5.1. Specific Compatibility Notes on ASN.1
Overview
This section addresses specific ASN.1 encoding and compatibility issues that implementers must be aware of to ensure interoperability.
5.1.1. ASN.1 Distinguished Encoding Rules
All Kerberos messages use Distinguished Encoding Rules (DER) for encoding. DER is a subset of Basic Encoding Rules (BER) that ensures a unique encoding for each value.
Key Requirements
- Use DER encoding for all messages
- No optional encoding choices
- Definite length encoding required
- Specific rules for SET and SET OF ordering
5.1.2. Optional Integer Fields
Optional integer fields in Kerberos messages have specific encoding rules:
- If present, they must be encoded
- If absent, they must be omitted entirely
- Zero values should be explicitly encoded if the field is present
- Implementations must handle both presence and absence correctly
5.1.3. Empty SEQUENCE OF Types
When a SEQUENCE OF type contains no elements:
- Some implementations may encode as zero-length
- Others may omit the field entirely
- Implementations must accept both forms
- When generating, follow DER rules
5.1.4. Unrecognized Tag Numbers
When encountering unrecognized tag numbers:
- Recipients SHOULD preserve the encoding
- Recipients SHOULD ignore the presence
- Recipients MUST NOT reject the message solely due to unknown tags
- Exception: Unknown authorization data may require special handling
5.1.5. Tag Numbers Greater Than 30
ASN.1 tag numbers greater than 30 use multi-byte encoding:
- Implementations must support multi-byte tags
- Long form tag encoding must be handled correctly
- This ensures extensibility of the protocol
Implementation Guidance
- Carefully validate ASN.1 decoding
- Preserve unknown extensions when possible
- Follow DER encoding rules strictly
- Test with various ASN.1 encoders/decoders for compatibility
Reference
For complete technical details, refer to RFC 4120 Section 5.1.