"Fossies" - the Fresh Open Source Software Archive

Member "krb5-1.18/doc/formats/freshness_token.rst" (12 Feb 2020, 878 Bytes) of package /linux/misc/krb5-1.18.tar.gz:



PKINIT freshness tokens

RFC 8070 specifies a pa-data type PA_AS_FRESHNESS, which clients should reflect within signed PKINIT data to prove recent access to the client certificate private key. The contents of a freshness token are left to the KDC implementation. The MIT krb5 KDC uses the following format for freshness tokens (starting in release 1.17):

The checksum is computed using the first key in the local krbtgt principal entry for the realm (e.g. krbtgt/KRBTEST.COM@KRBTEST.COM if the request is to the KRBTEST.COM realm) of the indicated key version. The checksum type must be the mandatory checksum type for the encryption type of the krbtgt key. The key usage value for the checksum is 514.
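
As an added example (not code from MIT krb5 or from the original page), the code below issues and checks a token the way the paragraph above describes, for a krbtgt key of enctype aes128-cts-hmac-sha256-128, whose RFC 8009 checksum is HMAC-SHA-256 under a derived key Kc, truncated to 128 bits. Assumptions: the token is a four-byte big-endian timestamp, a four-byte big-endian key version number, then the raw checksum; the checksum covers the timestamp bytes; the function names, sample keys and 300-second window are constructed for illustration.

```python
import hashlib
import hmac
import struct

KEY_USAGE_PA_AS_FRESHNESS = 514  # key usage value stated in the text above
MAX_AGE = 300                    # assumed acceptance window in seconds (hypothetical policy)
CKSUM_LEN = 16                   # hmac-sha256-128-aes128 output length

def derive_kc(base_key: bytes, usage: int) -> bytes:
    """RFC 8009 KDF-HMAC-SHA2: Kc from label = usage | 0x99, k = 128 bits."""
    label = struct.pack(">IB", usage, 0x99)
    msg = b"\x00\x00\x00\x01" + label + b"\x00" + struct.pack(">I", 128)
    return hmac.new(base_key, msg, hashlib.sha256).digest()[:16]

def checksum(base_key: bytes, data: bytes) -> bytes:
    """HMAC-SHA-256 under Kc, truncated to 128 bits, with no ASN.1 wrapper."""
    kc = derive_kc(base_key, KEY_USAGE_PA_AS_FRESHNESS)
    return hmac.new(kc, data, hashlib.sha256).digest()[:CKSUM_LEN]

def make_token(krbtgt_keys: dict, kvno: int, now: int) -> bytes:
    """KDC side: build a token under the krbtgt key of the given version."""
    ts = struct.pack(">I", now)
    # Assumption: the checksum is computed over the 4-byte timestamp only.
    return ts + struct.pack(">I", kvno) + checksum(krbtgt_keys[kvno], ts)

def check_token(token: bytes, krbtgt_keys: dict, now: int) -> str:
    """KDC side: return 'ok' or the reason the reflected token is rejected."""
    if len(token) != 8 + CKSUM_LEN:
        return "bad length"
    ts, kvno = struct.unpack(">II", token[:8])
    key = krbtgt_keys.get(kvno)  # key of the indicated key version
    if key is None:
        return "unknown kvno"
    # Constant-time comparison, and only trust the timestamp after it verifies.
    if not hmac.compare_digest(token[8:], checksum(key, token[:4])):
        return "bad checksum"
    if not 0 <= now - ts <= MAX_AGE:
        return "stale"
    return "ok"

# Constructed sample keys: kvno -> 16-byte AES-128 krbtgt key.
KEYS = {1: bytes(range(16)), 2: bytes(range(16, 32))}

if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = make_token(KEYS, 2, t0)
    print(tok.hex(), check_token(tok, KEYS, t0 + 10))
```

Because the key version number travels inside the token, a token issued before a krbtgt rekey can still be verified as long as the older key version remains in the principal entry.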