Re: ASN.1 stuff (Re: [xad] Re: FW: SSPI client)
I think I was wrong. It's BIT STRING that is encoded incorrectly by MIT
krb5, and by all subsequent implementors. But it might be encoded
correctly by existing SPNEGO implementations.
See
http://www.amaranth.com/ietf/drafts/draft-ietf-cat-kerberos-revisions-09.txt
and Tom Yu's posts to the various Kerberos lists for more info.
Nico
Jacques A. Vidrine wrote:
>On Thu, Nov 08, 2001 at 09:18:07AM -0500, Nicolas Williams wrote:
>
>>Heimdal's ASN.1 compiler caters to krb5 ASN.1, which is
>>not true ASN.1 because MIT krb5 violates the ASN.1/DER specs in some
>>places, like with INTEGER, where, IIRC, MIT krb5 (and therefore all
>>other Kerberos V implementors) always writes four bytes for INTEGERs on
>>the wire, even though the minimum needed might be one byte.
>>
>
>I'm off on a tangent, but... at least in Kerberos 5 messages,
>the Heimdal code encodes integers correctly. It must, or digital
>signatures, message digests, and so forth would not work. This is the
>reason DER is specified. For example, `pvno' is always encoded as
>follows: 02 01 05, while encryption type des-cbc-md5 must be encoded
>as 02 01 03. There are no other acceptable ways to encode it.
>
>Maybe I'm not understanding you correctly ... do you mind providing a
>trace of what you mean?
>
>Cheers,
>
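
Added example, not part of the thread and not code from MIT krb5 or Heimdal: a DER INTEGER encoder and a strict decoder showing why `02 01 05` is the only acceptable encoding of pvno 5 when the bytes feed a checksum or signature. The function names and the four-octet sample are constructed for illustration, and only short-form lengths are handled.

```python
import hashlib


def encode_der_integer(value: int) -> bytes:
    """Encode a signed integer as a DER INTEGER using the fewest content octets."""
    # Two's-complement width: magnitude bits plus one sign bit, rounded up to octets.
    bits = value.bit_length() if value >= 0 else (~value).bit_length()
    content = value.to_bytes(bits // 8 + 1, "big", signed=True)
    if len(content) > 127:
        raise ValueError("long-form lengths are outside this example")
    return bytes([0x02, len(content)]) + content


def decode_der_integer(tlv: bytes, strict: bool = True) -> int:
    """Decode one INTEGER TLV; with strict=True, reject non-minimal (non-DER) content."""
    if len(tlv) < 3 or tlv[0] != 0x02:
        raise ValueError("not an INTEGER TLV")
    if tlv[1] & 0x80 or tlv[1] != len(tlv) - 2:
        raise ValueError("unsupported or inconsistent length octet")
    content = tlv[2:]
    if strict and len(content) > 1:
        # DER forbids a leading octet that only repeats the sign bit of the next one.
        if (content[0] == 0x00 and content[1] < 0x80) or \
           (content[0] == 0xFF and content[1] >= 0x80):
            raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(content, "big", signed=True)


# Constructed sample: the value 5 padded to four content octets.
PADDED_PVNO = bytes.fromhex("020400000005")

if __name__ == "__main__":
    minimal = encode_der_integer(5)
    print(minimal.hex(" "))
    # A lenient (BER-style) reader sees the same value in both encodings...
    print(decode_der_integer(PADDED_PVNO, strict=False))
    # ...but a digest over the encoded bytes differs between them.
    same = hashlib.sha256(minimal).digest() == hashlib.sha256(PADDED_PVNO).digest()
    print("digests match:", same)
```

A receiver that re-encodes before verifying, or a sender that pads, produces different bytes for the same value, which is the failure the quoted message describes for signatures and message digests.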