Authdata, preauth plugin headers

[Greg Hudson]

On Fri, 2011-06-10 at 11:06 -0400, Sam Hartman wrote:
> Pretty much any multi-round-trip preauth plugin will need to be able to
> store state in the cookie.

I see.  The OTP draft doesn't use the word "cookie", instead referencing
"the mechanism described in section 5.2 of [RFC6113]".

However, now I'm confused about why the KDC is bothering to generate a
nonce in the 4-pass scheme if it's not going to remember it.  (The
cookie is not the same thing as "memory", since the KDC has no assurance
that it wasn't replayed.)