RE: Reauthentication Requested Revisited

From: Josh Cohen (joshco@microsoft.com)
Date: Mon, Feb 02 1998


Message-ID: <21FD6499922DD111A4F600805FCCD6F2013D09AA@red-86-msg.dns.microsoft.com>
From: Josh Cohen <joshco@microsoft.com>
To: "'ietf-http-ext@w3.org'" <ietf-http-ext@w3.org>
Date: Mon, 2 Feb 1998 17:01:44 -0800 
Subject: RE: Reauthentication Requested Revisited



-> -----Original Message-----
-> From: Scott Lawrence [mailto:lawrence@agranat.com]
-> Sent: Monday, February 02, 1998 4:06 PM
-> To: Josh Cohen
-> Subject: Re: Reauthentication Requested Revisited
-> 
-> 
-> 
-> JC> This provides a general mechanism for a "retry request" from the server
-> JC> to the client along with a way to acknowledge receipt of the retry
-> JC> request.
-> 
->   Which may or may not be a good thing, but is, I think, orthogonal to
->   the question of invalidating cached user credentials.
-> 
Technically yes.  However, to make the 'reauth request' actually
work and be useable, both are necessary from a system view.

1) the server needs a way to send a message to the client saying
   please revalidate your credentials with the user
2) the server needs a way to detect that the client has
   or is at least claiming to knowingly complete the task
   (revalidate the credentials)

So, I guess I'm lumping two things together in a sense.  I see the
second part as an infrastructure item needed by the first to make it
useable.

(else how would you know if the client actually revalidated?)

-> Scott Lawrence           EmWeb Embedded Server       <lawrence@agranat.com>
-> Agranat Systems, Inc.        Engineering            http://www.agranat.com/
->