On Wed, Jun 28, 2017 at 12:08:31AM -0500, Nico Williams wrote:
> We do need better key mgmt support though. It'd be nice to have automatic
> rekeying and expunging of keys too old to be needed for decrypting
> extant live tickets.

Viktor points out that we do have server-side (in libkadm5, thus kadmind) support for optional automatic expunging of old keys in kadm5_setkey_principal_3(). We have it for krb5_admin/krb5_keytab :) We want to add client-side support as well. We also need client-side support for automatic keytab entry expunge as well.

Nico
--
