Re: [Jeffrey Hutzelman] LAST CALL - Public Key Cryptography for Initial Authentication in Kerberos
Tom Gindin wrote:
If it isn't too late to fix this without breaking lots of
implementations, the ASN.1 in this specification is over-tagged. In
section 3.2.1, all three of the tags in PA-PK-AS-REQ are unnecessary, and
the one on signedAuthPack is actually slightly harmful. None of the tags
in PKAuthenticator do any good either. The OCTET STRING wrappings for
subjectName and issuerAndSerialNumber are not really appropriate, and
subjectName doesn't need a tag. Even in AuthPack, pkAuthenticator and
clientDHNonce don't need tags.
Similarly, in 3.2.3, there is no reason for any of the tags in
PA-PK-AS-REP, DHRepInfo, or KDCDHKeyInfo. The tags in ReplyKeyPack in
3.2.3.2 also seem unnecessary.
The easiest thing would be to put "AUTOMATIC TAGS" in the module header
(instead of "EXPLICIT TAGS") and not bother with tags, for "AUTOMATIC
TAGS" would tag where necessary. But I understand from another response
that the Kerberos team doesn't want to deviate from their historical
choice...
--
Olivier DUBUISSON
France Telecom
Recherche & Developpement
R&D/MAPS/AMS - 22307 Lannion Cedex - France
t: +33 2 96 05 38 50 - f: +33 2 96 05 39 45 - http://asn1.elibel.tm.fr/
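The tagging cost the message discusses, worked through as an added example (not code from the original message or from the Kerberos draft): a small hand-rolled DER encoder compares a three-component SEQUENCE encoded with EXPLICIT context tags, with the IMPLICIT tags that AUTOMATIC TAGS would assign, and with no tags at all. The SEQUENCE and its OCTET STRING contents are constructed stand-ins, not the draft's PA-PK-AS-REQ.

```python
# Added example, not code from the original message: a minimal DER encoder
# that shows what EXPLICIT context tags cost against the IMPLICIT tags that
# "AUTOMATIC TAGS" would assign. SAMPLE is a constructed three-field SEQUENCE
# of OCTET STRINGs standing in for the draft's structures, not PA-PK-AS-REQ.

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content
def octet_string(data: bytes) -> bytes:
    return tlv(0x04, data)
def sequence(*components: bytes) -> bytes:
    return tlv(0x30, b"".join(components))

def explicit(ctx: int, inner: bytes) -> bytes:
    """[ctx] EXPLICIT: constructed context wrapper around the whole inner TLV (+2 octets)."""
    return tlv(0xA0 | ctx, inner)

def implicit(ctx: int, inner: bytes) -> bytes:
    """[ctx] IMPLICIT, as AUTOMATIC TAGS produces: rewrite only the inner tag octet (+0)."""
    return bytes([0x80 | (inner[0] & 0x20) | ctx]) + inner[1:]

# None marks an absent OPTIONAL component; its context number is still skipped.
def encode_untagged(fields):
    return sequence(*(f for f in fields if f is not None))
def encode_explicit(fields):
    return sequence(*(explicit(i, f) for i, f in enumerate(fields) if f is not None))
def encode_automatic(fields):
    return sequence(*(implicit(i, f) for i, f in enumerate(fields) if f is not None))

def split_sequence(der: bytes):
    """Yield (tag_octet, content) for each component of a short-form SEQUENCE."""
    assert der[0] == 0x30 and der[1] < 0x80, "short-form SEQUENCE expected"
    body, pos = der[2:2 + der[1]], 0
    while pos < len(body):
        tag, length = body[pos], body[pos + 1]
        yield tag, body[pos + 2:pos + 2 + length]
        pos += 2 + length

def context_numbers(der: bytes) -> list:
    """Context tag numbers present; empty when components carry only universal tags."""
    return [tag & 0x1F for tag, _ in split_sequence(der) if tag & 0xC0 == 0x80]

# Constructed sample input: three 20-byte OCTET STRING components.
SAMPLE = [octet_string(b"A" * 20), octet_string(b"B" * 20), octet_string(b"C" * 20)]
```

Each EXPLICIT tag costs two extra octets for short contents while an IMPLICIT tag costs none, yet both still let a decoder tell which OPTIONAL components are present, which an untagged run of same-type fields cannot.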