transited encoding

Greg Hudson ghudson at MIT.EDU
Wed Jul 31 00:57:12 EDT 2013


On 07/30/2013 07:56 PM, Frank Cusack wrote:
> However, 3.3.3.2 says that the TGS takes the existing transited field (from
> the TGT) and possibly adds the TGT issuer's realm, before encoding a new
> transited field into the issued ticket.  It doesn't say anything about
> stripping or not stripping the local realm, but it is explicit that local
> realm authentication results in "a transited field that is empty".
>
> 1) Is this the same for a TGT?

A TGT (or any other ticket) issued as the result of an AS request will
have an empty transited field.  A cross-realm TGT issued as the result
of a TGS request could have an empty or non-empty transited field,
depending on the TGT used to obtain it.

> 2) How does one encode an empty but required ASN.1 TransitedEncoding
> Sequence?  Would this be a sequence of length 0?  What exactly does that
> look like?

The fields of TransitedEncoding are not optional, so the sequence will
not be of length 0.  An empty transited field is represented with 1
(DOMAIN-X500-COMPRESS) in the tr-type field and an empty octet string in
the contents field.  In DER, that comes out to:

  30 09   (sequence, length 9)
    A0 03   (context tag 0, length 3)
      02 01 (integer, length 1)
        01  (1)
    A1 02   (context tag 1, length 2)
      04 00 (octet string, length 0)
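
The DER layout Greg spells out above, worked through as an added example (this is not code from the post, from MIT Kerberos, or from any other implementation): a small hand-rolled DER encoder and decoder for TransitedEncoding, with the bytes from the post as the expected output for the empty case. The non-empty `contents` value used in the round trip is a constructed sample byte string; the block does not implement the DOMAIN-X500-COMPRESS realm-compression rules of RFC 4120 3.3.3.2, it only carries whatever bytes that compression would produce.

```python
"""Hand-encode and decode the Kerberos TransitedEncoding (RFC 4120 5.3):

    TransitedEncoding ::= SEQUENCE {
        tr-type   [0] Int32,
        contents  [1] OCTET STRING
    }

Kerberos uses EXPLICIT tags, so each [n] wraps a full inner TLV.
Minimal DER helpers only; no external ASN.1 library is needed.
"""

DOMAIN_X500_COMPRESS = 1  # the only tr-type registered by RFC 4120

# Expected encoding of an empty transited field, copied from the post.
EMPTY_TRANSITED_DER = bytes.fromhex("30 09 A0 03 02 01 01 A1 02 04 00")


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value for a single-octet tag."""
    return bytes([tag]) + der_length(len(value)) + value


def der_integer(i: int) -> bytes:
    """DER INTEGER (tag 0x02) for a non-negative value, minimal two's complement."""
    if i < 0:
        raise ValueError("only non-negative tr-type values are handled here")
    nbytes = (i.bit_length() + 8) // 8  # the extra bit keeps the sign bit clear
    return der_tlv(0x02, i.to_bytes(nbytes, "big", signed=True))


def encode_transited(contents: bytes, tr_type: int = DOMAIN_X500_COMPRESS) -> bytes:
    """Build the SEQUENCE; both fields are mandatory, so it is never length 0."""
    tr = der_tlv(0xA0, der_integer(tr_type))      # [0] EXPLICIT around INTEGER
    ct = der_tlv(0xA1, der_tlv(0x04, contents))   # [1] EXPLICIT around OCTET STRING
    return der_tlv(0x30, tr + ct)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV at buf[pos:], rejecting non-DER lengths."""
    if pos + 1 >= len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + 2 + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        if length < 0x80 or buf[pos + 2] == 0:
            raise ValueError("non-minimal length encoding is not DER")
        pos += 2 + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:end], end


def _expect(buf: bytes, pos: int, want_tag: int, must_end: bool):
    tag, value, nxt = _read_tlv(buf, pos)
    if tag != want_tag:
        raise ValueError(f"expected tag {want_tag:#04x}, got {tag:#04x}")
    if must_end and nxt != len(buf):
        raise ValueError("trailing bytes after element")
    return value, nxt


def decode_transited(der: bytes):
    """Parse a TransitedEncoding and return (tr_type, contents)."""
    seq, _ = _expect(der, 0, 0x30, must_end=True)
    tr_raw, pos = _expect(seq, 0, 0xA0, must_end=False)
    ival, _ = _expect(tr_raw, 0, 0x02, must_end=True)
    tr_type = int.from_bytes(ival, "big", signed=True)
    ct_raw, _ = _expect(seq, pos, 0xA1, must_end=True)
    contents, _ = _expect(ct_raw, 0, 0x04, must_end=True)
    return tr_type, contents


def is_empty_transited(der: bytes) -> bool:
    """True when the ticket was issued by an AS request or within a single realm."""
    tr_type, contents = decode_transited(der)
    return tr_type == DOMAIN_X500_COMPRESS and contents == b""


if __name__ == "__main__":
    print(encode_transited(b"").hex(" ").upper())
    # Constructed sample contents, standing in for compressed realm data.
    print(decode_transited(encode_transited(b"EDU,MIT.,")))
```

The decoder checks for trailing bytes at every level and rejects indefinite or non-minimal lengths, which is the part worth keeping in mind when the field is consumed by code that later makes an authorization decision on the transited realms.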



More information about the Kerberos mailing list