- From: Scott Lawrence <scott-http@skrb.org>
- Date: Mon, 01 Dec 2003 10:59:05 -0500
- To: Adam Roach <adam@dynamicsoft.com>
- Cc: ietf-http-wg@w3.org
Adam Roach <adam@dynamicsoft.com> writes:

>> 3.2.2.2 A1
> ...
>> This creates a 'session key' for the authentication of subsequent
>> requests and responses which is different for each "authentication
>> session", thus limiting the amount of material hashed with any one
>> key. (Note: see further discussion of the authentication session in
>> section 3.3.) Because the server need only use the hash of the user
>> credentials in order to create the A1 value, this construction could
>> be used in conjunction with a third party authentication service so
>> that the web server would not need the actual password value. The
>> specification of such a protocol is beyond the scope of this
>> specification.
>
> If we're opening this section for revisions, can we please
> also address the issue of whether the session key is recalculated
> when the server sends an Auth-Info header with nextnonce?

I don't think that is ambiguous given the current text. If the server
sends a nextnonce, then it wants the client to start using it. I don't
think that servers that are choosing to use MD5-sess mode will do that
very often, but that is a different question and not one that a
standard needs to or should address.

--
Scott Lawrence
http://skrb.org/scott/
Received on Monday, 1 December 2003 10:59:11 UTC
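As an added illustration, not part of this thread, the following Python sketch works through the MD5-sess construction under discussion: the server holds only H(username:realm:password), and the client derives a fresh session key when it moves to a nextnonce, which is the reading Scott gives above. The simulate_md5_sess helper, the nonce strings and the request loop are constructed for this example; the hashing itself follows RFC 2617 section 3.2.2.

```python
import hashlib
import secrets


def h(data: str) -> str:
    """H() from RFC 2617: lowercase hex MD5 of the string."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def stored_ha1(username: str, realm: str, password: str) -> str:
    """H(username:realm:password). For MD5-sess this hash is all the web
    server (or a third-party authentication service) needs to hold; the
    password value itself never has to reach the web server."""
    return h(f"{username}:{realm}:{password}")


def sess_ha1(ha1: str, nonce: str, cnonce: str) -> str:
    """MD5-sess session key (RFC 2617 3.2.2.2):
    H(A1) = H( H(user:realm:pass) ":" nonce ":" cnonce ).
    It is bound to one server nonce, so a nextnonce yields a new key."""
    return h(f"{ha1}:{nonce}:{cnonce}")


def request_digest(ha1: str, nonce: str, nc: str, cnonce: str,
                   qop: str, method: str, uri: str) -> str:
    """request-digest for qop=auth: KD(H(A1), nonce:nc:cnonce:qop:H(A2))."""
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def simulate_md5_sess(username, realm, password, nonces, reqs_per_nonce=2):
    """Constructed simulation: run one MD5-sess authentication session over
    the given server nonces. Every nonce after the first stands for a
    nextnonce the server handed out in Authentication-Info; the client then
    derives a new session key and restarts the nonce-count at 1. The server
    side verifies using only stored_ha1. Returns one record per request."""
    ha1 = stored_ha1(username, realm, password)  # the only secret server-side
    uri, method = "/dir/index.html", "GET"
    records = []
    for nonce in nonces:
        cnonce = secrets.token_hex(8)            # fresh client nonce per key
        key = sess_ha1(ha1, nonce, cnonce)       # client-side session key
        for nc in range(1, reqs_per_nonce + 1):
            nc_str = f"{nc:08x}"
            client = request_digest(key, nonce, nc_str, cnonce, "auth", method, uri)
            # The server re-derives the same key from the stored hash plus the
            # nonce and cnonce carried in the Authorization header.
            server_key = sess_ha1(ha1, nonce, cnonce)
            server = request_digest(server_key, nonce, nc_str, cnonce, "auth", method, uri)
            records.append({"nonce": nonce, "nc": nc_str,
                            "session_key": key, "verified": client == server})
    return records
```

With algorithm=MD5 (no session key) the helpers reproduce the RFC 2617 section 3.5 example: H(A1) is then just stored_ha1, and the response for the Mufasa request is 6629fae49393a05397450978507c4ef1.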