2.2.1 PA-PK-AS-REQ_OLD

The data for the PA-PK-AS-REQ_OLD pre-authentication data identifier is based on an earlier draft of [RFC4556]; therefore, there are some differences in the message format (this section describes the client request; the structures below carry the request-side AuthPack and PKAuthenticator). The ASN.1 [ITUX680] description of the message that SHOULD<8> be used in place of the message format specified in [RFC4556] section 3.2.1 follows.

 PKINIT DEFINITIONS EXPLICIT TAGS ::=
 BEGIN
 --EXPORTS ALL--
 IMPORTS
 KerberosTime, PrincipalName, Realm, EncryptionKey
 FROM KerberosV5Spec2
 { iso(1) identified-organization(3) dod(6) internet(1) security(5)
          kerberosV5(2) }
 -- Different from [RFC4556] Appendix A
 ContentInfo, EnvelopedData, SignedData, IssuerAndSerialNumber
 FROM CryptographicMessageSyntax2004
 { iso(1) member-body(2) us(840) rsadsi(113549)
 pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2004(24) }
 -- Same as defined in [RFC3852]
 AlgorithmIdentifier
 FROM PKIX1Explicit88
 { iso(1) identified-organization(3) dod(6) internet(1) security(5)
          mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) };
 -- From [RFC3280] (Same as defined in [RFC4556] Appendix A)
 --
 -- PKINIT data types
 --
 PA-PK-AS-REQ ::= SEQUENCE {
 -- PA TYPE 15
 signedAuthPack [0] IMPLICIT OCTET STRING
 }


 AuthPack ::= SEQUENCE {
     pkAuthenticator  [0] PKAuthenticator
 }


 --
 -- PK-AUTHENTICATOR - Different from [RFC4556]
 -- Appendix A, PKAuthenticator.
 -- PrincipalName and Realm are the imported KerberosV5Spec2 types.
 --
 PKAuthenticator ::= SEQUENCE {
     kdc-name   [0] PrincipalName,
     kdc-realm  [1] Realm,
 -- name and realm of the KDC issuing the ticket
     cusec      [2] INTEGER,
     ctime      [3] KerberosTime,
     nonce      [4] INTEGER
 }
 END

PA-PK-AS-REQ field:

  • signedAuthPack: Contains the same content as the signedAuthPack field specified in [RFC4556] section 3.2.1: a DER-encoded CMS ContentInfo of type SignedData whose signed content is the AuthPack structure defined in this section, not the AuthPack from [RFC4556].

AuthPack field:

  • pkAuthenticator: Contains a PKAuthenticator structure as defined in this section. This variant of AuthPack differs from the one specified in [RFC4556]: it carries only the PKAuthenticator, and the PKAuthenticator itself has a different layout.

PKAuthenticator fields:

  • kdc-name: Contains the name portion of the ticket-granting service (TGS) name of the KDC that will service the request, as specified in [RFC4120] section 7.3 (that is, the principal "krbtgt" with the realm name as its instance).

  • kdc-realm: Contains the realm portion of the TGS name of the KDC that will service the request, as specified in [RFC4120] section 7.3.

  • cusec: Contains the same content as the field of the same name in the PKAuthenticator type specified in [RFC4556] section 3.2.1.

  • ctime: Contains the same content as the field of the same name in the PKAuthenticator type specified in [RFC4556] section 3.2.1.

  • nonce: Contains the same content as the field of the same name in the PKAuthenticator type specified in [RFC4556] section 3.2.1.
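The following is an added example, not part of the MS-PKCA text or of any Microsoft or Kerberos implementation. It hand-encodes the AuthPack and PKAuthenticator defined above in DER (EXPLICIT tagging, KerberosV5Spec2 types from [RFC4120]) without an ASN.1 library, decodes them back, and applies the two checks a KDC would want on this structure: that kdc-name/kdc-realm name its own TGS principal (krbtgt/REALM, name-type KRB_NT_SRV_INST per [RFC4120] section 7.3) and that ctime is within an acceptable clock skew. Note that, unlike the [RFC4556] Appendix A PKAuthenticator, this older layout has no paChecksum field binding the KDC-REQ-BODY; what it binds instead is the target KDC via kdc-name/kdc-realm, which is why the name check matters. The realm EXAMPLE.COM, the nonce, cusec and timestamp values are constructed sample inputs, and the five-minute skew is an assumed policy value; the outer PA-PK-AS-REQ wrapper (signedAuthPack, a CMS SignedData in an IMPLICIT OCTET STRING) is not built here because it requires a signing key and certificate.

```python
"""DER encode/decode of PA-PK-AS-REQ_OLD AuthPack / PKAuthenticator (MS-PKCA 2.2.1).

Hand-rolled DER so the example runs offline. Tag values: SEQUENCE 0x30,
INTEGER 0x02, GeneralString 0x1B (KerberosString), GeneralizedTime 0x18
(KerberosTime), [n] EXPLICIT context tag 0xA0|n.
"""
from datetime import datetime, timedelta, timezone

KRB_NT_SRV_INST = 2  # name-type used for krbtgt/REALM (RFC 4120 section 6.2)


# ---- minimal DER writer -----------------------------------------------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def ctx(n, body):           # [n] EXPLICIT: constructed, context-specific
    return tlv(0xA0 | n, body)


def der_int(v):             # non-negative INTEGER, minimal two's-complement form
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def kerberos_string(s):     # KerberosString ::= GeneralString
    return tlv(0x1B, s.encode("ascii"))


def kerberos_time(t):       # KerberosTime ::= GeneralizedTime, whole seconds, UTC
    return tlv(0x18, t.strftime("%Y%m%d%H%M%SZ").encode("ascii"))


def principal_name(name_type, parts):
    # PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }
    return tlv(0x30, ctx(0, der_int(name_type))
               + ctx(1, tlv(0x30, b"".join(kerberos_string(p) for p in parts))))


def pk_authenticator(kdc_realm, cusec, ctime, nonce):
    """PKAuthenticator as in 2.2.1; kdc-name is the TGS name krbtgt/<realm>."""
    return tlv(0x30,
               ctx(0, principal_name(KRB_NT_SRV_INST, ["krbtgt", kdc_realm]))
               + ctx(1, kerberos_string(kdc_realm))
               + ctx(2, der_int(cusec))
               + ctx(3, kerberos_time(ctime))
               + ctx(4, der_int(nonce)))


def auth_pack(pka_der):
    return tlv(0x30, ctx(0, pka_der))   # AuthPack ::= SEQUENCE { pkAuthenticator [0] ... }


# ---- minimal DER reader -----------------------------------------------------
def read_tlv(buf, off=0):
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    end = off + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[off:end], end


def children(body):
    out, off = [], 0
    while off < len(body):
        tag, val, off = read_tlv(body, off)
        out.append((tag, val))
    return out


def unwrap(tag_want, blob):
    tag, val, _ = read_tlv(blob)
    if tag != tag_want:
        raise ValueError(f"expected tag 0x{tag_want:02x}, got 0x{tag:02x}")
    return val


def decode_principal_name(blob):
    fields = dict(children(unwrap(0x30, blob)))
    name_type = int.from_bytes(unwrap(0x02, fields[0xA0]), "big")
    parts = [v.decode("ascii") for _, v in children(unwrap(0x30, fields[0xA1]))]
    return name_type, parts


def decode_pk_authenticator(blob):
    fields = dict(children(unwrap(0x30, blob)))
    ctime = datetime.strptime(unwrap(0x18, fields[0xA3]).decode("ascii"), "%Y%m%d%H%M%SZ")
    return {
        "kdc-name": decode_principal_name(fields[0xA0]),
        "kdc-realm": unwrap(0x1B, fields[0xA1]).decode("ascii"),
        "cusec": int.from_bytes(unwrap(0x02, fields[0xA2]), "big"),
        "ctime": ctime.replace(tzinfo=timezone.utc),
        "nonce": int.from_bytes(unwrap(0x02, fields[0xA4]), "big"),
    }


def decode_auth_pack(blob):
    return decode_pk_authenticator(dict(children(unwrap(0x30, blob)))[0xA0])


def check_pk_authenticator(blob, my_realm, now, max_skew=timedelta(minutes=5)):
    """KDC-side checks: the request must name this KDC's TGS and be fresh."""
    p = decode_pk_authenticator(blob)
    if p["kdc-name"] != (KRB_NT_SRV_INST, ["krbtgt", my_realm]) or p["kdc-realm"] != my_realm:
        return "wrong-kdc"
    if abs(p["ctime"] - now) > max_skew:
        return "clock-skew"
    return "ok"


if __name__ == "__main__":
    # constructed sample values
    t = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
    pka = pk_authenticator("EXAMPLE.COM", 123456, t, 0x1234ABCD)
    print(auth_pack(pka).hex())
    print(check_pk_authenticator(pka, "EXAMPLE.COM", t + timedelta(seconds=30)))
```

The nonce in the decoded structure is what the client later matches against the KDC's reply; a KDC or a detection tool parsing captured PKINIT traffic can reuse the reader half alone, since the structure is plain DER once the CMS signature layer has been removed.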