transited encoding

Frank Cusack frank at linetwo.net
Tue Jul 30 19:56:46 EDT 2013


RFC 4120, section 5.3 and Appendix A indicate that in a ticket
(EncTicketPart) the 'transited' field is mandatory.

I can find no description of how the AS adds or does not add the name of
its own realm.

However, 3.3.3.2 says that the TGS takes the existing transited field (from
the TGT) and possibly adds the TGT issuer's realm, before encoding a new
transited field into the issued ticket.  It doesn't say anything about
stripping or not stripping the local realm, but it is explicit that local
realm authentication results in "a transited field that is empty".

1) Is this the same for a TGT?
2) How does one encode an empty but required ASN.1 TransitedEncoding
Sequence?  Would this be a sequence of length 0?  What exactly does that
look like?

thanks.
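
The encoding asked about in question 2, as an added example that is not part of the original post. RFC 4120 defines TransitedEncoding as a SEQUENCE of `tr-type [0] Int32` and `contents [1] OCTET STRING` with explicit tagging, so an "empty" transited field is read here as a zero-length `contents` inside a SEQUENCE that is itself not empty. The tr-type of 1 (DOMAIN-X500-COMPRESS) is an assumption, and the helper names are hypothetical.

```python
DOMAIN_X500_COMPRESS = 1  # tr-type value registered in RFC 4120 (assumed here)

def der_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value

def encode_transited(tr_type, contents):
    """Encode TransitedEncoding; tr_type must be non-negative."""
    integer = tlv(0x02, tr_type.to_bytes(tr_type.bit_length() // 8 + 1, "big"))
    # [0] EXPLICIT INTEGER followed by [1] EXPLICIT OCTET STRING
    return tlv(0x30, tlv(0xA0, integer) + tlv(0xA1, tlv(0x04, contents)))

def read_tlv(buf, pos, want):
    """Return (value, next_pos) for the TLV at pos; reject any other tag."""
    if pos + 2 > len(buf) or buf[pos] != want:
        raise ValueError(f"expected tag {want:#04x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return buf[pos:pos + length], pos + length

def decode_transited(der):
    """Return (tr_type, contents); both fields are mandatory."""
    seq, end = read_tlv(der, 0, 0x30)
    tr, p = read_tlv(seq, 0, 0xA0)
    ct, q = read_tlv(seq, p, 0xA1)
    num, a = read_tlv(tr, 0, 0x02)
    contents, b = read_tlv(ct, 0, 0x04)
    if end != len(der) or q != len(seq) or a != len(tr) or b != len(ct) or not num:
        raise ValueError("trailing or missing bytes")
    return int.from_bytes(num, "big", signed=True), contents

# Constructed value, not captured from a KDC.
EMPTY = encode_transited(DOMAIN_X500_COMPRESS, b"")
if __name__ == "__main__":
    print(EMPTY.hex(" "))           # the 11-byte DER encoding
    print(decode_transited(EMPTY))  # (tr_type, contents)
```

A literal zero-length SEQUENCE (`30 00`) fails in `decode_transited` because neither mandatory field is present.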

