3.1.5.15 RemoteCallKerbCreateDHKeyAgreement
The RemoteCallKerbCreateDHKeyAgreement call uses the Kerberos CreateDHKeyAgreement message (section 2.2.2.1.15) to create a key handle to be used in Kerberos PKINIT. The key agreement will use Diffie-Hellman, as defined in [RFC4556].
The outputs of this message exchange are suitable for building a SubjectPublicKeyInfo structure ([RFC3280]) for inclusion in a Kerberos PKINIT message exchange ([RFC4556]).
The output KeyAgreementHandle is connection-specific and is only valid for use with the same CredSSP client which created the handle. This ensures that the key agreement will be used only by the CredSSP server that requested the handle, and only for a single negotiated session [MS-CSSP].
To perform this message exchange, the CredSSP server MUST send a KerbCredIsoRemoteInput object to the CredSSP client. The CallId field MUST be set to RemoteCallKerbCreateDHKeyAgreement, and the CreateDHKeyAgreement member of the union MUST be populated.
To reply to the preceding input message, the CredSSP client MUST respond with a KerbCredIsoRemoteOutput object. The CallId field MUST be set to RemoteCallKerbCreateDHKeyAgreement, and the CreateDHKeyAgreement member of the union MUST be populated.
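As an added example, not the spec's wire format or Microsoft's code: a Python model of the CredSSP client's side of this exchange, assuming a hypothetical field layout for the reply, a per-connection handle table, and the 1024-bit MODP group 2 that RFC 4556 requires; it also DER-encodes the public value as the DHPublicKey INTEGER that goes into the SubjectPublicKeyInfo, and shows the handle being refused when used from a different connection.

```python
import secrets
from dataclasses import dataclass

CALL_ID = "RemoteCallKerbCreateDHKeyAgreement"  # the spec's CallId value
# 1024-bit MODP group 2 (RFC 2409), one of the well-known groups RFC 4556 requires.
MODP_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
MODP_GROUP2_G = 2

@dataclass
class CreateDHKeyAgreementOutput:  # hypothetical layout of the reply's union member
    call_id: str
    key_agreement_handle: int
    public_value: int  # y = g^x mod p; the DHPublicKey INTEGER inside the SPKI

def der_integer(value: int) -> bytes:
    """DER-encode a non-negative INTEGER (RFC 3279: DHPublicKey ::= INTEGER)."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")  # sign bit stays clear
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:  # long-form length
        n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(n)]) + n
    return b"\x02" + length + body

class CredSspClientKeyAgreements:
    """CredSSP-client-side store; a handle is bound to the connection that created it."""
    def __init__(self):
        self._keys = {}  # (connection_id, handle) -> (private exponent x, p)

    def create_dh_key_agreement(self, connection_id, p=MODP_GROUP2_P, g=MODP_GROUP2_G):
        """Serve RemoteCallKerbCreateDHKeyAgreement: keep x private, hand back y and a handle."""
        x = secrets.randbelow(p - 2) + 1
        handle = len(self._keys) + 1
        self._keys[(connection_id, handle)] = (x, p)
        return CreateDHKeyAgreementOutput(CALL_ID, handle, pow(g, x, p))

    def compute_shared_secret(self, connection_id, handle, peer_public):
        """Later PKINIT step: refused unless the handle was created on this connection."""
        entry = self._keys.get((connection_id, handle))
        if entry is None:
            raise PermissionError("KeyAgreementHandle is not valid for this connection")
        x, p = entry
        if not 1 < peer_public < p - 1:  # reject trivial subgroup values
            raise ValueError("peer public value out of range")
        return pow(peer_public, x, p)
```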