2.2.1 PA-PK-AS-REP_OLD
The data for the PA-PK-AS-REP_OLD pre-authentication data identifiers is based on an earlier draft of [RFC4556]; therefore, there are some differences in the message format. The ASN.1 [ITUX680] description of the message that SHOULD<8> be used in place of the message format specified in [RFC4556] section 3.2.1 follows.
PKINIT DEFINITIONS EXPLICIT TAGS ::=
BEGIN
--EXPORTS ALL--

IMPORTS
    KerberosTime, PrincipalName, Realm, EncryptionKey
        FROM KerberosV5Spec2 { iso(1) identified-organization(3) dod(6)
            internet(1) security(5) kerberosV5(2) }
            -- Different from [RFC4556] Appendix A

    ContentInfo, EnvelopedData, SignedData, IssuerAndSerialNumber
        FROM CryptographicMessageSyntax2004 { iso(1) member-body(2) us(840)
            rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0)
            cms-2004(24) }
            -- Same as defined in [RFC3852]

    AlgorithmIdentifier
        FROM PKIX1Explicit88 { iso(1) identified-organization(3) dod(6)
            internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
            id-pkix1-explicit(18) };
            -- From [RFC3280] (Same as defined in [RFC4556] Appendix A)

--
-- PKINIT data types
--

PA-PK-AS-REQ ::= SEQUENCE {          -- PA TYPE 15
    signedAuthPack          [0] IMPLICIT OCTET STRING
}

AuthPack ::= SEQUENCE {
    pkAuthenticator         [0] PKAuthenticator
}

--
-- PK-AUTHENTICATOR - Different from [RFC4556]
-- Appendix A, PKAuthenticator.
--
PKAuthenticator ::= SEQUENCE {
    kdc-name                [0] PRINCIPAL-NAME,
    kdc-realm               [1] REALM,
        -- name and realm of the KDC issuing the ticket
    cusec                   [2] INTEGER,
    ctime                   [3] KerberosTime,
    nonce                   [4] INTEGER
}

END
PA-PK-AS-REQ field:
signedAuthPack: Contains content identical to the content of the signedAuthPack field, as specified in [RFC4556] section 3.2.1.
AuthPack field:
pkAuthenticator: Contains a PKAuthenticator structure, as defined in this document. This variation of the AuthPack structure is different from the one specified in [RFC4556].
PKAuthenticator fields:
kdc-name: Contains the name portion of the ticket-granting service (TGS) name of the KDC that will service the request, as specified in [RFC4120] section 7.3.
kdc-realm: Contains the realm portion of the TGS name of the KDC that will service the request, as specified in [RFC4120] section 7.3.
cusec: Contains the same content as the identically named field of the PKAuthenticator type specified in [RFC4556] section 3.2.1.
ctime: Contains the same content as the identically named field of the PKAuthenticator type specified in [RFC4556] section 3.2.1.
nonce: Contains the same content as the identically named field of the PKAuthenticator type specified in [RFC4556] section 3.2.1.
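The following Python is an added illustration, not part of [MS-PKCA] or any Kerberos implementation: it DER-encodes the PKAuthenticator defined above so the field order and explicit context tags can be inspected byte by byte. It assumes the [RFC4120] definitions PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }, Realm ::= KerberosString (GeneralString) and KerberosTime ::= GeneralizedTime; all sample values are constructed.

```python
# Added example (not specification code). The module is declared with
# EXPLICIT TAGS, so each [n] field is a context-specific constructed wrapper
# (0xA0 | n) around the inner DER element.

def _length(n: int) -> bytes:
    # DER definite length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _length(len(content)) + content

def der_integer(value: int) -> bytes:
    # minimal two's-complement encoding; non-negative values only
    assert value >= 0
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def der_general_string(s: str) -> bytes:     # KerberosString
    return _tlv(0x1B, s.encode("ascii"))

def der_generalized_time(ts: str) -> bytes:  # KerberosTime, e.g. "20240101120000Z"
    return _tlv(0x18, ts.encode("ascii"))

def der_sequence(*elements: bytes) -> bytes:
    return _tlv(0x30, b"".join(elements))

def explicit(tag_no: int, inner: bytes) -> bytes:
    return _tlv(0xA0 | tag_no, inner)

def principal_name(name_type: int, *parts: str) -> bytes:
    return der_sequence(
        explicit(0, der_integer(name_type)),
        explicit(1, der_sequence(*(der_general_string(p) for p in parts))))

def pk_authenticator_old(kdc_name: bytes, kdc_realm: str, cusec: int,
                         ctime: str, nonce: int) -> bytes:
    # Field order is fixed by the module: kdc-name, kdc-realm, cusec, ctime, nonce.
    # An [RFC4556] PKAuthenticator starts with cusec instead, so a decoder written
    # for that layout will not parse this structure.
    return der_sequence(
        explicit(0, kdc_name),
        explicit(1, der_general_string(kdc_realm)),
        explicit(2, der_integer(cusec)),
        explicit(3, der_generalized_time(ctime)),
        explicit(4, der_integer(nonce)))

# Constructed sample: TGS principal krbtgt/EXAMPLE.COM (name-type 2, NT-SRV-INST)
SAMPLE = pk_authenticator_old(principal_name(2, "krbtgt", "EXAMPLE.COM"),
                              "EXAMPLE.COM", 123456, "20240101120000Z", 0x1234)
```

Dumping SAMPLE.hex() shows the outer SEQUENCE followed by tags A0 through A4 in order, which is the quickest way to tell this variant apart from an [RFC4556] PKAuthenticator in a capture.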