We need a mechanism to delete old keys (especially TGT keys) from the database. One possible mechanism would be start/expire dates on keys. Another would be a not-valid-yet bit and a command to delete old keys. The reason you probably want the not-valid-yet bit is to deal with the time between when the key is generated and when it is available on all replicated servers (AFS and TGT come to mind).
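A model of the second option (the not-valid-yet bit plus a delete command), added here as an example and not taken from the project's code. `KeySet`, `activate`, `delete_old_keys`, and the rule that an old key is removed only after it has been superseded for `max_ticket_life` seconds are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Key:
    kvno: int
    not_valid_yet: bool = True            # set until every replica holds the key
    superseded_at: Optional[int] = None   # when a newer key became valid

@dataclass
class KeySet:                             # hypothetical model of one principal's keys
    keys: list = field(default_factory=list)

    def add_key(self) -> int:
        kvno = max((k.kvno for k in self.keys), default=0) + 1
        self.keys.append(Key(kvno))
        return kvno
    def activate(self, kvno: int, now: int) -> None:
        # Clear the bit once replication is confirmed; older keys become superseded.
        for k in self.keys:
            if k.kvno == kvno:
                k.not_valid_yet = False
            elif k.kvno < kvno and k.superseded_at is None:
                k.superseded_at = now
    def issuing_key(self) -> Optional[Key]:
        # Newest key allowed to encrypt new tickets.
        valid = [k for k in self.keys if not k.not_valid_yet]
        return max(valid, key=lambda k: k.kvno, default=None)
    def can_decrypt(self, kvno: int) -> bool:
        # Any stored key decrypts, including one still marked not-valid-yet.
        return any(k.kvno == kvno for k in self.keys)
    def delete_old_keys(self, now: int, max_ticket_life: int) -> list:
        # Assumed policy: a key goes once it has been superseded for max_ticket_life.
        old = [k.kvno for k in self.keys if k.superseded_at is not None
               and now - k.superseded_at >= max_ticket_life]
        self.keys = [k for k in self.keys if k.kvno not in old]
        return old

def rollover_demo():
    # Constructed timeline in seconds: a primary and one lagging replica.
    primary, replica = KeySet(), KeySet()
    for db in (primary, replica):
        db.activate(db.add_key(), now=0)        # kvno 1 live everywhere
    new = primary.add_key()                      # kvno 2 exists only on the primary
    during = (primary.issuing_key().kvno, replica.can_decrypt(new))
    replica.add_key()                            # replication catches up
    primary.activate(new, now=100)
    early = primary.delete_old_keys(now=200, max_ticket_life=36000)
    late = primary.delete_old_keys(now=36100, max_ticket_life=36000)
    return during, early, late, primary.issuing_key().kvno
```

While kvno 2 is still marked not-valid-yet, the primary keeps issuing under kvno 1, so the lagging replica never sees a ticket it cannot decrypt. The delete command leaves kvno 1 in place until the assumed ticket lifetime has passed since the switch.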