This document describes how to further extend the Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) extension (defined in RFC 4556) to exchange an opaque data blob that a Key Distribution Center (KDC) can validate to ensure that the client is currently in possession of the private key during a PKINIT Authentication Service (AS) exchange.
RFC 8070-2017 history
2017: RFC 8070-2017 Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) Freshness Extension