transited encoding

Nico Williams nico at cryptonector.com
Fri Aug 2 18:56:42 EDT 2013


Late to the party but maybe I can add something.

On Tue, Jul 30, 2013 at 6:56 PM, Frank Cusack <frank at linetwo.net> wrote:
> I can find no description of how the AS adds or does not add the name of
> its own realm.

The first and last realms are implied (crealm, srealm), so they are
not included in the transited field.  This makes sense given that the
spec tries hard to compress the transited path; excluding the implied
realms makes it smaller.

> However, 3.3.3.2 says that the TGS takes the existing transited field (from
> the TGT) and possibly adds the TGT issuer's realm, before encoding a new
> transited field into the issued ticket.  It doesn't say anything about
> stripping or not stripping the local realm, but it is explicit that local
> realm authentication results in "a transited field that is empty".

Hopping a single realm also results in an empty transited field.  Any
path longer than one hop must have a non-empty transited field.

> 1) Is this the same for a TGT?

That it's a TGT is irrelevant.  All INITIAL tickets must have an empty
transited field.  All other tickets may or may not have an empty
transited field depending how they were obtained.  Loops are not
allowed, so if the crealm and srealm are the same then the transit
path must be empty.

Oh, speaking of which, I just noticed that the FILE ccache doesn't
store the transit path for any given ticket...  Huh.

> 2) How does one encode an empty but required ASN.1 TransitedEncoding
> Sequence?  Would this be a sequence of length 0?  What exactly does that
> look like?

All the SEQUENCE fields in the types in question are non-OPTIONAL, so
it's just the OCTET STRING that must be empty, length 0.

Nico
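As an added illustration of the points made in this thread (not code from the thread or from any Kerberos implementation): a minimal DER encoder and strict decoder for the TransitedEncoding type, showing that an "empty" transited field is a length-0 OCTET STRING inside a mandatory SEQUENCE, and a helper that drops the implied first and last realms from a realm path. The helper assumes intermediate realm names are written in full, comma-separated, without the optional abbreviation the X.500-compress form allows.

```python
# Added example: DER for the Kerberos TransitedEncoding (RFC 4120, 5.3.1):
#   TransitedEncoding ::= SEQUENCE { tr-type [0] Int32, contents [1] OCTET STRING }
# Both fields are mandatory, so an "empty" transited path is an OCTET STRING of
# length zero inside the SEQUENCE, never an absent field.
DOMAIN_X500_COMPRESS = 1  # the only tr-type defined by RFC 4120

def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long-form length
    return bytes([tag, 0x80 | len(size)]) + size + body

def encode_transited(contents: bytes, tr_type: int = DOMAIN_X500_COMPRESS) -> bytes:
    # Kerberos context tags are EXPLICIT: [0] and [1] wrap the inner TLVs.
    int_len = max(1, (tr_type.bit_length() + 8) // 8)  # minimal two's complement
    field0 = _tlv(0xA0, _tlv(0x02, tr_type.to_bytes(int_len, "big", signed=True)))
    field1 = _tlv(0xA1, _tlv(0x04, contents))
    return _tlv(0x30, field0 + field1)

def transited_for_path(path: list[str]) -> bytes:
    # crealm (first) and srealm (last) are implied and omitted, so a single hop
    # gives empty contents.  Assumption: full realm names, comma-separated.
    if len(path) < 2:
        raise ValueError("path must contain at least crealm and srealm")
    return ",".join(path[1:-1]).encode("ascii")

def _read_tlv(buf: bytes, pos: int, tag: int) -> tuple[bytes, int]:
    # Strict definite-length reader: wrong tag, bad length or truncation all fail.
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag {tag:#x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length >= 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER body")
    return buf[pos:pos + length], pos + length

def decode_transited(der: bytes) -> tuple[int, bytes]:
    seq, end = _read_tlv(der, 0, 0x30)
    f0, p = _read_tlv(seq, 0, 0xA0)
    f1, p = _read_tlv(seq, p, 0xA1)
    if end != len(der) or p != len(seq):
        raise ValueError("trailing or extra bytes")
    tr_body, e0 = _read_tlv(f0, 0, 0x02)
    contents, e1 = _read_tlv(f1, 0, 0x04)
    if e0 != len(f0) or e1 != len(f1):
        raise ValueError("malformed field contents")
    return int.from_bytes(tr_body, "big", signed=True), contents
```

`encode_transited(b"")` yields the 11 bytes `30 09 a0 03 02 01 01 a1 02 04 00`, the empty field the thread describes; a truncated or over-long buffer is rejected rather than silently accepted as empty.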