- From: Adam Roach <adam@dynamicsoft.com>
- Date: Wed, 26 Nov 2003 11:56:46 -0600
- To: "'Scott Lawrence'" <scott-http@skrb.org>, ietf-http-wg@w3.org
- Cc: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>, Adam Roach <adam@dynamicsoft.com>
Scott Lawrence [mailto:scott-http@skrb.org] wrote:
> So that section would read:
>
> 3.2.2.2 A1
> ...
> This creates a 'session key' for the authentication of subsequent
> requests and responses which is different for each "authentication
> session", thus limiting the amount of material hashed with any one
> key. (Note: see further discussion of the authentication session in
> section 3.3.) Because the server need only use the hash of the user
> credentials in order to create the A1 value, this construction could
> be used in conjunction with a third party authentication service so
> that the web server would not need the actual password value. The
> specification of such a protocol is beyond the scope of this
> specification.

If we're opening this section for revisions, can we please also address
the issue of whether the session key is recalculated when the server
sends an Auth-Info header with nextnonce?

/a
Received on Monday, 1 December 2003 09:34:41 UTC
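The quoted section 3.2.2.2 text and the nextnonce question above, worked through in code. This is an added example for the archive reader; it is not code from the thread, from the RFC, or from any of the participants. It assumes RFC 2617's MD5-sess construction (A1 = H(H(username:realm:password):nonce:cnonce), qop=auth) and uses constructed usernames, nonces and cnonces; the two readings of what happens after an Authentication-Info nextnonce are both shown, because the thread leaves that point open and the code takes no position on which is right.

```python
"""MD5-sess A1 derivation (RFC 2617 section 3.2.2.2) and the nextnonce question.

Added example, not from the mailing-list thread. All usernames, realms,
nonces and cnonces below are constructed for illustration.
"""
import hashlib
import hmac


def md5_hex(s: str) -> str:
    """H(data) as RFC 2617 defines it: lowercase hex MD5 of the UTF-8 bytes."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """H(username:realm:password). For MD5-sess this hash is the only secret
    the server (or a third-party authentication service) needs to hold."""
    return md5_hex(f"{username}:{realm}:{password}")


def session_key(ha1_hex: str, nonce: str, cnonce: str) -> str:
    """MD5-sess A1 = H( H(username:realm:password) ":" nonce ":" cnonce ).
    Because it is built from the stored hash, the password never reaches here."""
    return md5_hex(f"{ha1_hex}:{nonce}:{cnonce}")


def digest_response(a1_hex: str, nonce: str, nc: str, cnonce: str,
                    method: str, uri: str, qop: str = "auth") -> str:
    """request-digest for qop=auth: KD(A1, nonce:nc:cnonce:qop:H(A2))."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{a1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_side(username: str, realm: str, password: str,
                session_nonce: str, session_cnonce: str,
                request_nonce: str, nc: str, cnonce: str,
                method: str, uri: str) -> str:
    """Client: it has the password, derives the session key, signs the request."""
    a1 = session_key(ha1(username, realm, password), session_nonce, session_cnonce)
    return digest_response(a1, request_nonce, nc, cnonce, method, uri)


def server_verifies(stored_ha1: str, session_nonce: str, session_cnonce: str,
                    request_nonce: str, nc: str, cnonce: str,
                    method: str, uri: str, response: str) -> bool:
    """Server: holds only H(username:realm:password), yet recomputes the same
    session key and request-digest. Constant-time compare on the result."""
    a1 = session_key(stored_ha1, session_nonce, session_cnonce)
    expected = digest_response(a1, request_nonce, nc, cnonce, method, uri)
    return hmac.compare_digest(expected, response)


def nextnonce_ambiguity(stored_ha1: str, nonce1: str, cnonce1: str,
                        nextnonce: str, cnonce2: str,
                        method: str, uri: str) -> tuple[str, str]:
    """Second request after the server answered with Authentication-Info: nextnonce.

    Reading A: the session key stays bound to the first nonce/cnonce of the
               authentication session; only the per-request nonce changes.
    Reading B: the session key is recomputed from nextnonce and the new cnonce.
    nc is held at 00000002 in both so that A1 is the only difference.
    The two request-digests differ, so client and server must pick the same reading.
    """
    a1_keep = session_key(stored_ha1, nonce1, cnonce1)
    a1_new = session_key(stored_ha1, nextnonce, cnonce2)
    resp_a = digest_response(a1_keep, nextnonce, "00000002", cnonce2, method, uri)
    resp_b = digest_response(a1_new, nextnonce, "00000002", cnonce2, method, uri)
    return resp_a, resp_b


def demo() -> dict:
    """One authentication session with constructed values (not RFC test vectors)."""
    user, realm, password = "mufasa", "example.org", "circle-of-life"  # constructed
    stored = ha1(user, realm, password)          # what the server/auth service keeps
    nonce1, cnonce1 = "dcd98b71", "0a4f113b"     # constructed first challenge/response
    first = client_side(user, realm, password, nonce1, cnonce1,
                        nonce1, "00000001", cnonce1, "GET", "/dir/index.html")
    ok = server_verifies(stored, nonce1, cnonce1,
                         nonce1, "00000001", cnonce1, "GET", "/dir/index.html", first)
    resp_a, resp_b = nextnonce_ambiguity(stored, nonce1, cnonce1,
                                         "e4a7c210", "77bd2a1f", "GET", "/dir/index.html")
    return {"stored_ha1": stored, "first_ok": ok,
            "after_nextnonce_reading_a": resp_a,
            "after_nextnonce_reading_b": resp_b}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the quoted text makes is visible in `server_verifies`: it is handed `stored_ha1`, never the password, and still reproduces the client's digest. `nextnonce_ambiguity` is only there to show that the open question in the mail is not cosmetic: the two readings produce different request-digests for the same second request, so an implementation that picks one and a peer that picks the other will fail to authenticate.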