On Wed, Jun 28, 2017 at 12:08:31AM -0500, Nico Williams wrote:
> We do need better key mgmt support though. It'd be nice to have automatic
> rekeying and expunging of keys too old to be needed for decrypting
> extant live tickets.
Viktor points out that we do have server-side (in libkadm5, thus
kadmind) support for optional automatic expunging of old keys in
kadm5_setkey_principal_3(). We have it for krb5_admin/krb5_keytab :)
We want to add client-side support as well.
We also need client-side support for automatic keytab entry expunge as