diff --git a/lib/asn1/k5.asn1 b/lib/asn1/k5.asn1
index de7e725de..a847a6f0e 100644
--- a/lib/asn1/k5.asn1
+++ b/lib/asn1/k5.asn1
@@ -90,7 +90,8 @@ AUTHDATA-TYPE ::= INTEGER {
 KRB5-AUTHDATA-SESAME(65),
 KRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66),
 KRB5-AUTHDATA-WIN2K-PAC(128),
- KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129) -- Authenticator only
+ KRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only
+ KRB5-AUTHDATA-SIGNTICKET(-17)
 }

 -- checksumtypes
@@ -182,11 +183,13 @@ HostAddresses ::= SEQUENCE OF HostAddress

 KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)

-AuthorizationData ::= SEQUENCE OF SEQUENCE {
+AuthorizationDataElement ::= SEQUENCE {
 ad-type[0] krb5int32,
 ad-data[1] OCTET STRING
 }

+AuthorizationData ::= SEQUENCE OF AuthorizationDataElement
+
 APOptions ::= BIT STRING {
 reserved(0),
 use-session-key(1),
@@ -604,6 +607,23 @@ PA-S4U2Self ::= SEQUENCE {
 auth[3] GeneralString
 }

+KRB5SignedPathPrincipals ::= SEQUENCE OF Principal
+
+-- never encoded on the wire, just used to checksum over
+KRB5SignedPathData ::= SEQUENCE {
+ encticket[0] EncTicketPart,
+ delegated[1] KRB5SignedPathPrincipals OPTIONAL
+}
+
+KRB5SignedPath ::= SEQUENCE {
+ -- DERcoded KRB5SignedPathData
+ -- krbtgt key (etype), KeyUsage = XXX
+ etype[0] ENCTYPE,
+ cksum[1] Checksum,
+ -- srvs delegated though
+ delegated[2] KRB5SignedPathPrincipals OPTIONAL
+}
+
 END

 -- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1
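Review bot: `KRB5-AUTHDATA-SIGNTICKET(-17)` is the only negative value in AUTHDATA-TYPE and, unlike the entry above it, carries no comment. RFC 4120 reserves negative ad-type values for local use, so the line should say so, for example `KRB5-AUTHDATA-SIGNTICKET(-17) -- local use; ad-data is a KRB5SignedPath`. A reader then knows that other implementations will not recognise the type, and that the element is presumably meaningful only when this realm's KDC produced it. The enumeration starts before this hunk.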
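Review bot: The comment in KRB5SignedPath leaves the checksum key usage as `KeyUsage = XXX`, so the schema does not say which usage number separates this checksum from everything else computed under the krbtgt key; that number should be fixed and named here before any code depends on it. The two comments also sit above `etype[0]` although they describe `cksum[1]`. They do not say whether the SIGNTICKET element is removed from the EncTicketPart's authorization-data before KRB5SignedPathData is encoded, which a verifier must know to recompute the checksum. Because `etype` and the checksum type arrive inside the ticket, the verifying code (not visible in this diff) presumably has to reject unkeyed checksum types and any etype the krbtgt has no key for. Suggested wording directly above `cksum[1]`: `-- keyed checksum over DER-encoded KRB5SignedPathData, krbtgt key of etype, KeyUsage = <usage constant>`.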