
Deleting a Compromised Key

When a principal's key has been compromised, it should be deleted as soon as the compromise is discovered, so that no other party can use it to masquerade as that principal. Two routines delete a principal's key:

· The sec_key_mgmt_delete_key( ) routine removes all key types having the specified key version identifier from the local key storage, thus invalidating all extant tickets encoded with that key.

· The sec_key_mgmt_delete_key_type( ) routine removes only a specified version of a specified key type.

If the compromised key is the current one, the application should first change the key with sec_key_mgmt_change_key( ), so that it still holds a usable key, and only then delete the compromised version. It is not an error for a process to delete the current key as long as it is done after the login context has been established, but it may inconvenience legitimate clients of the service: every ticket encoded with the deleted key stops being accepted. The inconvenience is justified, however, when the application data is sensitive.
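The following C program is an illustration added to this page, not code from the DCE sources: it models the two-step procedure above (change the key if the compromised version is current, then delete that version) against a small in-memory key store. The functions change_key( ), delete_key( ) and delete_key_type( ) stand in for sec_key_mgmt_change_key( ), sec_key_mgmt_delete_key( ) and sec_key_mgmt_delete_key_type( ) respectively; the key type names, the version numbering, and the in-memory store are assumptions of the model, and the real routines operate on the principal's keytab with the signatures given in the reference pages.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of one principal's local key store (an assumption for this example,
   not the DCE keytab): each entry pairs a key version with a key type, and the
   store records which version the service currently identifies itself with. */
#define MAX_KEYS 16
typedef enum { KEYTYPE_A = 1, KEYTYPE_B = 2 } keytype_t; /* assumed type names */

typedef struct { bool in_use; unsigned version; keytype_t type; } key_entry_t;
typedef struct { key_entry_t keys[MAX_KEYS]; unsigned current_version; } key_store_t;

static bool store_add(key_store_t *s, unsigned version, keytype_t type)
{
    for (size_t i = 0; i < MAX_KEYS; i++) {
        if (!s->keys[i].in_use) {
            s->keys[i].in_use = true;
            s->keys[i].version = version;
            s->keys[i].type = type;
            return true;
        }
    }
    return false; /* store full */
}

/* Initial state: one key version, present in both key types. */
void store_init(key_store_t *s, unsigned first_version)
{
    memset(s, 0, sizeof *s);
    s->current_version = first_version;
    store_add(s, first_version, KEYTYPE_A);
    store_add(s, first_version, KEYTYPE_B);
}

/* Number of key types still stored under a version; 0 means the version is gone. */
unsigned key_count(const key_store_t *s, unsigned version)
{
    unsigned n = 0;
    for (size_t i = 0; i < MAX_KEYS; i++)
        if (s->keys[i].in_use && s->keys[i].version == version) n++;
    return n;
}

/* A ticket encoded under a key version is accepted only while some key of that
   version remains; deleting the version invalidates every such ticket. */
bool ticket_accepted(const key_store_t *s, unsigned ticket_version)
{
    return key_count(s, ticket_version) > 0;
}

/* Stand-in for sec_key_mgmt_change_key( ) with a freshly generated key: install
   a new version (highest existing + 1) in every key type and make it current.
   Older versions are kept on purpose, so tickets issued under them remain
   valid until they are deleted explicitly. Returns the new version. */
unsigned change_key(key_store_t *s)
{
    unsigned newest = 0;
    for (size_t i = 0; i < MAX_KEYS; i++)
        if (s->keys[i].in_use && s->keys[i].version > newest) newest = s->keys[i].version;
    unsigned v = newest + 1;
    store_add(s, v, KEYTYPE_A);
    store_add(s, v, KEYTYPE_B);
    s->current_version = v;
    return v;
}

/* Stand-in for sec_key_mgmt_delete_key( ): drop every key type with this
   version. Like the real routine it does not refuse to delete the current one. */
unsigned delete_key(key_store_t *s, unsigned version)
{
    unsigned removed = 0;
    for (size_t i = 0; i < MAX_KEYS; i++)
        if (s->keys[i].in_use && s->keys[i].version == version) {
            s->keys[i].in_use = false;
            removed++;
        }
    return removed;
}

/* Stand-in for sec_key_mgmt_delete_key_type( ): drop one (version, type) entry. */
bool delete_key_type(key_store_t *s, unsigned version, keytype_t type)
{
    for (size_t i = 0; i < MAX_KEYS; i++)
        if (s->keys[i].in_use && s->keys[i].version == version && s->keys[i].type == type) {
            s->keys[i].in_use = false;
            return true;
        }
    return false;
}

/* The procedure from the text: rotate first if the compromised version is the
   current one, then delete the compromised version in all key types.
   Returns the version that is current afterwards. */
unsigned revoke_compromised_key(key_store_t *s, unsigned compromised_version)
{
    if (compromised_version == s->current_version) change_key(s);
    delete_key(s, compromised_version);
    return s->current_version;
}

int main(void)
{
    key_store_t store;
    store_init(&store, 1);                  /* version 1 is the one that leaked */
    unsigned now = revoke_compromised_key(&store, 1);
    printf("current version %u; ticket under v1 accepted: %s\n",
           now, ticket_accepted(&store, 1) ? "yes" : "no");
    return 0;
}
```

The ordering matters: calling delete_key( ) on the current version before change_key( ) leaves the service with no key at all until the rotation completes, whereas rotating first means only tickets encoded under the compromised version are rejected. The delete_key_type( ) call is the narrower tool for the case where a single key type of a version is suspect and the others should keep serving existing tickets.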

Since an application may have no means of discovering that its key has been compromised, the rgy_edit tool provides interfaces that call sec_key_mgmt_delete_key( ), sec_key_mgmt_change_key( ), and sec_key_mgmt_gen_rand_key( ), so that a network administrator, who is more likely to detect the compromise, can respond to a security breach of this kind. Alternatively, the application may provide its own user interfaces to these routines.