After successfully processing a PA-ENC-TIMESTAMP entry in an AS request, Heimdal's KDC uses the matching key as the reply key. We should do the same thing, for three reasons:

1. We have immediate proof that the client possesses this particular key. It might not have the other keys (in a keytab request situation).
2. This would prevent an enctype downgrade attack against a request using PA-ENC-TIMESTAMP.
3. Doing this prevents the client from using knowledge of one key to leverage a known plaintext for another key. (Not a very interesting attack, but worth noting.)

Likewise for encrypted challenge, although of course in that case the reply key will be strengthened.
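To make the second reason concrete, here is an added toy model of the two reply-key selection policies; it is not code from krb5 or Heimdal. Enctype names are placeholders, "encryption" of the timestamp is a keyed HMAC tag standing in for the real enctype, and the principal's keys are constructed sample values. The point it shows is that when the reply key is chosen from the client's etype list, an on-path change to that list can push the reply onto a weaker key even though the timestamp proved possession of the stronger one; when the reply key is the key that verified the PA-ENC-TIMESTAMP, the etype list no longer decides.

```python
import hmac
import hashlib

# Constructed placeholders for two enctypes of different strength.
STRONG = "aes256-cts"
WEAK = "rc4-hmac"

# The principal's long-term keys, one per enctype (constructed sample values).
PRINCIPAL_KEYS = {
    STRONG: b"strong-key-material-aes",
    WEAK: b"weak-key-material-rc4",
}


def encrypt_timestamp(enctype, key, ts):
    """Toy PA-ENC-TIMESTAMP: tag the timestamp under the client's key."""
    msg = f"{enctype}:{ts}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"etype": enctype, "ts": ts, "tag": tag}


def verify_timestamp(padata, keys, now, skew=300):
    """Return (enctype, key) that validated the timestamp, or None."""
    key = keys.get(padata["etype"])
    if key is None:
        return None
    msg = f"{padata['etype']}:{padata['ts']}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, padata["tag"]):
        return None
    if abs(now - padata["ts"]) > skew:
        return None
    return padata["etype"], key


def reply_key_from_etype_list(req_etypes, keys):
    """Old policy: first enctype in the request's list that the principal has."""
    for et in req_etypes:
        if et in keys:
            return et, keys[et]
    return None


def choose_reply_key(request, keys, now, use_preauth_key):
    """KDC reply-key selection after preauth.

    use_preauth_key=False models picking the reply key from the etype list;
    use_preauth_key=True models the Heimdal behaviour the text proposes.
    """
    verified = verify_timestamp(request["padata"], keys, now)
    if verified is None:
        raise ValueError("PA-ENC-TIMESTAMP did not verify")
    if use_preauth_key:
        return verified
    return reply_key_from_etype_list(request["etypes"], keys)


def build_request(now, etypes, preauth_etype=STRONG):
    """Client side: advertise etypes, encrypt the timestamp under one key."""
    return {
        "etypes": list(etypes),
        "padata": encrypt_timestamp(preauth_etype, PRINCIPAL_KEYS[preauth_etype], now),
    }


def downgrade_outcomes(now=1_700_000_000):
    """Reply enctype under each policy when the etype list is altered in transit."""
    req = build_request(now, [STRONG, WEAK])
    # Modelled on-path alteration: the strong enctype is removed from the list,
    # but the timestamp (still under the strong key) is left untouched.
    req["etypes"] = [WEAK]
    old = choose_reply_key(req, PRINCIPAL_KEYS, now, use_preauth_key=False)[0]
    new = choose_reply_key(req, PRINCIPAL_KEYS, now, use_preauth_key=True)[0]
    return {"etype_list_policy": old, "preauth_key_policy": new}


if __name__ == "__main__":
    print(downgrade_outcomes())  # {'etype_list_policy': 'rc4-hmac', 'preauth_key_policy': 'aes256-cts'}
```

With an unaltered request both policies return the strong enctype; the difference only appears when the etype list and the preauth key disagree, which is exactly the case the preauth-key policy removes from the attacker's control.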