[16536] in Kerberos_V5_Development
Re: Issues with Active Directory <-> MIT x-realm key replacement
daemon@ATHENA.MIT.EDU (Sam Hartman)
Wed Dec 8 22:25:58 2010
From: Sam Hartman <hartmans@mit.edu>
To: jaltman@secure-endpoints.com
Date: Wed, 08 Dec 2010 22:25:51 -0500
In-Reply-To: <4D0003E6.5060704@secure-endpoints.com> (Jeffrey Altman's message
of "Wed, 08 Dec 2010 17:17:10 -0500")
Message-ID: <tslk4jjhbk0.fsf@carter-zimmerman.suchdamage.org>
MIME-Version: 1.0
Cc: "'krbdev@mit.edu'" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
Your proposed design sounds good to me.
Here are some additional reasons why I think that design will be fine
long-term.
1) If you want security at the expense of availability, you do not use
the -keepold option on kpasswd.
2) We plan to implement behavior that allows an administrator to purge
old keys. Once that is done your approach will definitely be fine. I
think even without this it is fine.
--Sam