windows-server-2003/ds/security/protocols/kerberos/asn1/krb5.asn

-- $Source: /mit/krb5/.cvsroot/src/lib/krb5/asn.1/KRB5-asn.py,v $
-- $Author: tytso $
-- $Id: KRB5-asn.py,v 5.25 1993/09/22 00:42:36 tytso Exp $
--
-- Copyright 1989 by the Massachusetts Institute of Technology.
--
-- Export of this software from the United States of America may
--   require a specific license from the United States Government.
--   It is the responsibility of any person or organization contemplating
--   export to obtain such a license before exporting.
--
-- WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-- distribute this software and its documentation for any purpose and
-- without fee is hereby granted, provided that the above copyright
-- notice appear in all copies and that both that copyright notice and
-- this permission notice appear in supporting documentation, and that
-- the name of M.I.T. not be used in advertising or publicity pertaining
-- to distribution of the software without specific, written prior
-- permission.  M.I.T. makes no representations about the suitability of
-- this software for any purpose.  It is provided "as is" without express
-- or implied warranty.
--
-- ASN.1 definitions for the kerberos network objects
--
-- Do not change the order of any structure containing some
-- element_KRB5_xx unless the corresponding translation code is also
-- changed.
--

--#SS.basic slinked--
--#SS.sized array--
--#SS.struct extra-ptr-type--

KRB5 DEFINITIONS EXPLICIT TAGS ::=
BEGIN

-- needed to do the Right Thing with pepsy; this isn't a valid ASN.1
-- token, however.

-- SECTIONS encode decode none

-- the order of stuff in this file matches the order in the draft RFC

KERB-REALM ::= GeneralString

KERB-HOST-ADDRESS ::= SEQUENCE  {
        addr-type[0]                    INTEGER,
        address[1]                      OCTET STRING
}

PKERB-HOST-ADDRESSES ::= SEQUENCE OF SEQUENCE {
        address-type[0]                 INTEGER,
        address[1]                      OCTET STRING
}

PKERB-AUTHORIZATION-DATA ::=  SEQUENCE OF SEQUENCE  {
        auth-data-type[0]               INTEGER,
        auth-data[1]                    OCTET STRING
}

-- A list of auth data for separate packing

PKERB-AUTHORIZATION-DATA-LIST ::= PKERB-AUTHORIZATION-DATA --#public--


KERB-KDC-OPTIONS ::= BIT STRING

PKERB-LAST-REQUEST ::=     SEQUENCE OF SEQUENCE {
        last-request-type[0]            INTEGER,
        last-request-value[1]           KERB-TIME
}

KERB-TIME ::=        GeneralizedTime -- Specifying UTC time zone (Z)


KERB-PRINCIPAL-NAME ::= SEQUENCE{
        name-type[0]                    INTEGER,
        name-string[1]                  SEQUENCE OF GeneralString
}

KERB-SEQUENCE-NUMBER-LARGE ::= INTEGER (-2147483648..4294967295)
KERB-SEQUENCE-NUMBER ::= INTEGER (0..4294967295)

PKERB-TICKET-EXTENSIONS ::= SEQUENCE OF SEQUENCE {
        te-type[0]       INTEGER,
        te-data[1]       OCTET STRING
}

KERB-TICKET ::=      [APPLICATION 1] SEQUENCE {
        ticket-version[0]               INTEGER,
        realm[1]                        KERB-REALM,
        server-name[2]                  KERB-PRINCIPAL-NAME,
        encrypted-part[3]               KERB-ENCRYPTED-DATA,   -- EncTicketPart
        ticket-extensions[4]            PKERB-TICKET-EXTENSIONS OPTIONAL
} --#public--

KERB-TRANSITED-ENCODING ::= SEQUENCE {
        transited-type[0]               INTEGER, -- Only supported value is 1 == DOMAIN-COMPRESS
        contents[1]                     OCTET STRING
}

-- Encrypted part of ticket

KERB-ENCRYPTED-TICKET ::=       [APPLICATION 3] SEQUENCE {
        flags[0]                        KERB-TICKET-FLAGS,
        key[1]                          KERB-ENCRYPTION-KEY,
        client-realm[2]                 KERB-REALM,
        client-name[3]                  KERB-PRINCIPAL-NAME,
        transited[4]                    KERB-TRANSITED-ENCODING,
        authtime[5]                     KERB-TIME,
        starttime[6]                    KERB-TIME OPTIONAL,
        endtime[7]                      KERB-TIME,
        renew-until[8]                  KERB-TIME OPTIONAL,
        client-addresses[9]             PKERB-HOST-ADDRESSES OPTIONAL,
        authorization-data[10]          PKERB-AUTHORIZATION-DATA OPTIONAL
}

-- Unencrypted authenticator

KERB-AUTHENTICATOR ::=       [APPLICATION 2] SEQUENCE  {
        authenticator-version[0]        INTEGER,
        client-realm[1]                 KERB-REALM,
        client-name[2]                  KERB-PRINCIPAL-NAME,
        checksum[3]                     KERB-CHECKSUM OPTIONAL,
        client-usec[4]                  INTEGER,
        client-time[5]                  KERB-TIME,
        subkey[6]                       KERB-ENCRYPTION-KEY OPTIONAL,
        sequence-number[7]              KERB-SEQUENCE-NUMBER-LARGE OPTIONAL,
        authorization-data[8]           PKERB-AUTHORIZATION-DATA OPTIONAL
}


KERB-TICKET-FLAGS ::= BIT STRING

KERB-AS-REQUEST ::= [APPLICATION 10]  KERB-KDC-REQUEST
KERB-TGS-REQUEST ::= [APPLICATION 12] KERB-KDC-REQUEST

KERB-KDC-REQUEST ::= SEQUENCE {
        version[1]                      INTEGER,
        message-type[2]                 INTEGER,
        preauth-data[3]                 SEQUENCE OF KERB-PA-DATA OPTIONAL,
        request-body[4]                 KERB-KDC-REQUEST-BODY
}

KERB-PA-DATA ::= SEQUENCE {
        preauth-data-type[1]            INTEGER,
        preauth-data[2]                 OCTET STRING -- might be encoded AP-REQUEST
}

PKERB-PREAUTH-DATA-LIST ::= SEQUENCE OF KERB-PA-DATA

-- Give this an application number so we can separately encode it and checksum
-- it.

KERB-MARSHALLED-REQUEST-BODY ::= KERB-KDC-REQUEST-BODY

KERB-KDC-REQUEST-BODY ::=       SEQUENCE {
         kdc-options[0]                 KERB-KDC-OPTIONS,
         client-name[1]                 KERB-PRINCIPAL-NAME OPTIONAL, -- Used only in AS-REQUEST
         realm[2]                       KERB-REALM, -- Server's realm  Also client's in AS-REQUEST
         server-name[3]                 KERB-PRINCIPAL-NAME OPTIONAL,
         starttime[4]                   KERB-TIME OPTIONAL,
         endtime[5]                     KERB-TIME,
         renew-until[6]                 KERB-TIME OPTIONAL,
         nonce[7]                       INTEGER,
         encryption-type[8]             SEQUENCE OF INTEGER, -- EncryptionType,
                        -- in preference order
         addresses[9]                   PKERB-HOST-ADDRESSES OPTIONAL,
         enc-authorization-data[10]     KERB-ENCRYPTED-DATA OPTIONAL,
                        -- KERB-AUTHORIZATION-DATA
         additional-tickets[11]         SEQUENCE OF KERB-TICKET OPTIONAL
}

KERB-AS-REPLY ::= [APPLICATION 11] KERB-KDC-REPLY
KERB-TGS-REPLY ::= [APPLICATION 13] KERB-KDC-REPLY


KERB-KDC-REPLY ::= SEQUENCE {
        version[0]                      INTEGER,
        message-type[1]                 INTEGER,
        preauth-data[2]                 SEQUENCE OF KERB-PA-DATA OPTIONAL,
        client-realm[3]                 KERB-REALM,
        client-name[4]                  KERB-PRINCIPAL-NAME,
        ticket[5]                       KERB-TICKET,         -- KERB-TICKET
        encrypted-part[6]               KERB-ENCRYPTED-DATA   -- KERB-ENCRYPTED-KDC-REPLY
}

KERB-ENCRYPTED-AS-REPLY ::= [APPLICATION 25] KERB-ENCRYPTED-KDC-REPLY
KERB-ENCRYPTED-TGS-REPLY ::= [APPLICATION 26] KERB-ENCRYPTED-KDC-REPLY


KERB-ENCRYPTED-KDC-REPLY ::=  SEQUENCE {
        session-key[0]                  KERB-ENCRYPTION-KEY,
        last-request[1]                 PKERB-LAST-REQUEST,
        nonce[2]                        INTEGER,
        key-expiration[3]               KERB-TIME OPTIONAL,
        flags[4]                        KERB-TICKET-FLAGS,
        authtime[5]                     KERB-TIME,
        starttime[6]                    KERB-TIME OPTIONAL,
        endtime[7]                      KERB-TIME,
        renew-until[8]                  KERB-TIME OPTIONAL,
        server-realm[9]                 KERB-REALM,
        server-name[10]                 KERB-PRINCIPAL-NAME,
        client-addresses[11]            PKERB-HOST-ADDRESSES OPTIONAL,
        encrypted-pa-data[12]           SEQUENCE OF KERB-PA-DATA OPTIONAL

}


KERB-AP-REQUEST ::= [APPLICATION 14] SEQUENCE {
        version[0]                      INTEGER,
        message-type[1]                 INTEGER,
        ap-options[2]                   KERB-AP-OPTIONS,
        ticket[3]                       KERB-TICKET,
        authenticator[4]                KERB-ENCRYPTED-DATA   -- Authenticator
}

KERB-AP-OPTIONS ::= BIT STRING

KERB-AP-REPLY ::= [APPLICATION 15] SEQUENCE {
        version[0]                      INTEGER,
        message-type[1]                 INTEGER,
        encrypted-part[2]               KERB-ENCRYPTED-DATA   -- EncAPRepPart
}

KERB-ENCRYPTED-AP-REPLY ::= [APPLICATION 27] SEQUENCE {
        client-time[0]                  KERB-TIME,
        client-usec[1]                  INTEGER,
        subkey[2]                       KERB-ENCRYPTION-KEY OPTIONAL,
        sequence-number[3]              KERB-SEQUENCE-NUMBER OPTIONAL
}


KERB-SAFE-MESSAGE ::= [APPLICATION 20] SEQUENCE {
        version[0]                      INTEGER,
        message-type[1]                 INTEGER,
        safe-body[2]                    KERB-SAFE-BODY,
        checksum[3]                     KERB-CHECKSUM
}

KERB-SAFE-BODY ::= SEQUENCE {
        user-data[0]                    OCTET STRING,
        timestamp[1]                    KERB-TIME OPTIONAL,
        usec[2]                         INTEGER OPTIONAL,
        sequence-number[3]              KERB-SEQUENCE-NUMBER OPTIONAL,
        sender-address[4]               KERB-HOST-ADDRESS,    -- sender's addr
        recipient-address[5]            KERB-HOST-ADDRESS OPTIONAL -- recip's addr
}

KERB-PRIV-MESSAGE ::=    [APPLICATION 21] SEQUENCE {
        version[0]                      INTEGER,
        message-type[1]                 INTEGER,
        encrypted-part[3]               KERB-ENCRYPTED-DATA   -- EncKrbPrivPart
}

KERB-ENCRYPTED-PRIV ::=      [APPLICATION 28] SEQUENCE {
        user-data[0]                    OCTET STRING,
        timestamp[1]                    KERB-TIME OPTIONAL,
        usec[2]                         INTEGER OPTIONAL,
        sequence-number[3]              KERB-SEQUENCE-NUMBER OPTIONAL,
        sender-address[4]               KERB-HOST-ADDRESS,    -- sender's addr
        recipient-address[5]            KERB-HOST-ADDRESS OPTIONAL    -- recip's addr
}



-- The KERB-CRED message allows easy forwarding of credentials.

KERB-CRED ::= [APPLICATION 22] SEQUENCE {
        version[0]              INTEGER,
        message-type[1]         INTEGER, -- KRB_CRED
        tickets[2]              SEQUENCE OF KERB-TICKET,
        encrypted-part[3]       KERB-ENCRYPTED-DATA -- EncKrbCredPart
}

KERB-ENCRYPTED-CRED ::= [APPLICATION 29] SEQUENCE {
        ticket-info[0]  SEQUENCE OF KERB-CRED-INFO,
        nonce[1]        INTEGER OPTIONAL,
        timestamp[2]    KERB-TIME OPTIONAL,
        usec[3]         INTEGER OPTIONAL,
        sender-address[4]       KERB-HOST-ADDRESS OPTIONAL,
        recipient-address[5]    KERB-HOST-ADDRESS OPTIONAL
}

KERB-CRED-INFO  ::=     SEQUENCE {
        key[0]                  KERB-ENCRYPTION-KEY,
        principal-realm[1]      KERB-REALM OPTIONAL,
        principal-name[2]       KERB-PRINCIPAL-NAME OPTIONAL,
        flags[3]                KERB-TICKET-FLAGS OPTIONAL,
        authtime[4]             KERB-TIME OPTIONAL,
        starttime[5]            KERB-TIME OPTIONAL,
        endtime[6]              KERB-TIME OPTIONAL,
        renew-until[7]          KERB-TIME OPTIONAL,
        service-realm[8]        KERB-REALM OPTIONAL,
        service-name[9]         KERB-PRINCIPAL-NAME OPTIONAL,
        client-addresses[10]    PKERB-HOST-ADDRESSES OPTIONAL
}


KERB-ERROR ::=   [APPLICATION 30] SEQUENCE {
        version[0]                      INTEGER,
        message-type[1]                 INTEGER,
        client-time[2]                  KERB-TIME OPTIONAL,
        client-usec[3]                  INTEGER OPTIONAL,
        server-time[4]                  KERB-TIME,
        server-usec[5]                  INTEGER,
        error-code[6]                   INTEGER,
        client-realm[7]                 KERB-REALM OPTIONAL,
        client-name[8]                  KERB-PRINCIPAL-NAME OPTIONAL,
        realm[9]                        KERB-REALM, -- Correct realm
        server-name[10]                 KERB-PRINCIPAL-NAME, -- Correct name
        error-text[11]                  GeneralString   --#lenptr--  OPTIONAL,
        error-data[12]                  OCTET STRING OPTIONAL
}

KERB-ENCRYPTED-DATA ::=  SEQUENCE  {
        encryption-type[0]              INTEGER, -- EncryptionType
        version[1]                      INTEGER OPTIONAL,
        cipher-text[2]                  OCTET STRING -- CipherText
} --#public--

KERB-ENCRYPTION-KEY ::= SEQUENCE {
        keytype[0]                      INTEGER,
        keyvalue[1]                     OCTET STRING
} --#public--

KERB-CHECKSUM ::= SEQUENCE {
        checksum-type[0]                 INTEGER,
        checksum[1]                     OCTET STRING
} --#public--

KERB-ENCRYPTED-TIMESTAMP   ::= SEQUENCE {
        timestamp[0]               KERB-TIME, -- client's time
        usec[1]                    INTEGER OPTIONAL
}

KERB-SALTED-ENCRYPTED-TIMESTAMP   ::= SEQUENCE {
        timestamp[0]                    KERB-TIME, -- client's time
        usec[1]                         INTEGER OPTIONAL,
        salt[2]                         OCTET STRING
}

KERB-ETYPE-INFO-ENTRY ::= SEQUENCE {
       encryption-type[0]               INTEGER,
       salt[1]                          OCTET STRING OPTIONAL
}

PKERB-ETYPE-INFO ::= SEQUENCE OF KERB-ETYPE-INFO-ENTRY

--
--
-- User-to-User data types
--
--

KERB-TGT-REQUEST ::= SEQUENCE {
        version[0]                      INTEGER,
        message-type[1]                 INTEGER,
        server-name[2]                  KERB-PRINCIPAL-NAME OPTIONAL,
        server-realm[3]                 KERB-REALM OPTIONAL
}

KERB-TGT-REPLY ::= SEQUENCE {
        version[0]                      INTEGER,
        message-type[1]                 INTEGER,
        ticket[2]                       KERB-TICKET
        }


--
--
-- PKINT data types
--
--

-- new for PKINIT


KERB-PKCS-SIGNATURE ::= SEQUENCE {
    encryption-type         [0] INTEGER,
                                -- algorithm for PKCS key encryption
    signature               [1] OCTET STRING
}

NOCOPYANY   ::= ANY --#nomemcpy--

KERB-ALGORITHM-IDENTIFIER::= SEQUENCE {
    algorithm               OBJECT IDENTIFIER,
    parameters              NOCOPYANY OPTIONAL
}

KERB-SIGNATURE ::= SEQUENCE {
    signature-algorithm     [0] KERB-ALGORITHM-IDENTIFIER,
    pkcs-signature          [1] BIT STRING
}

KERB-PA-PK-AS-REP ::= CHOICE {
                                -- PA TYPE 15
    dh-signed-data          [0] IMPLICIT OCTET STRING,
                                -- pkcs-7 signed data, used for DH key exchange
    key-package             [1] IMPLICIT OCTET STRING
                                -- pkcs-7 enveloped data, containing
                                -- KERB-REPLY-KEY-PACKAGE
}

KERB-PA-PK-AS-REP2 ::= SEQUENCE {
                                -- PA TYPE 15
    key-package             [0] KERB-ENCRYPTED-DATA OPTIONAL,
                                -- of type KERB-ENCRYPTED-SIGNED-REPLY-KEY-PACKAGE
                                -- using the temporary key in temp-key-package.
                                -- used with kerberos-pk encryption
    temp-key-package        [1] KERB-ENVELOPED-KEY-PACKAGE,
                                -- contains type KERB-ENCRYPTED-SIGNED-REPLY-KEY-PACKAGE
                                -- temporary key encrpyted with
                                -- client public key or diffie-hellman key
    signed-kdc-public-value [2] KERB-SIGNED-KDC-PUBLIC-VALUE OPTIONAL,
                                -- if one was passed in request
    kdc-cert                [3] SEQUENCE OF KERB-CERTIFICATE OPTIONAL
                                -- the KDC's certificate
                                -- optionally followed by that
                                -- certificate's certifier chain
}

KERB-ENVELOPED-KEY-PACKAGE ::= CHOICE {
    encrypted-data          [1] KERB-ENCRYPTED-DATA,
                                -- of type TmpKeyPack, not defined here
    pkinit-enveloped-data   [4] IMPLICIT OCTET STRING
                                -- pkcs-7 enveloped data
}

KERB-SIGNED-REPLY-KEY-PACKAGE ::= SEQUENCE {
    reply-key-package       [0] KERB-REPLY-KEY-PACKAGE2,
    reply-key-signature     [1] KERB-SIGNATURE
                                -- of replyEncKeyPack
                                -- using KDC's private key
}

KERB-REPLY-KEY-PACKAGE2 ::= SEQUENCE {
    reply-key               [0] KERB-ENCRYPTION-KEY,
                                -- used to encrypt main reply
    nonce                   [1] INTEGER,
                                -- binds response to the request
                                -- must be same as the nonce
                                -- passed in the PKAuthenticator
    subject-public-key      [2] BIT STRING OPTIONAL
                                -- included only when using diffie-hellman
                                -- equals public exponent
} --#public--

KERB-REPLY-KEY-PACKAGE ::= SEQUENCE {
    reply-key               [0] KERB-ENCRYPTION-KEY,
                                -- used to encrypt main reply
    nonce                   [1] INTEGER
                                -- binds response to the request
                                -- must be same as the nonce
                                -- passed in the PKAuthenticator
} --#public--


KERB-KDC-DH-KEY-INFO ::= SEQUENCE {
    nonce                   [0] INTEGER,
                                -- binds response to request
    subject-public-key      [1] BIT STRING
                                -- Equals public exponent (g^a mod p)
                                -- INTEGER encoded as payload of
                                -- BIT STRING
}

KERB-SIGNED-KDC-PUBLIC-VALUE ::= SEQUENCE {
    kdc-public-value        [0] KERB-SUBJECT-PUBLIC-KEY-INFO,
                                -- as described above
    kdc-public-value-sig    [1] KERB-SIGNATURE
                                -- of kdcPublicValue
                                -- using KDC's private key
}

KERB-PA-PK-AS-REQ2 ::= SEQUENCE {
                                -- PA TYPE 14
    signed-auth-pack        [0] KERB-SIGNED-AUTH-PACKAGE,
    user-certs              [1] SEQUENCE OF KERB-CERTIFICATE OPTIONAL,
                                -- the user's certificate chain
    trusted-certifiers      [2] SEQUENCE OF KERB-PRINCIPAL-NAME OPTIONAL,
                                -- CAs that the client trusts
    serial-number           [3] KERB-CERTIFICATE-SERIAL-NUMBER OPTIONAL
                                -- specifying a particalu cert if the client
                                -- already has it, must be accompanied by a
                                -- single trusted-certifier
}

KERB-PA-PK-AS-REQ ::= SEQUENCE {
                                -- PA TYPE 14
    signed-auth-pack        [0] IMPLICIT OCTET STRING,
                                -- SignedData
    trusted-certifiers      [2] SEQUENCE OF KERB-TRUSTED-CAS OPTIONAL,
                                -- CAs that the client trusts
    kdc-cert                [3] IMPLICIT OCTET STRING OPTIONAL,
                                -- an IssuerAndSerialNumber, specifies a
                                -- particular KDC cert if the client
                                -- has it, must be accompanied by a
                                -- single trusted-certifier
    encryption-cert         [4] IMPLICIT OCTET STRING OPTIONAL
                                -- If the client cert can't be used for
                                -- encryption. For example, this may
                                -- be a Diffie-Hellman cert

}

KERB-TRUSTED-CAS ::= CHOICE {
    principal-name          [0] KERB-KERBEROS-NAME,
                                -- principal name and realm
    ca-name                 [1] IMPLICIT OCTET STRING,
                                -- real type is 'Name',
                                -- fully qualified X.500 name
                                -- as defined by X.509
    issuer-and-serial       [2] IMPLICIT OCTET STRING
                                -- since a CA may have a number of certs,
                                -- only one of which a client trusts
}

KERB-KERBEROS-NAME ::= SEQUENCE {
    realm                   [0] KERB-REALM,
                                -- as defined in RFC1510
    principal-name          [1] KERB-PRINCIPAL-NAME
                                -- as defined in RFC1510
}


KERB-CERTIFICATE-SERIAL-NUMBER ::= INTEGER
                                -- as specified by PKCS 6

KERB-SIGNED-AUTH-PACKAGE ::= SEQUENCE {
    auth-package            [0] KERB-AUTH-PACKAGE,
    auth-package-signature  [1] KERB-SIGNATURE
                                -- of auth-package
                                -- using user's private key
}

KERB-AUTH-PACKAGE ::= SEQUENCE {
    pk-authenticator        [0] KERB-PK-AUTHENTICATOR,
    client-public-value     [1] KERB-SUBJECT-PUBLIC-KEY-INFO OPTIONAL
                                -- if client is using Diffie-Hellman
} --#public--

KERB-PK-AUTHENTICATOR ::= SEQUENCE {
    kdc-name                [0] KERB-PRINCIPAL-NAME,
    kdc-realm               [1] KERB-REALM,
    cusec                   [2] INTEGER,
                                -- for replay prevention
    client-time             [3] KERB-TIME,
                                -- for replay prevention
    nonce                   [4] INTEGER
}

KERB-SUBJECT-PUBLIC-KEY-INFO ::= SEQUENCE {
    algorithm               [0] KERB-ALGORITHM-IDENTIFIER,
    subjectPublicKey        [1] BIT STRING
                                -- for DH, equals
                                -- public exponent (INTEGER encoded
                                -- as payload of BIT STRING)
}   -- as specified by the X.509 recommendation [9]


KERB-DH-PARAMTER ::= SEQUENCE {
    prime                   [0] INTEGER,
                                -- p
    base                    [1] INTEGER,
                                -- g
    private-value-length    [2] INTEGER OPTIONAL
}

KERB-CERTIFICATE ::= SEQUENCE {
    cert-type                [0] INTEGER,
                                -- type of certificate
                                -- 1 = X.509v3 (DER encoding)
                                -- 2 = PGP (per PGP specification)
    cert-data                [1] OCTET STRING
                                -- actual certificate
                                -- type determined by certType
}

KERB-TYPED-DATA ::= SEQUENCE {
     data-type               [0] INTEGER,
     data-value              [1] OCTET STRING
}

--
--
-- Authorization data types
--
--

KERB-KDC-ISSUED-AUTH-DATA ::= SEQUENCE {
    checksum                [0] KERB-SIGNATURE,
    elements                [1] SEQUENCE OF KERB-PA-DATA
} --#public--

KERB-PA-SERV-REFERRAL   ::= SEQUENCE {
        referred-server-name[1]        KERB-PRINCIPAL-NAME OPTIONAL,
        referred-server-realm[0]       KERB-REALM
} --#public--

--
-- PA data type for indicating whether a PAC should be included or
-- removed.
--

KERB-PA-PAC-REQUEST     ::= SEQUENCE {
        include-pac[0]          BOOLEAN -- if TRUE, and no pac present,
                                        -- include PAC. If FALSE, and pac
                                        -- PAC present, remove PAC
} --#public--

PKERB-IF-RELEVANT-AUTH-DATA ::= PKERB-AUTHORIZATION-DATA --#public--


KERB-CHANGE-PASSWORD-DATA ::=  SEQUENCE {
        new-password[0]         OCTET STRING,
        target-name[1]          KERB-PRINCIPAL-NAME OPTIONAL,
        target-realm[2]         KERB-REALM OPTIONAL
} --#public--


KERB-ERROR-METHOD-DATA ::= SEQUENCE {
        data-type [1] INTEGER,
        data-value [2] OCTET STRING OPTIONAL
} --#public--

KERB-EXT-ERROR ::= SEQUENCE  {
        status[0]                       INTEGER, -- NTStatus code
        klininfo[1]                     INTEGER, -- klin macro info
        flags[2]                        INTEGER  -- used for passing extra info
}

TYPED-DATA ::= SEQUENCE OF KERB-TYPED-DATA --#public--

--
-- For ServiceForUserToSelf requests
-- PA Type 21
--

KERB-PA-FOR-USER ::= SEQUENCE {
                                -- PA TYPE 129
    userName                 [0] KERB-PRINCIPAL-NAME,
    userRealm                [1] KERB-REALM,
    cksum                    [2] KERB-CHECKSUM,
    authentication-package   [3] GeneralString,
    authorization-data       [4] OCTET STRING OPTIONAL,
    ...
}--#public--


END