RFC 2617 Authentication sessions

Scott Lawrence [mailto:scott-http@skrb.org] wrote:

>   So that section would read:
> 
> 3.2.2.2 A1
...
>    This creates a 'session key' for the authentication of subsequent
>    requests and responses which is different for each "authentication
>    session", thus limiting the amount of material hashed with any one
>    key.  (Note: see further discussion of the authentication session in
>    section 3.3.) Because the server need only use the hash of the user
>    credentials in order to create the A1 value, this construction could
>    be used in conjunction with a third party authentication service so
>    that the web server would not need the actual password value.  The
>    specification of such a protocol is beyond the scope of this
>    specification.

If we're opening this section for revisions, can we please
also address the issue of whether the session key is recalculated
when the server sends an Auth-Info header with nextnonce?

/a

Received on Monday, 1 December 2003 09:34:41 UTC
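Worked example of the A1 construction the quoted text describes, added here as an illustration; it is not part of the original message and not code from RFC 2617 or any implementation discussed on the list. The plain "MD5" path is checked against the RFC 2617 section 3.5 example values (Mufasa / testrealm@host.com / Circle Of Life). The "MD5-sess" nonces, cnonce and the nextnonce value are constructed, and the function names (H, KD, ha1_md5_sess, request_digest, md5_sess_after_nextnonce) are this example's own. It shows two things: the server can verify an MD5-sess response holding only H(username:realm:password), never the password, and the two readings of what happens to the session key after nextnonce (keep it, or re-derive it from the new nonce) produce different request-digests, which is why the question in the reply needs an answer in the text of the specification.

```python
import hashlib


def H(data: str) -> str:
    """RFC 2617 H(): lowercase hex MD5 of the string."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def KD(secret: str, data: str) -> str:
    """RFC 2617 KD(secret, data) = H(secret ":" data)."""
    return H(f"{secret}:{data}")


def ha1_md5(username: str, realm: str, password: str) -> str:
    """Algorithm "MD5": H(A1) with A1 = username ":" realm ":" password."""
    return H(f"{username}:{realm}:{password}")


def ha1_md5_sess(user_hash: str, nonce: str, cnonce: str) -> str:
    """Algorithm "MD5-sess": H(A1) with
    A1 = H(username ":" realm ":" password) ":" nonce ":" cnonce.
    Only user_hash = H(username:realm:password) is needed here, which is
    the point the quoted text makes: the server never sees the password.
    """
    return H(f"{user_hash}:{nonce}:{cnonce}")


def request_digest(ha1: str, method: str, uri: str, nonce: str,
                   nc: str, cnonce: str, qop: str = "auth") -> str:
    """request-digest for qop=auth:
    KD(H(A1), nonce ":" nc ":" cnonce ":" qop ":" H(A2)), A2 = Method ":" uri.
    """
    ha2 = H(f"{method}:{uri}")
    return KD(ha1, f"{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify_md5_sess(stored_user_hash: str, method: str, uri: str,
                           nonce: str, nc: str, cnonce: str,
                           client_response: str) -> bool:
    """Server-side check that uses only the stored credential hash, as a
    third-party authentication service could hand it over."""
    expected = request_digest(ha1_md5_sess(stored_user_hash, nonce, cnonce),
                              method, uri, nonce, nc, cnonce)
    return expected == client_response


def md5_sess_after_nextnonce(user_hash: str, first_nonce: str,
                             next_nonce: str, cnonce: str,
                             method: str, uri: str) -> dict:
    """The second request of an authentication session, after the server
    returned nextnonce. Both candidates put next_nonce in the digest and
    restart nc at 00000001 for the new nonce; they differ only in A1:
      'keep'      - session key stays bound to the nonce of the first request
      'recompute' - session key is re-derived from nextnonce
    The example does not decide which reading RFC 2617 intends.
    """
    nc = "00000001"
    return {
        "keep": request_digest(ha1_md5_sess(user_hash, first_nonce, cnonce),
                               method, uri, next_nonce, nc, cnonce),
        "recompute": request_digest(ha1_md5_sess(user_hash, next_nonce, cnonce),
                                    method, uri, next_nonce, nc, cnonce),
    }


# RFC 2617 section 3.5 example values (algorithm "MD5", qop=auth).
RFC_USER, RFC_REALM, RFC_PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
RFC_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
RFC_CNONCE, RFC_NC, RFC_URI = "0a4f113b", "00000001", "/dir/index.html"
RFC_RESPONSE = "6629fae49393a05397450978507c4ef1"

# Constructed values for the MD5-sess demonstration (not from the RFC).
SESS_NONCE = "1f3a9c7e2b4d6e8f0a1b2c3d4e5f6071"
SESS_NEXTNONCE = "9e8d7c6b5a4f3e2d1c0b0a9f8e7d6c5b"
SESS_CNONCE = "7b3f20d1"

if __name__ == "__main__":
    assert request_digest(ha1_md5(RFC_USER, RFC_REALM, RFC_PASSWORD), "GET",
                          RFC_URI, RFC_NONCE, RFC_NC, RFC_CNONCE) == RFC_RESPONSE
    stored = ha1_md5(RFC_USER, RFC_REALM, RFC_PASSWORD)
    client = request_digest(ha1_md5_sess(stored, SESS_NONCE, SESS_CNONCE),
                            "GET", RFC_URI, SESS_NONCE, RFC_NC, SESS_CNONCE)
    print("server verifies with hash only:",
          server_verify_md5_sess(stored, "GET", RFC_URI, SESS_NONCE,
                                 RFC_NC, SESS_CNONCE, client))
    print(md5_sess_after_nextnonce(stored, SESS_NONCE, SESS_NEXTNONCE,
                                   SESS_CNONCE, "GET", RFC_URI))
```

Note that the client side computes the same session key from the cleartext password: H(username:realm:password) is simply the first step, so `ha1_md5_sess(ha1_md5(user, realm, pw), nonce, cnonce)` on the client matches `ha1_md5_sess(stored_hash, nonce, cnonce)` on the server, and a stolen hash is enough to impersonate the user against this scheme. That is the price of the "server need not hold the password" property and worth keeping in mind alongside the nextnonce question.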