W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2003

RFC 2617 Authentication sessions

From: Adam Roach <adam@dynamicsoft.com>
Date: Wed, 26 Nov 2003 11:56:46 -0600
Message-ID: <9BF66EBF6BEFD942915B4D4D45C051F3E8666B@dyn-tx-exch-001.dynamicsoft.com>
To: "'Scott Lawrence'" <scott-http@skrb.org>, ietf-http-wg@w3.org
Cc: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>, Adam Roach <adam@dynamicsoft.com>

Scott Lawrence [mailto:scott-http@skrb.org] wrote:

>   So that section would read:
> 
> 3.2.2.2 A1
...
>    This creates a 'session key' for the authentication of subsequent
>    requests and responses which is different for each "authentication
>    session", thus limiting the amount of material hashed with any one
>    key.  (Note: see further discussion of the authentication 
> session in
>    section 3.3.) Because the server need only use the hash of the user
>    credentials in order to create the A1 value, this 
> construction could
>    be used in conjunction with a third party authentication service so
>    that the web server would not need the actual password value.  The
>    specification of such a protocol is beyond the scope of this
>    specification.

If we're opening this section for revisions, can we please
also address the issue of whether the session key is recalculated
when the server sends an Auth-Info header with nextnonce?

/a
Received on Monday, 1 December 2003 09:34:41 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:49:25 GMT