Using KDC's master key to encrypt data

Alejandro Perez Mendez alex at
Fri Aug 10 03:45:08 EDT 2012

On 10/08/12 08:35, Alejandro Perez Mendez wrote:
> After a discussing it with Nico, and since I'm not actually using FAST,
> we realized that it may be better if I don't use PA_FX_COOKIE at all for
> this purpose. The GSS context can be transported within the same PA_DATA
> than the GSS_TOKEN, making the solution more independent from FAST.
> The resulting PA-GSS would be something similar to this (ASN1 provided
> by Nico):
>       sec-ctx-token [0] OCTET STRING,
>       state [1] EncryptedData OPTIONAL -- containing PA-GSS-STATE
> }

I meant PA-GSS and not PA-TGS

More information about the krbdev mailing list