Subject: KDC should use encrypted-timestamp key for reply key

After successfully processing a PA-ENC-TIMESTAMP entry in an AS request, Heimdal's KDC uses the matching key as the reply key. We should do the same thing, for three reasons:

1. We have immediate proof that the client possesses this particular key. It might not have the other keys (in a keytab request situation).

2. This would prevent an enctype downgrade attack against a request using PA-ENC-TIMESTAMP.

3. Doing this prevents the client from using knowledge of one key to leverage a known plaintext for another key. (Not a very interesting attack, but worth noting.)

Likewise for encrypted challenge, although of course in that case the reply key will be strengthened.
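
The following toy model is an added example, not part of the original ticket and not krb5 or Heimdal code. It contrasts a KDC that picks the reply key from the request's unauthenticated etype list with one that reuses the key that validated PA-ENC-TIMESTAMP. Assumptions: the "pre-change" policy (first requested enctype the principal has a key for), the HMAC-based seal/unseal stand-in for Kerberos encryption, and all key values and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed principal entry: enctype name -> long-term key (toy values).
CLIENT_KEYS = {
    "aes256-cts": b"A" * 32,
    "des-cbc-crc": b"D" * 8,   # weak legacy key still stored for the principal
}

def seal(key, data):
    """Stand-in for Kerberos encryption: data followed by an HMAC tag."""
    return data + hmac.new(key, data, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the data if the tag verifies under key, else None."""
    data, tag = blob[:-32], blob[-32:]
    good = hmac.new(key, data, hashlib.sha256).digest()
    return data if hmac.compare_digest(tag, good) else None

def verify_enc_timestamp(padata, now, skew=300):
    """Return the enctype whose key validates the timestamp, or None."""
    for etype, key in CLIENT_KEYS.items():
        data = unseal(key, padata)
        if data is not None and abs(now - int(data)) <= skew:
            return etype
    return None

def reply_key_from_etype_list(req_etypes):
    """Assumed pre-change policy: first requested enctype with a stored key."""
    return next((e for e in req_etypes if e in CLIENT_KEYS), None)

def process_as_req(req_etypes, padata, now, bind_to_preauth):
    """Return the enctype of the reply key, or None if preauth fails."""
    matched = verify_enc_timestamp(padata, now)
    if matched is None:
        return None
    return matched if bind_to_preauth else reply_key_from_etype_list(req_etypes)

def demo():
    now = 1_700_000_000  # constructed clock value
    padata = seal(CLIENT_KEYS["aes256-cts"], str(now).encode())
    # The etype list is outside the encrypted timestamp, so a party on the
    # path can rewrite it without invalidating the preauth data.
    tampered = ["des-cbc-crc"]
    return (process_as_req(tampered, padata, now, bind_to_preauth=False),
            process_as_req(tampered, padata, now, bind_to_preauth=True))

if __name__ == "__main__":
    print(demo())
```

With the rewritten etype list, the first policy answers under the weak key even though the client proved possession of the strong one; the second ignores the list and stays on the proven key, which also covers the keytab case in reason 1.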