATHENA.MIT.EDU (Theodore Y. Ts'o)
Wed May 8 14:14:58 1996

Date: Wed, 8 May 1996 14:09:51 -0400
From: "Theodore Y. Ts'o" <tytso@MIT.EDU>
To: "Barry Jaspan" <bjaspan@MIT.EDU>
Cc: krbdev@MIT.EDU
In-Reply-To: Barry Jaspan's message of Wed, 8 May 1996 13:44:48 -0400,
	<9605081744.AA18118@starkiller.MIT.EDU>

   Date: Wed, 8 May 1996 13:44:48 -0400
   From: "Barry Jaspan" <bjaspan@MIT.EDU>

   What was the motivation for supporting multiple keys per principal?
   Is there a reason other than a smooth migration from DES to 3-DES?

1)  Smooth migration to different encryption systems (3-DES, IDEA, etc.)

2) Support of different salt-types (V4 salts vs. V5 realm-based salts).
This will also be necessary if you are using V5 realm-based salts, and
you have to do a forced-march rename of your Kerberos realm (for example)
from GZA.COM to OV.COM.

(Note: we don't have the code in there to completely support this yet,
but I suspect the first time Cygnus has a customer get bought out and
forced to rename their Kerberos realm, they'll have to implement
precisely this.)

							- Ted
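Added example, not part of the original message and not MIT Kerberos code: why a realm rename breaks keys made with realm-based V5 salts, and how keeping a salt with each of a principal's keys avoids it. The `KeyEntry` layout, the salt-type labels, the pinned-salt approach in `rename_realm`, the principal `jdoe` and the password are assumptions made for illustration, and PBKDF2 stands in for the real string-to-key function.

```python
import hashlib
from dataclasses import dataclass, replace

def v5_default_salt(realm, components):
    # V5 default salt: realm name followed by the principal name components, no separators.
    return (realm + "".join(components)).encode()

def string_to_key(password, salt):
    # Stand-in KDF (PBKDF2-HMAC-SHA1) for illustration; not the DES string-to-key of 1996.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, dklen=16)

@dataclass(frozen=True)
class KeyEntry:        # one of the several keys stored for a principal
    salttype: str      # hypothetical labels: "v5-default", "v4", "explicit"
    salt: bytes
    key: bytes

def new_entries(password, realm, components):
    # One key per salt type, all derived from the same password.
    salts = (("v5-default", v5_default_salt(realm, components)), ("v4", b""))  # V4: empty salt
    return [KeyEntry(t, s, string_to_key(password, s)) for t, s in salts]

def rename_realm(entries):
    # The KDC stores keys, not passwords, so it cannot re-derive under the new realm.
    # Assumed approach: keep each key and pin the salt it was originally made with.
    return [replace(e, salttype="explicit") if e.salttype == "v5-default" else e
            for e in entries]

def client_key(password, entry, realm, components):
    # The client derives its key with the salt the entry's salt type calls for.
    if entry.salttype == "v5-default":
        salt = v5_default_salt(realm, components)
    else:
        salt = entry.salt
    return string_to_key(password, salt)

def demo():
    pw, name = "constructed-password", ["jdoe"]   # constructed sample values
    old_v5, old_v4 = new_entries(pw, "GZA.COM", name)
    new_v5, new_v4 = rename_realm([old_v5, old_v4])
    return {
        "before_rename": client_key(pw, old_v5, "GZA.COM", name) == old_v5.key,
        "default_salt_after_rename": client_key(pw, old_v5, "OV.COM", name) == old_v5.key,
        "pinned_salt_after_rename": client_key(pw, new_v5, "OV.COM", name) == new_v5.key,
        "v4_salt_after_rename": client_key(pw, new_v4, "OV.COM", name) == new_v4.key,
    }

if __name__ == "__main__":
    print(demo())
```

Only the entry that still computes its salt from the current realm name fails after the rename; the V4-salted key and the key with a pinned salt keep working without a password change.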
