The key-distribution-center (KDC) stores all secret keys for all users and servers. This machine must be physically secured, as well as have strong access control mechanisms for updating the database of keys. Both clients and servers must trust that the information they receive from the key-distribution-center is correct. A major vulnerability with the Kerberos model is that if the key-distribution-server is compromised, every secret key used on the network is compromised.