%!PS-Adobe-3.0
%%Title: Mutual Authentication Protocol for HTTP
%%Creator: html2ps version 1.0 beta5
%%CreationDate: Tue Aug 18 23:13:17 2009
%%DocumentNeededResources: font Times-Roman Times-Bold Courier Courier-Oblique
%%+ font Helvetica
%%DocumentData: Clean7Bit
%%Orientation: Portrait
%%BoundingBox: 0 0 596 842
%%Pages: 27
%%EndComments
%%BeginProlog
% Short operator aliases used by the rest of the prolog and by every page.
% d: bind a procedure body and define it (name proc d).
/d {bind def} bind def
% D: plain def, without bind.
/D {def} d
% ie: ifelse.
/ie {ifelse} d
% E: exch.
/E {exch} d
% t and f: the booleans true and false.
/t true D
/f false D
% FL: list of font names. Nf picks a font by its zero-based position in
% this array (0 = Times-Roman, 2 = Times-Bold, 4 = Courier, 8 = Helvetica).
/FL [/Times-Roman
/Times-Italic
/Times-Bold
/Times-BoldItalic
/Courier
/Courier-Oblique
/Courier-Bold
/Courier-BoldOblique
/Helvetica
/Helvetica-Oblique
/Helvetica-Bold
/Helvetica-BoldOblique] D
% Cd: build a dictionary from an array of alternating keys and values.
% Stack: [k1 v1 ... kn vn] Cd -> dict
% aload spreads the pairs on the stack; half the array length both sizes
% the new dictionary and is the repeat count for the def loop.
/Cd {aload length 2 idiv dup dict begin {D} repeat currentdict end} D
% reencodeISO: re-register a font under its own name with its Encoding
% replaced by ISOLatin1Encoding.
% Stack: fontname reencodeISO -> fontname newfont
% The font dictionary is copied entry by entry, skipping /FID, and the copy
% is passed to definefont under the original name.
/reencodeISO {
 dup dup findfont dup length dict begin{1 index /FID ne{D}{pop pop}ie}forall
 /Encoding ISOLatin1Encoding D currentdict end definefont} D
% ISOLatin1Encoding: glyph-name vector installed by reencodeISO.
% Codes 0-31 and 127-159 start out as /.notdef; code 160 (written \240 in
% the page strings) maps to /space.
/ISOLatin1Encoding [
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quoteright
/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash
/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon
/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N
/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright
/asciicircum/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m
/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/space/exclamdown/cent/sterling/currency/yen/brokenbar
/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot
/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior
/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine
/guillemotright/onequarter/onehalf/threequarters/questiondown
/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla
/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex
/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis
/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute
/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis
/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave
/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex
/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis
/yacute/thorn/ydieresis
] D
% Patch extra glyph names into ISOLatin1Encoding at codes 128-159.
% The array holds code/name pairs, e.g. 155 and 156 are the curly double
% quotes that the page text writes as \233 and \234.
[128/backslash 129/parenleft 130/parenright 141/circumflex 142/tilde
143/perthousand 144/dagger 145/daggerdbl 146/Ydieresis 147/scaron 148/Scaron
149/oe 150/OE 151/guilsinglleft 152/guilsinglright 153/quotesinglbase
154/quotedblbase 155/quotedblleft 156/quotedblright 157/endash 158/emdash
159/trademark]
% aload spreads the pairs; the for loop runs once per pair, discards its
% counter and performs "ISOLatin1Encoding code name put".
aload length 2 idiv 1 1 3 -1 roll{pop ISOLatin1Encoding 3 1 roll put}for
% Fallback for interpreters that do not define colorimage.
% "where" pushes the defining dictionary when the name exists, so the first
% branch only pops it. Otherwise a replacement is defined that drops its two
% topmost operands, keeps the next one as the data procedure Pr, and calls
% image with a procedure that turns each group of three samples into one
% grey byte: 0.299*Cv[i] + 0.587*Cv[i+1] + 0.114*Cv[i+2], truncated by cvi.
% NOTE(review): the weights suggest the samples are in R, G, B order - confirm.
/colorimage where{pop}{
 /colorimage {
  pop pop /Pr E D {/Cv Pr D /Gr Cv length 3 idiv string D 0 1 Gr length 1 sub
   {Gr E dup /i E 3 mul D Cv i get 0.299 mul Cv i 1 add get 0.587 mul add
    Cv i 2 add get 0.114 mul add cvi put}for Gr} image} D
}ie
% When the interpreter has no pdfmark operator, define pdfmark in userdict
% as cleartomark, so every "[ ... pdfmark" sequence in this file is simply
% discarded instead of raising an error.
/pdfmark where{pop}{userdict /pdfmark /cleartomark load put}ie

% MySymbol: a Type 3 font with a single drawn glyph, /euro, placed at the
% character code of the letter "e". Every other code is /.notdef.
/MySymbol 10 dict dup begin
 /FontType 3 D /FontMatrix [.001 0 0 .001 0 0 ] D /FontBBox [25 -10 600 600] D
 /Encoding 256 array D 0 1 255{Encoding exch /.notdef put}for
 Encoding (e) 0 get /euro put
 % Metrics: advance width per glyph name.
 /Metrics 2 dict D Metrics begin
  /.notdef 0 D
  /euro 651 D
 end
 % BBox: bounding box per glyph name, passed to setcachedevice.
 /BBox 2 dict D BBox begin
  /.notdef [0 0 0 0] D
  /euro [25 -10 600 600] D
 end
 % CharacterDefs: drawing procedure per glyph name. The euro clips to a
 % polygon, then strokes a full circle and two horizontal bars.
 /CharacterDefs 2 dict D CharacterDefs begin
  /.notdef {} D
  /euro{newpath 114 600 moveto 631 600 lineto 464 200 lineto 573 200 lineto
   573 0 lineto -94 0 lineto 31 300 lineto -10 300 lineto closepath clip
   50 setlinewidth newpath 656 300 moveto 381 300 275 0 360 arc stroke
   -19 350 moveto 600 0 rlineto -19 250 moveto 600 0 rlineto stroke}d
 end
 % BuildChar: look up the glyph name for the character code, declare its
 % width and bounding box with setcachedevice, then run its drawing procedure.
 /BuildChar{0 begin
  /char E D /fontdict E D /charname fontdict /Encoding get char get D
  fontdict begin
   Metrics charname get 0 BBox charname get aload pop setcachedevice
   CharacterDefs charname get exec
  end
 end}D
 % Replace the literal 0 at index 0 of BuildChar with a 3-entry dictionary,
 % so "0 begin" above opens local storage for char, fontdict and charname.
 /BuildChar load 0 3 dict put /UniqueID 1 D
end
definefont pop
% Nf: select the current font. Stack: size index Nf -> -
% index >= 0 picks FL[index]; index -1 picks /Symbol; any other negative
% index picks /MySymbol. The font is scaled to size and made current.
/Nf {dup 0 ge{FL E get}{-1 eq{/Symbol}{/MySymbol}ie}ie findfont
 E scalefont setfont} D
% IP: read hex-encoded data from the program file into the string picstr.
% picstr is not defined in the part of the file reviewed here.
/IP {currentfile picstr readhexstring pop} D
% WF: when true, the setup section re-encodes every font in FL; when false,
% only the entries from index 4 onwards.
/WF t D
% F: not referenced in the part of the file reviewed here.
/F 1 D
% One-letter aliases for the operators the page bodies use.
% N: showpage.
/N {showpage} d
% RL: rlineto.
/RL {rlineto} d
% S: show.
/S {show} d
% L: lineto.
/L {lineto} d
% M: moveto.
/M {moveto} d
% A: awidthshow (show with extra per-character spacing, used for justified lines).
/A {awidthshow} d
% RM: rmoveto.
/RM {rmoveto} d
%%EndProlog
%%BeginSetup
%%PaperSize: A4
% Re-encode the text fonts: all of FL when WF is true, otherwise entries
% 4 .. length-1. reencodeISO leaves "name font" on the stack and D binds them.
WF{FL{reencodeISO D}forall}{4 1 FL length 1 sub{FL E get reencodeISO D}for}ie
% Copy the Symbol font (every entry except /FID), give the copy its own
% Encoding array with /therefore at code 128, and register it as /Symbol again.
/Symbol dup dup findfont dup length dict begin
 {1 index /FID ne{D}{pop pop}ie}forall /Encoding [Encoding aload pop]
 dup 128 /therefore put D currentdict end definefont D
% Document metadata for PDF conversion. All pdfmark sequences are discarded
% when pdfmark has been defined as the cleartomark fallback.
[/Creator (html2ps version 1.0 beta5) /Author () /Keywords (HTTP, authentication) /Subject () /Title (Mutual Authentication Protocol for HTTP) /DOCINFO pdfmark
% Ask the viewer to open with the outline panel shown.
[/PageMode /UseOutlines /DOCVIEW pdfmark
% Outline root entry carrying the document title, with /Count 1.
[/Count 1 /Dest /117 /Title (Mutual Authentication Protocol for HTTP draft-oiwa-http-mutualauth-05) /OUT pdfmark
% Untitled outline entry whose /Count 53 matches the 53 /OUT entries that follow it.
[/Count 53 /Dest /118 /Title () /OUT pdfmark
[/Dest /118 /Title (Status of this Memo) /OUT pdfmark
[/Dest /119 /Title (Copyright Notice) /OUT pdfmark
[/Dest /120 /Title (Abstract) /OUT pdfmark
[/Dest /121 /Title (Table of Contents) /OUT pdfmark
[/Dest /122 /Title (1. Introduction) /OUT pdfmark
[/Dest /123 /Title (1.1. Requirements Language) /OUT pdfmark
[/Dest /124 /Title (2. Protocol Overview) /OUT pdfmark
[/Dest /125 /Title (3. Message Syntax) /OUT pdfmark
[/Dest /126 /Title (3.1. Tokens and Extensive-tokens) /OUT pdfmark
[/Dest /127 /Title (3.2. Numbers) /OUT pdfmark
[/Dest /128 /Title (3.3. Strings) /OUT pdfmark
[/Dest /129 /Title (4. Messages) /OUT pdfmark
[/Dest /130 /Title (4.1. 401-B0) /OUT pdfmark
[/Dest /131 /Title (4.2. 401-B0-stale) /OUT pdfmark
[/Dest /132 /Title (4.3. req-A1) /OUT pdfmark
[/Dest /133 /Title (4.4. 401-B1) /OUT pdfmark
[/Dest /134 /Title (4.5. req-A3) /OUT pdfmark
[/Dest /135 /Title (4.6. 200-B4) /OUT pdfmark
[/Dest /136 /Title (5. Decision procedure for the client) /OUT pdfmark
[/Dest /137 /Title (6. Decision procedure for the server) /OUT pdfmark
[/Dest /138 /Title (7. Authentication-Control header) /OUT pdfmark
[/Dest /139 /Title (7.1. Location-when-unauthenticated field) /OUT pdfmark
[/Dest /140 /Title (7.2. Location-when-logout field) /OUT pdfmark
[/Dest /141 /Title (7.3. Logout-timeout) /OUT pdfmark
[/Dest /142 /Title (8. Authentication Algorithms) /OUT pdfmark
[/Dest /143 /Title (8.1. Common functions) /OUT pdfmark
[/Dest /144 /Title (8.2. Functions for discrete-logarithm settings) /OUT pdfmark
[/Dest /145 /Title (8.3. Functions for elliptic-curve settings) /OUT pdfmark
[/Dest /146 /Title (9. Authentication Realms) /OUT pdfmark
[/Dest /147 /Title (9.1. Resolving ambiguities) /OUT pdfmark
[/Dest /148 /Title (10. Validation Methods) /OUT pdfmark
[/Dest /149 /Title (11. Session Management) /OUT pdfmark
[/Dest /150 /Title (12. Optional Mutual Authentication) /OUT pdfmark
[/Dest /151 /Title (13. Methods to extend this protocol) /OUT pdfmark
[/Dest /152 /Title (14. IANA Considerations) /OUT pdfmark
[/Dest /153 /Title (15. Security Considerations) /OUT pdfmark
[/Dest /154 /Title (15.1. General Assumptions) /OUT pdfmark
[/Dest /155 /Title (15.2. Implementation Considerations) /OUT pdfmark
[/Dest /156 /Title (15.3. Usage Considerations) /OUT pdfmark
[/Dest /157 /Title (16. Notice on intellectual properties) /OUT pdfmark
[/Dest /158 /Title (17. Acknowledgement) /OUT pdfmark
[/Dest /159 /Title (18. References) /OUT pdfmark
[/Dest /160 /Title (18.1. Normative References) /OUT pdfmark
[/Dest /161 /Title (18.2. Informative References) /OUT pdfmark
[/Dest /162 /Title (Appendix A. Group parameters for discrete-logarithm based algorithms) /OUT pdfmark
[/Dest /163 /Title (Appendix B. Derived numerical values) /OUT pdfmark
[/Dest /164 /Title (Appendix C. Draft Remarks from the Authors) /OUT pdfmark
[/Dest /165 /Title (Appendix D. Draft Change Log) /OUT pdfmark
[/Dest /166 /Title (D.1. Changes in revision 05) /OUT pdfmark
[/Dest /167 /Title (D.2. Changes in revision 04) /OUT pdfmark
[/Dest /168 /Title (D.3. Changes in revision 03) /OUT pdfmark
[/Dest /169 /Title (D.4. Changes in revision 02) /OUT pdfmark
[/Dest /170 /Title (Authors' Addresses) /OUT pdfmark
%%EndSetup
%%Page: 1 1
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 0 M
[/View [/XYZ -4 842 null] /Dest /0 /DEST pdfmark
0 -0 M
save
2.5 -13.5 M
%%IncludeResource: font Times-Roman
11 0 Nf
(Internet Engineering Task ) S
(Force) S
199 -13.5 M
(Y. ) S
(Oiwa) S
2.5 -32.2 M
(Internet-Draft) S
199 -32.2 M
(H. ) S
(Watanabe) S
2.5 -51 M
(Intended status: Standards ) S
(Track) S
199 -51 M
(H. ) S
(Takagi) S
2.5 -69.8 M
(Expires: February 19, ) S
(2010) S
199 -69.8 M
(RCIS, ) S
(AIST) S
2.5 -88.5 M
(\240) S
199 -88.5 M
(H. ) S
(Suzuki) S
2.5 -107.2 M
(\240) S
199 -107.2 M
(Yahoo! ) S
(Japan) S
2.5 -126 M
(\240) S
199 -126 M
(August 18, ) S
(2009) S
0 -131.2 M
restore
227 -146.4 M
[/View [/XYZ -4 842 null] /Dest /117 /DEST pdfmark
54.5 -165.4 M
%%IncludeResource: font Times-Bold
19 2 Nf
(Mutual Authentication Protocol for ) S
(HTTP) S
100.9 -188.2 M
(draft-oiwa-http-mutualauth-05) S
0 -218.2 M
15 2 Nf
(Status) S
[/View [/XYZ -4 556.753906 null] /Dest /118 /DEST pdfmark
( of this ) S
(Memo) S
0 -242.4 M
11 0 Nf
2.34263396 0 32 0 0 (This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP\24078 and ) A
0 -255.6 M
(BCP\24079.) S
0 -279.8 M
0.0139508927 0 32 0 0 (Internet-Drafts are working documents of the Internet Engineering Task Force \(IETF\), its areas, and its) A
0 -293 M
(working groups. Note that other groups may also distribute working documents as ) S
(Internet-Drafts.) S
0 -317.2 M
0.275781244 0 32 0 0 (Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced,) A
0 -330.4 M
1.51927078 0 32 0 0 (or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference) A
0 -343.6 M
(material or to cite them other than as \233work in ) S
(progress.\234) S
0 -367.8 M
(The list of current Internet-Drafts can be accessed at ) S
(http://www.ietf.org/ietf/1id-abstracts.txt) S
[/Rect [231.980469 -370.589844 410.199219 -358.489838] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://www.ietf.org/ietf/1id-abstracts.txt)] Cd /ANN pdfmark
(.) S
0 -392 M
(The list of Internet-Draft Shadow Directories can be accessed at ) S
(http://www.ietf.org/shadow.html) S
[/Rect [283.601562 -394.789062 430.082031 -382.689056] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://www.ietf.org/shadow.html)] Cd /ANN pdfmark
(.) S
0 -416.2 M
(This Internet-Draft will expire on February 19, ) S
(2010.) S
0 -446.2 M
15 2 Nf
(Copyright) S
[/View [/XYZ -4 328.761719 null] /Dest /119 /DEST pdfmark
( ) S
(Notice) S
0 -470.4 M
11 0 Nf
(Copyright \(c\) 2009 IETF Trust and the persons identified as the document authors. All rights ) S
(reserved.) S
0 -494.6 M
3.1208334 0 32 0 0 (This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF) A
0 -507.8 M
1.34730113 0 32 0 0 (Documents in effect on the date of publication of this document \(http://trustee.ietf.org/license-info\).) A
0 -521 M
0.819475472 0 32 0 0 (Please review these documents carefully, as they describe your rights and restrictions with respect to) A
0 -534.2 M
(this ) S
(document.) S
0 -564.2 M
15 2 Nf
(Abstract) S
[/View [/XYZ -4 210.765625 null] /Dest /120 /DEST pdfmark
0 -588.4 M
11 0 Nf
0.252485782 0 32 0 0 (This document specifies the "Mutual authentication protocol for Hyper-Text Transport Protocol". This) A
0 -601.6 M
4.2045455 0 32 0 0 (protocol provides true mutual authentication between HTTP clients and servers using simple) A
0 -614.8 M
2.15195322 0 32 0 0 (password-based authentication. Unlike Basic and Digest HTTP access authentication protocols, the) A
0 -628 M
5.26207399 0 32 0 0 (protocol ensures that the server knows the user's entity \(encrypted password\) upon successful) A
0 -641.2 M
0.621804 0 32 0 0 (authentication. This prevents common phishing attacks: phishing attackers cannot convince users that) A
0 -654.4 M
2.18932295 0 32 0 0 (they have been authenticated to the genuine website. Furthermore, even when a user has been) A
0 -667.6 M
0.557477653 0 32 0 0 (authenticated against an illegitimate server, the server cannot gain any bit of information about the user's) A
0 -667.6 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 1 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 2 2
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.24869788 0 32 0 0 (passwords. The protocol is designed as an extension to the HTTP protocol, and the protocol design) A
0 -26.4 M
11 0 Nf
0.762784064 0 32 0 0 (intends to replace existing authentication mechanisms such as Basic/Digest access authentications and) A
0 -39.6 M
(form-based authentications. ) S
0 -50.6 M
[/View [/XYZ -4 706.402344 null] /Dest /1 /DEST pdfmark
0 -69.6 M
%%IncludeResource: font Times-Bold
15 2 Nf
(Table) S
[/View [/XYZ -4 705.402344 null] /Dest /121 /DEST pdfmark
( of ) S
(Contents) S
0 -93.8 M
11 0 Nf
(1.) S
[/Rect [-1.0 -96.546875 9.25 -84.4468765] /Subtype /Link /Border [0 0 1] /Dest /2 /ANN pdfmark
(\240 ) S
(Introduction) S
0 -107 M
(\240\240\240\240) S
(1.1.) S
[/Rect [10.0 -109.746094 28.5 -97.6460953] /Subtype /Link /Border [0 0 1] /Dest /4 /ANN pdfmark
(\240 Requirements ) S
(Language) S
0 -120.2 M
(2.) S
[/Rect [-1.0 -122.945312 9.25 -110.845314] /Subtype /Link /Border [0 0 1] /Dest /6 /ANN pdfmark
(\240 Protocol ) S
(Overview) S
0 -133.4 M
(3.) S
[/Rect [-1.0 -136.144531 9.25 -124.044533] /Subtype /Link /Border [0 0 1] /Dest /8 /ANN pdfmark
(\240 Message ) S
(Syntax) S
0 -146.6 M
(\240\240\240\240) S
(3.1.) S
[/Rect [10.0 -149.34375 28.5 -137.243744] /Subtype /Link /Border [0 0 1] /Dest /11 /ANN pdfmark
(\240 Tokens and ) S
(Extensive-tokens) S
0 -159.8 M
(\240\240\240\240) S
(3.2.) S
[/Rect [10.0 -162.542969 28.5 -150.442963] /Subtype /Link /Border [0 0 1] /Dest /13 /ANN pdfmark
(\240 ) S
(Numbers) S
0 -173 M
(\240\240\240\240) S
(3.3.) S
[/Rect [10.0 -175.742188 28.5 -163.642181] /Subtype /Link /Border [0 0 1] /Dest /15 /ANN pdfmark
(\240 ) S
(Strings) S
0 -186.2 M
(4.) S
[/Rect [-1.0 -188.941406 9.25 -176.8414] /Subtype /Link /Border [0 0 1] /Dest /17 /ANN pdfmark
(\240 ) S
(Messages) S
0 -199.4 M
(\240\240\240\240) S
(4.1.) S
[/Rect [10.0 -202.140625 28.5 -190.040619] /Subtype /Link /Border [0 0 1] /Dest /19 /ANN pdfmark
(\240 ) S
(401-B0) S
0 -212.6 M
(\240\240\240\240) S
(4.2.) S
[/Rect [10.0 -215.339844 28.5 -203.239838] /Subtype /Link /Border [0 0 1] /Dest /21 /ANN pdfmark
(\240 ) S
(401-B0-stale) S
0 -225.8 M
(\240\240\240\240) S
(4.3.) S
[/Rect [10.0 -228.539062 28.5 -216.439056] /Subtype /Link /Border [0 0 1] /Dest /23 /ANN pdfmark
(\240 ) S
(req-A1) S
0 -239 M
(\240\240\240\240) S
(4.4.) S
[/Rect [10.0 -241.738281 28.5 -229.638275] /Subtype /Link /Border [0 0 1] /Dest /25 /ANN pdfmark
(\240 ) S
(401-B1) S
0 -252.2 M
(\240\240\240\240) S
(4.5.) S
[/Rect [10.0 -254.9375 28.5 -242.837494] /Subtype /Link /Border [0 0 1] /Dest /27 /ANN pdfmark
(\240 ) S
(req-A3) S
0 -265.4 M
(\240\240\240\240) S
(4.6.) S
[/Rect [10.0 -268.136719 28.5 -256.036713] /Subtype /Link /Border [0 0 1] /Dest /29 /ANN pdfmark
(\240 ) S
(200-B4) S
0 -278.6 M
(5.) S
[/Rect [-1.0 -281.335938 9.25 -269.235931] /Subtype /Link /Border [0 0 1] /Dest /31 /ANN pdfmark
(\240 Decision procedure for the ) S
(client) S
0 -291.8 M
(6.) S
[/Rect [-1.0 -294.535156 9.25 -282.43515] /Subtype /Link /Border [0 0 1] /Dest /34 /ANN pdfmark
(\240 Decision procedure for the ) S
(server) S
0 -305 M
(7.) S
[/Rect [-1.0 -307.734375 9.25 -295.634369] /Subtype /Link /Border [0 0 1] /Dest /36 /ANN pdfmark
(\240 Authentication-Control ) S
(header) S
0 -318.2 M
(\240\240\240\240) S
(7.1.) S
[/Rect [10.0 -320.933594 28.5 -308.833588] /Subtype /Link /Border [0 0 1] /Dest /38 /ANN pdfmark
(\240 Location-when-unauthenticated ) S
(field) S
0 -331.4 M
(\240\240\240\240) S
(7.2.) S
[/Rect [10.0 -334.132812 28.5 -322.032806] /Subtype /Link /Border [0 0 1] /Dest /40 /ANN pdfmark
(\240 Location-when-logout ) S
(field) S
0 -344.6 M
(\240\240\240\240) S
(7.3.) S
[/Rect [10.0 -347.332031 28.5 -335.232025] /Subtype /Link /Border [0 0 1] /Dest /42 /ANN pdfmark
(\240 ) S
(Logout-timeout) S
0 -357.8 M
(8.) S
[/Rect [-1.0 -360.53125 9.25 -348.431244] /Subtype /Link /Border [0 0 1] /Dest /44 /ANN pdfmark
(\240 Authentication ) S
(Algorithms) S
0 -371 M
(\240\240\240\240) S
(8.1.) S
[/Rect [10.0 -373.730469 28.5 -361.630463] /Subtype /Link /Border [0 0 1] /Dest /46 /ANN pdfmark
(\240 Common ) S
(functions) S
0 -384.2 M
(\240\240\240\240) S
(8.2.) S
[/Rect [10.0 -386.929688 28.5 -374.829681] /Subtype /Link /Border [0 0 1] /Dest /48 /ANN pdfmark
(\240 Functions for discrete-logarithm ) S
(settings) S
0 -397.4 M
(\240\240\240\240) S
(8.3.) S
[/Rect [10.0 -400.128906 28.5 -388.0289] /Subtype /Link /Border [0 0 1] /Dest /50 /ANN pdfmark
(\240 Functions for elliptic-curve ) S
(settings) S
0 -410.6 M
(9.) S
[/Rect [-1.0 -413.328125 9.25 -401.228119] /Subtype /Link /Border [0 0 1] /Dest /52 /ANN pdfmark
(\240 Authentication ) S
(Realms) S
0 -423.8 M
(\240\240\240\240) S
(9.1.) S
[/Rect [10.0 -426.527344 28.5 -414.427338] /Subtype /Link /Border [0 0 1] /Dest /54 /ANN pdfmark
(\240 Resolving ) S
(ambiguities) S
0 -437 M
(10.) S
[/Rect [-1.0 -439.726562 14.75 -427.626556] /Subtype /Link /Border [0 0 1] /Dest /56 /ANN pdfmark
(\240 Validation ) S
(Methods) S
0 -450.2 M
(11.) S
[/Rect [-1.0 -452.925781 14.75 -440.825775] /Subtype /Link /Border [0 0 1] /Dest /58 /ANN pdfmark
(\240 Session ) S
(Management) S
0 -463.4 M
(12.) S
[/Rect [-1.0 -466.125 14.75 -454.025] /Subtype /Link /Border [0 0 1] /Dest /60 /ANN pdfmark
(\240 Optional Mutual ) S
(Authentication) S
0 -476.6 M
(13.) S
[/Rect [-1.0 -479.324219 14.75 -467.224213] /Subtype /Link /Border [0 0 1] /Dest /62 /ANN pdfmark
(\240 Methods to extend this ) S
(protocol) S
0 -489.8 M
(14.) S
[/Rect [-1.0 -492.523438 14.75 -480.423431] /Subtype /Link /Border [0 0 1] /Dest /64 /ANN pdfmark
(\240 IANA ) S
(Considerations) S
0 -503 M
(15.) S
[/Rect [-1.0 -505.722656 14.75 -493.62265] /Subtype /Link /Border [0 0 1] /Dest /66 /ANN pdfmark
(\240 Security ) S
(Considerations) S
0 -516.2 M
(\240\240\240\240) S
(15.1.) S
[/Rect [10.0 -518.921875 34.0 -506.821869] /Subtype /Link /Border [0 0 1] /Dest /68 /ANN pdfmark
(\240 General ) S
(Assumptions) S
0 -529.4 M
(\240\240\240\240) S
(15.2.) S
[/Rect [10.0 -532.121094 34.0 -520.021118] /Subtype /Link /Border [0 0 1] /Dest /70 /ANN pdfmark
(\240 Implementation ) S
(Considerations) S
0 -542.6 M
(\240\240\240\240) S
(15.3.) S
[/Rect [10.0 -545.320312 34.0 -533.220337] /Subtype /Link /Border [0 0 1] /Dest /72 /ANN pdfmark
(\240 Usage ) S
(Considerations) S
0 -555.8 M
(16.) S
[/Rect [-1.0 -558.519531 14.75 -546.419556] /Subtype /Link /Border [0 0 1] /Dest /74 /ANN pdfmark
(\240 Notice on intellectual ) S
(properties) S
0 -569 M
(17.) S
[/Rect [-1.0 -571.71875 14.75 -559.618774] /Subtype /Link /Border [0 0 1] /Dest /76 /ANN pdfmark
(\240 ) S
(Acknowledgement) S
0 -582.2 M
(18.) S
[/Rect [-1.0 -584.917969 14.75 -572.818] /Subtype /Link /Border [0 0 1] /Dest /80 /ANN pdfmark
(\240 ) S
(References) S
0 -595.4 M
(\240\240\240\240) S
(18.1.) S
[/Rect [10.0 -598.117188 34.0 -586.017212] /Subtype /Link /Border [0 0 1] /Dest /80 /ANN pdfmark
(\240 Normative ) S
(References) S
0 -608.6 M
(\240\240\240\240) S
(18.2.) S
[/Rect [10.0 -611.316406 34.0 -599.216431] /Subtype /Link /Border [0 0 1] /Dest /90 /ANN pdfmark
(\240 Informative ) S
(References) S
0 -621.8 M
(Appendix\240A.) S
[/Rect [-1.0 -624.515625 57.8203125 -612.415649] /Subtype /Link /Border [0 0 1] /Dest /100 /ANN pdfmark
(\240 Group parameters for discrete-logarithm based ) S
(algorithms) S
0 -635 M
(Appendix\240B.) S
[/Rect [-1.0 -637.714844 57.2148438 -625.614868] /Subtype /Link /Border [0 0 1] /Dest /102 /ANN pdfmark
(\240 Derived numerical ) S
(values) S
0 -648.2 M
(Appendix\240C.) S
[/Rect [-1.0 -650.914062 57.2148438 -638.814087] /Subtype /Link /Border [0 0 1] /Dest /104 /ANN pdfmark
(\240 Draft Remarks from the ) S
(Authors) S
0 -661.4 M
(Appendix\240D.) S
[/Rect [-1.0 -664.113281 57.8203125 -652.013306] /Subtype /Link /Border [0 0 1] /Dest /106 /ANN pdfmark
(\240 Draft Change ) S
(Log) S
0 -661.4 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 2 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 3 3
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(\240\240\240\240) S
(D.1.) S
[/Rect [10.0 -15.9492188 30.9414062 -3.84921837] /Subtype /Link /Border [0 0 1] /Dest /108 /ANN pdfmark
(\240 Changes in revision ) S
(05) S
0 -26.4 M
11 0 Nf
(\240\240\240\240) S
(D.2.) S
[/Rect [10.0 -29.1484375 30.9414062 -17.0484371] /Subtype /Link /Border [0 0 1] /Dest /110 /ANN pdfmark
(\240 Changes in revision ) S
(04) S
0 -39.6 M
(\240\240\240\240) S
(D.3.) S
[/Rect [10.0 -42.3476562 30.9414062 -30.2476559] /Subtype /Link /Border [0 0 1] /Dest /112 /ANN pdfmark
(\240 Changes in revision ) S
(03) S
0 -52.8 M
(\240\240\240\240) S
(D.4.) S
[/Rect [10.0 -55.546875 30.9414062 -43.4468765] /Subtype /Link /Border [0 0 1] /Dest /114 /ANN pdfmark
(\240 Changes in revision ) S
(02) S
0 -66 M
(\247) S
[/Rect [-1.0 -68.7460938 6.5 -56.6460953] /Subtype /Link /Border [0 0 1] /Dest /116 /ANN pdfmark
(\240 Authors' ) S
(Addresses) S
0 -77 M
[/View [/XYZ -4 680.003906 null] /Dest /2 /DEST pdfmark
0 -77 M
[/View [/XYZ -4 680.003906 null] /Dest /3 /DEST pdfmark
0 -96 M
%%IncludeResource: font Times-Bold
15 2 Nf
(1.) S
[/View [/XYZ -4 679.003906 null] /Dest /122 /DEST pdfmark
( ) S
(Introduction) S
0 -120.2 M
11 0 Nf
0.252485782 0 32 0 0 (This document specifies the "Mutual authentication protocol for Hyper-Text Transport Protocol". This) A
0 -133.4 M
4.2045455 0 32 0 0 (protocol provides true mutual authentication between HTTP clients and servers using simple) A
0 -146.6 M
4.49522591 0 32 0 0 (password-based authentication. Unlike ) A
4.49522591 0 32 0 0 (Basic and Digest HTTP access authentication ) A
4.49522591 0 32 0 0 (protocol) A
[/Rect [185.957031 -149.34375 454.972656 -137.243744] /Subtype /Link /Border [0 0 1] /Dest /96 /ANN pdfmark
0 -159.8 M
2.83626294 0 32 0 0 ([RFC2617], the protocol ensures that the server knows the user's entity \(encrypted password\) upon) A
0 -173 M
0.348437488 0 32 0 0 (successful authentication. This prevents common phishing attacks: phishing attackers cannot convince) A
0 -186.2 M
0.735351562 0 32 0 0 (users that they have been authenticated to the genuine website. Furthermore, even when a user has) A
0 -199.4 M
0.949776769 0 32 0 0 (been authenticated against an illegitimate server, the server cannot gain any bit of information about) A
0 -212.6 M
(the user's ) S
(passwords.) S
0 -236.8 M
1.95973563 0 32 0 0 (Recently, phishing attacks are getting more and more sophisticated. Phishers not only steal users') A
0 -250 M
0.318359375 0 32 0 0 (passwords directly, but imitate successful authentication to steal users' sensitive information, check the) A
0 -263.2 M
0.24609375 0 32 0 0 (password validity by forwarding the password to the legitimate server, or employ a man-in-the-middle) A
0 -276.4 M
1.81835938 0 32 0 0 (attack to hijack the user's login session. Existing countermeasures such as one-time passwords cannot) A
0 -289.6 M
(completely solve these ) S
(problems.) S
0 -313.8 M
1.33359373 0 32 0 0 (The protocol prevents such attacks by providing users a way to discriminate between true and fake) A
0 -327 M
0.771972656 0 32 0 0 (web servers using their own passwords. Even when a user inputs his/her password to a fake website,) A
0 -340.2 M
0.148697913 0 32 0 0 (using this authentication method, no information about the password leaks to the phisher, and) A
0 -353.4 M
3.1595552 0 32 0 0 (the user certainly notices that the mutual authentication has failed. Phishers cannot make such an) A
0 -366.6 M
0.380208343 0 32 0 0 (authentication attempt succeed, even if they forward received data from a user to the legitimate server) A
0 -379.8 M
0.728630543 0 32 0 0 (or vice versa. Users can safely input sensitive data to the web forms after confirming that the mutual) A
0 -393 M
(authentication has succeeded. ) S
0 -417.2 M
0.399274558 0 32 0 0 (To achieve this goal, this protocol uses a mechanism in ) A
0.399274558 0 32 0 0 (ISO/IEC ) A
0.399274558 0 32 0 0 (11770-4) A
[/Rect [248.867188 -419.929688 329.160156 -407.829681] /Subtype /Link /Border [0 0 1] /Dest /93 /ANN pdfmark
0.399274558 0 32 0 0 ( [ISO.11770-4.2006], a kind) A
0 -430.4 M
1.46321619 0 32 0 0 (of PAKE \(Password-Authenticated Key Exchange\) authentication algorithms as a basis. The use of) A
0 -443.6 M
1.28125 0 32 0 0 (PAKE mechanism allows users to use familiar ID/password based accesses, without fear of leaking) A
0 -456.8 M
2.04453135 0 32 0 0 (any password information to the communication peer. The protocol, as a whole, is designed as a) A
0 -470 M
(natural extension to the ) S
(HTTP ) S
(protocol) S
[/Rect [104.679688 -472.726562 173.574219 -460.626556] /Subtype /Link /Border [0 0 1] /Dest /95 /ANN pdfmark
( [RFC2616]. ) S
0 -494.2 M
0.436298072 0 32 0 0 (The design also aims to replace current form-based Web authentication, which is very vulnerable) A
0 -507.4 M
4.42613649 0 32 0 0 (against phishing attacks. To this purpose, several extensions to ) A
4.42613649 0 32 0 0 (current HTTP authentication ) A
[/Rect [317.707031 -510.125 462.171875 -498.025] /Subtype /Link /Border [0 0 1] /Dest /96 /ANN pdfmark
0 -520.6 M
(mechanism) S
[/Rect [-1.0 -523.324219 51.0898438 -511.224213] /Subtype /Link /Border [0 0 1] /Dest /96 /ANN pdfmark
( [RFC2617] are introduced. ) S
0 -531.6 M
[/View [/XYZ -4 225.425781 null] /Dest /4 /DEST pdfmark
0 -531.6 M
[/View [/XYZ -4 225.425781 null] /Dest /5 /DEST pdfmark
0 -550.6 M
15 2 Nf
(1.1.) S
[/View [/XYZ -4 224.425781 null] /Dest /123 /DEST pdfmark
( Requirements ) S
(Language) S
0 -574.8 M
11 0 Nf
1.89609373 0 32 0 0 (The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",) A
0 -588 M
2.6889205 0 32 0 0 ("SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be) A
0 -601.2 M
(interpreted as described in ) S
([RFC2119]) S
[/Rect [117.488281 -603.921875 169.59375 -591.821899] /Subtype /Link /Border [0 0 1] /Dest /83 /ANN pdfmark
(.) S
0 -612.2 M
[/View [/XYZ -4 144.828125 null] /Dest /6 /DEST pdfmark
0 -612.2 M
[/View [/XYZ -4 144.828125 null] /Dest /7 /DEST pdfmark
0 -613.2 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 3 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 4 4
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -18 M
%%IncludeResource: font Times-Bold
15 2 Nf
(2.) S
[/View [/XYZ -4 757.0 null] /Dest /124 /DEST pdfmark
( Protocol ) S
(Overview) S
0 -42.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(The following sequence is a typical sequence for the first access to the resource. ) S
11 -62.8 M
gsave
0 setgray
newpath
11.0 -62.7695312 2.75 0 360 arc
closepath
fill
grestore
22 -66.4 M
1.54326928 0 32 0 0 (If the server \(S\) has received a request for mutual-authentication protected resources from the) A
22 -79.6 M
(Client \(C\) \(which is not a req-A1 nor a req-A3 message\), it sends a 401-B0 message to C. ) S
22 -92.8 M
0.579166651 0 32 0 0 (When C has received a 401-B0 message, C SHOULD check validity of the message. If it succeeds,) A
22 -106 M
(C processes the body of the message, and enables the password entry field. ) S
11 -116.6 M
gsave
0 setgray
newpath
11.0 -116.566406 2.75 0 360 arc
closepath
fill
grestore
22 -120.2 M
0.160590276 0 32 0 0 (If the user has input the username and password as a response to the 401-B0 message, C creates a) A
22 -133.4 M
(value s_A, calculates the value w_A, and then constructs and sends a req-A1 message. ) S
11 -144 M
gsave
0 setgray
newpath
11.0 -143.964844 2.75 0 360 arc
closepath
fill
grestore
22 -147.6 M
1.15527344 0 32 0 0 (If S has received a req-A1 message, S should check validity of w_A, record the received w_A) A
22 -160.8 M
0.746710539 0 32 0 0 (value, and then look up the username from the user table. If the user is found, S prepares a new) A
22 -174 M
0.12109375 0 32 0 0 (session id \(sid\), records it into a session table, and then constructs s_B, calculates w_B, and sends) A
22 -187.2 M
(a 401-B1 message. ) S
22 -200.4 M
0.781020224 0 32 0 0 (If no matching user is found, the server SHOULD construct a fake w_B value, and let the) A
22 -213.6 M
(protocol continue by sending a 401-B1 message. ) S
11 -224.2 M
gsave
0 setgray
newpath
11.0 -224.160156 2.75 0 360 arc
closepath
fill
grestore
22 -227.8 M
1.47875977 0 32 0 0 (When C has received a 401-B1 message as a response for a req-A1 message, C should check) A
22 -241 M
(validity of w_B, and compute z and o_A, and send a req-A3 message. ) S
22 -254.2 M
0.0649414062 0 32 0 0 (If C receives any message other than 401-B1, C MUST NOT process its body and MUST treat) A
22 -267.4 M
2.69363832 0 32 0 0 (it as a fatal communication error condition. This case includes the reception of HTTP OK) A
22 -280.6 M
(\(200-status\) message. ) S
11 -291.2 M
gsave
0 setgray
newpath
11.0 -291.15625 2.75 0 360 arc
closepath
fill
grestore
22 -294.8 M
0.754557312 0 32 0 0 (If S has received a req-A3 message, S should look up the received sid from the session table. If) A
22 -308 M
0.00854492188 0 32 0 0 (there is no matching sid, or if S has not received the corresponding req-A1 message beforehand, S) A
22 -321.2 M
(SHOULD send a 401-B0-stale message. ) S
22 -334.4 M
0.713623047 0 32 0 0 (Otherwise, S should compute o_A and check its value. If the validation has failed, it means that) A
22 -347.6 M
(the authentication has failed. The server SHOULD send a 401-B0 message. ) S
22 -360.8 M
(If the validation has succeeded, the server SHOULD calculate o_B, and send a 200-B4 message. ) S
11 -371.4 M
gsave
0 setgray
newpath
11.0 -371.351562 2.75 0 360 arc
closepath
fill
grestore
22 -375 M
1.39131439 0 32 0 0 (In response to a req-A3 message, when C has received a 401-B0 message, it means that the) A
22 -388.2 M
0.596875 0 32 0 0 (authentication has failed, possibly because the wrong password has been given. C MAY) A
22 -401.4 M
(ignore the body of the 401-B0 message in this case. ) S
22 -414.6 M
0.98046875 0 32 0 0 (When C has received a 200-B4 message, C MUST first compute the value of o_B and validate) A
22 -427.8 M
0.0746527761 0 32 0 0 (the value o_B sent from the server. If it is not verified successfully, C MUST ignore the body of) A
22 -441 M
1.01534593 0 32 0 0 (the message, and treat the situation as a fatal communication error condition. If the verification) A
22 -454.2 M
(has succeeded, C will process the body of the message. ) S
22 -467.4 M
2.2877605 0 32 0 0 (If C receives any message other than 401-B0 or a valid 200-B4, C MUST NOT process the) A
22 -480.6 M
0.784114599 0 32 0 0 (message body and other headers and MUST treat it as a fatal communication error condition. This) A
22 -493.8 M
(case includes the reception of usual HTTP OK \(200-status\) messages. ) S
0 -518 M
0.0849609375 0 32 0 0 (For the second or later request to the server, if the client knows that the resource is likely to require the) A
0 -531.2 M
4.678267 0 32 0 0 (authentication, the client MAY omit first unauthenticated request and send req-A1 message) A
0 -544.4 M
1.3393842 0 32 0 0 (immediately. In this case, the first \(and only the first\) response from the server MAY be a normal,) A
0 -557.6 M
(unauthenticated message, and the client MAY accept such messages. ) S
0 -581.8 M
1.49780273 0 32 0 0 (Furthermore, if client owns a valid session ID \(sid\), the client MAY send a req-A3 message using) A
0 -595 M
0.275146484 0 32 0 0 (existing sid. In such cases, the server MAY have thrown out the corresponding sessions from the) A
0 -608.2 M
0.697021484 0 32 0 0 (session table. In this case, the server SHOULD send a 401-B0-stale message as a response to req-A3) A
0 -621.4 M
(message, and C SHOULD retry from constructing a req-A1 message. ) S
0 -632.4 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 4 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 5 5
%%PageResources: font Times-Roman Times-Bold Courier Courier-Oblique Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(For more detail, see ) S
(Section\2405) S
[/Rect [89.09375 -15.9492188 132.332031 -3.84921837] /Subtype /Link /Border [0 0 1] /Dest /31 /ANN pdfmark
(. ) S
0 -24.2 M
[/View [/XYZ -4 732.800781 null] /Dest /8 /DEST pdfmark
0 -24.2 M
[/View [/XYZ -4 732.800781 null] /Dest /9 /DEST pdfmark
0 -43.2 M
%%IncludeResource: font Times-Bold
15 2 Nf
(3.) S
[/View [/XYZ -4 731.800781 null] /Dest /125 /DEST pdfmark
( Message ) S
(Syntax) S
0 -67.4 M
11 0 Nf
1.15234375 0 32 0 0 (The Mutual authentication protocol uses five headers: WWW-Authenticate \(in responses with status) A
0 -80.6 M
11.1660156 0 32 0 0 (code 401\), Optional-WWW-Authenticate \(in responses with positive status codes\),) A
0 -93.8 M
4.67578125 0 32 0 0 (Authentication-Control \(in responses\), Authorization \(in requests\), and Authentication-info \(in) A
0 -107 M
0.511439741 0 32 0 0 (positive responses\). These five headers share the common syntax described in ) A
0.511439741 0 32 0 0 (Figure\2401) A
[/Rect [350.316406 -109.746094 389.277344 -97.6460953] /Subtype /Link /Border [0 0 1] /Dest /10 /ANN pdfmark
0.511439741 0 32 0 0 (. The syntax is) A
0 -120.2 M
2.27685547 0 32 0 0 (denoted in the augmented BNF syntax defined in ) A
2.27685547 0 32 0 0 ([RFC5234]) A
[/Rect [235.898438 -122.945312 288.003906 -110.845314] /Subtype /Link /Border [0 0 1] /Dest /88 /ANN pdfmark
2.27685547 0 32 0 0 (. The syntax is a subset of the one) A
0 -133.4 M
(described in ) S
([RFC2617]) S
[/Rect [55.1953125 -136.144531 107.300781 -124.044533] /Subtype /Link /Border [0 0 1] /Dest /96 /ANN pdfmark
(. ) S
0 -144.4 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -155.4 M
[/View [/XYZ -4 601.605469 null] /Dest /10 /DEST pdfmark
0 -166.2 M
%%IncludeResource: font Courier
9.0 4 Nf
( ) S
%%IncludeResource: font Courier-Oblique
9.0 5 Nf
(header) S
9.0 4 Nf
(           = ) S
9.0 5 Nf
(header-name) S
9.0 4 Nf
( ":" [) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
(] ) S
9.0 5 Nf
(auth-scheme) S
9.0 4 Nf
( ) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
( ) S
9.0 5 Nf
(fields) S
0 -177 M
9.0 4 Nf
( ) S
9.0 5 Nf
(header-name) S
9.0 4 Nf
(      = "WWW-Authenticate" / "Optional-WWW-Authenticate") S
0 -187.8 M
(                  / "Authorization" / "Authentication-info") S
0 -198.6 M
(                  / "Authentication-Control") S
0 -209.4 M
9.0 4 Nf
( ) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
(           = 1*\(" " / %x09 / %x0D.0A \(" " / %x09\)\)        ) S
9.0 5 Nf
(; LWSP) S
0 -220.2 M
9.0 4 Nf
( ) S
9.0 5 Nf
(auth-scheme) S
9.0 4 Nf
(      = "Mutual"                ) S
9.0 5 Nf
(; see HTTP for other values) S
0 -231 M
9.0 4 Nf
( ) S
9.0 5 Nf
(fields) S
9.0 4 Nf
(           = ) S
9.0 5 Nf
(field) S
9.0 4 Nf
( *\([) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
(] "," ) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
( ) S
9.0 5 Nf
(field) S
9.0 4 Nf
(\)) S
0 -241.8 M
9.0 4 Nf
( ) S
9.0 5 Nf
(field) S
9.0 4 Nf
(            = ) S
9.0 5 Nf
(key) S
9.0 4 Nf
( "=" ) S
9.0 5 Nf
(value) S
0 -252.6 M
9.0 4 Nf
( ) S
9.0 5 Nf
(key) S
9.0 4 Nf
(              = ) S
9.0 5 Nf
(extensive-token) S
0 -263.4 M
9.0 4 Nf
( ) S
9.0 5 Nf
(extensive-token) S
9.0 4 Nf
(  = ) S
9.0 5 Nf
(token) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(extension-token) S
0 -274.2 M
9.0 4 Nf
( ) S
9.0 5 Nf
(extension-token) S
9.0 4 Nf
(  = ) S
9.0 5 Nf
(token) S
9.0 4 Nf
( "@" ) S
9.0 5 Nf
(token) S
0 -285 M
9.0 4 Nf
( ) S
9.0 5 Nf
(token) S
9.0 4 Nf
(            = 1*\(%x30-39 / %x41-5A / %x61-7A / "." / "-" / "_"\)) S
0 -295.8 M
9.0 4 Nf
( ) S
9.0 5 Nf
(value) S
9.0 4 Nf
(            = ) S
9.0 5 Nf
(extensive-token) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(integer) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(hex-integer) S
0 -306.6 M
9.0 4 Nf
(                  / ) S
9.0 5 Nf
(hex-fixed-number) S
0 -317.4 M
9.0 4 Nf
(                  / ) S
9.0 5 Nf
(base64-fixed-number) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(string) S
0 -328.1 M
9.0 4 Nf
( ) S
9.0 5 Nf
(integer) S
9.0 4 Nf
(          = "0" / \(%x31-39 *%x30-39\)         ) S
9.0 5 Nf
(; no leading zeros) S
0 -338.9 M
9.0 4 Nf
( ) S
9.0 5 Nf
(hex-integer) S
9.0 4 Nf
(      = "0") S
0 -349.7 M
9.0 4 Nf
(                  / \(\(%x31-39 / %x41-46 / %x61-66\)   ) S
9.0 5 Nf
(; no leading zeros) S
0 -360.5 M
9.0 4 Nf
(                     *\(%x30-39 / %x41-46 / %x61-66\)\)) S
0 -371.3 M
9.0 4 Nf
( ) S
9.0 5 Nf
(hex-fixed-number) S
9.0 4 Nf
( = 1*\(%x30-39 / %x41-46 / %x61-66\)) S
0 -382.1 M
9.0 4 Nf
( ) S
9.0 5 Nf
(base64-fixed-number) S
9.0 4 Nf
( = ) S
9.0 5 Nf
(string) S
0 -392.9 M
9.0 4 Nf
( ) S
9.0 5 Nf
(string) S
9.0 4 Nf
(           = %x22 *\(%x20-21 / %x23-5B / %x5D-FF) S
0 -403.7 M
(                           / %x5C.22 / "\\\\" / "\\,"\) %x22) S
125.3 -426.7 M
7.63889 2 Nf
(\240Figure\2401: the BNF syntax for the headers used in the ) S
(protocol\240) S
0 -440.6 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -451.6 M
[/View [/XYZ -4 305.4375 null] /Dest /11 /DEST pdfmark
0 -451.6 M
[/View [/XYZ -4 305.4375 null] /Dest /12 /DEST pdfmark
0 -470.6 M
15 2 Nf
(3.1.) S
[/View [/XYZ -4 304.4375 null] /Dest /126 /DEST pdfmark
( Tokens and ) S
(Extensive-tokens) S
0 -494.8 M
11 0 Nf
0.497656256 0 32 0 0 (The tokens MUST be interpreted case-insensitively, and SHOULD be sent in the same case as shown) A
0 -508 M
2.8210938 0 32 0 0 (in the specification. When these are used as \(partial\) inputs to any hash or other mathematical) A
0 -521.2 M
2.05649042 0 32 0 0 (functions, it MUST be used in lower-case. All hex-fixed-number or hex-integer numbers are also) A
0 -534.4 M
(case-insensitive, and SHOULD be sent in lower-case. ) S
0 -558.6 M
3.14518237 0 32 0 0 (Extensive-tokens are used where the set of acceptable tokens is extensible. Any non-standard) A
0 -571.8 M
1.51523435 0 32 0 0 (extensions of this protocol MUST use the extension-tokens of format "<token>@<domain-name>",) A
0 -585 M
0.152604163 0 32 0 0 (where domain-name is the valid registered \(sub-\)domain name on the Internet owned by the party who) A
0 -598.2 M
(defines extensions. ) S
0 -609.2 M
[/View [/XYZ -4 147.84375 null] /Dest /13 /DEST pdfmark
0 -609.2 M
[/View [/XYZ -4 147.84375 null] /Dest /14 /DEST pdfmark
0 -610.2 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 5 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 6 6
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -18 M
%%IncludeResource: font Times-Bold
15 2 Nf
(3.2.) S
[/View [/XYZ -4 757.0 null] /Dest /127 /DEST pdfmark
( ) S
(Numbers) S
0 -42.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.0100446427 0 32 0 0 (The syntax definitions of integer and hex-integer only allow representations which do not contain extra) A
0 -55.4 M
(leading 0s. ) S
0 -79.6 M
1.35336542 0 32 0 0 (The numbers represented as a hex-fixed-number MUST have even characters \(i.e. multiple of eight) A
0 -92.8 M
0.361049116 0 32 0 0 (bits\). When these are generated from cryptographic values, those SHOULD have the natural length: if) A
0 -106 M
0.372802734 0 32 0 0 (these are generated from a hash function, these lengths SHOULD correspond to the hash size; if these) A
0 -119.2 M
1.42912948 0 32 0 0 (are representing elements of a mathematical group, its lengths SHOULD be the shortest which can) A
0 -132.4 M
0.160888672 0 32 0 0 (represent all elements in the group. See ) A
0.160888672 0 32 0 0 (Appendix\240B) A
[/Rect [176.035156 -135.144531 231.5 -123.044533] /Subtype /Link /Border [0 0 1] /Dest /102 /ANN pdfmark
0.160888672 0 32 0 0 ( for information about the length of the fields used) A
0 -145.6 M
0.863002241 0 32 0 0 (in this specification. Other values such as session-id are represented in any \(even\) length determined) A
0 -158.8 M
2.92773438 0 32 0 0 (by the side who generates it first, and the same length SHALL be used throughout the whole) A
0 -172 M
(communications by both peers. ) S
0 -196.2 M
0.24849759 0 32 0 0 (The numbers represented as a base64-fixed-number SHALL be generated as follows: first, the number) A
0 -209.4 M
0.435997605 0 32 0 0 (is converted to a big-endian octet-string representation. The length of the representation is determined) A
0 -222.6 M
0.598958313 0 32 0 0 (in the same way as above. Then, the string is encoded by ) A
0.598958313 0 32 0 0 (the Base 64 ) A
0.598958313 0 32 0 0 (encoding) A
[/Rect [259.078125 -225.339844 357.257812 -213.239838] /Subtype /Link /Border [0 0 1] /Dest /87 /ANN pdfmark
0.598958313 0 32 0 0 ( [RFC4648], and then) A
0 -235.8 M
(enclosed by two double-quotations. ) S
0 -246.8 M
[/View [/XYZ -4 510.210938 null] /Dest /15 /DEST pdfmark
0 -246.8 M
[/View [/XYZ -4 510.210938 null] /Dest /16 /DEST pdfmark
0 -265.8 M
15 2 Nf
(3.3.) S
[/View [/XYZ -4 509.210938 null] /Dest /128 /DEST pdfmark
( ) S
(Strings) S
0 -290 M
11 0 Nf
1.30198312 0 32 0 0 (All strings outside ASCII or equivalent character sets SHOULD be encoded using ) A
1.30198312 0 32 0 0 (UTF-8 ) A
1.30198312 0 32 0 0 (encoding) A
[/Rect [378.679688 -292.738281 454.984375 -280.638275] /Subtype /Link /Border [0 0 1] /Dest /86 /ANN pdfmark
0 -303.2 M
1.66503906 0 32 0 0 ([RFC3629] of the ) A
1.66503906 0 32 0 0 (ISO 10646-1 character ) A
1.66503906 0 32 0 0 (set) A
[/Rect [84.9453125 -305.9375 207.066406 -293.837494] /Subtype /Link /Border [0 0 1] /Dest /92 /ANN pdfmark
1.66503906 0 32 0 0 ( [ISO.10646-1.1993]. Both peers SHOULD reject any) A
0 -316.4 M
1.64663458 0 32 0 0 (invalid UTF-8 sequences which cause decoding ambiguities \(e.g. containing <"> in the second or) A
0 -329.6 M
0.929947913 0 32 0 0 (later byte of the UTF-8 encoded characters\). To encode character strings, these will first be encoded) A
0 -342.8 M
1.91067708 0 32 0 0 (according to UTF-8 without leading BOM, then all occurrences of characters <"> and "\\" will be) A
0 -356 M
0.108552635 0 32 0 0 (escaped by prepending "\\", and two <">s will be put around the string. If the contents of the strings are) A
0 -369.2 M
(comma-separated values, the commas in the values are also quoted by "\\". ) S
0 -393.4 M
0.377864569 0 32 0 0 (If strings are representing a domain name or URI which contains non-ASCII characters, the host parts) A
0 -406.6 M
1.27584136 0 32 0 0 (SHOULD be encoded using puny-code defined in ) A
1.27584136 0 32 0 0 ([RFC3492]) A
[/Rect [230.585938 -409.332031 282.691406 -397.232025] /Subtype /Link /Border [0 0 1] /Dest /97 /ANN pdfmark
1.27584136 0 32 0 0 ( instead of UTF-8, and SHOULD use) A
0 -419.8 M
(lower-case ASCII characters. ) S
0 -444 M
(For Base64-fixed-numbers, which use the string syntax, see the previous section. ) S
0 -455 M
[/View [/XYZ -4 302.019531 null] /Dest /17 /DEST pdfmark
0 -455 M
[/View [/XYZ -4 302.019531 null] /Dest /18 /DEST pdfmark
0 -474 M
15 2 Nf
(4.) S
[/View [/XYZ -4 301.019531 null] /Dest /129 /DEST pdfmark
( ) S
(Messages) S
0 -498.2 M
11 0 Nf
0.684895813 0 32 0 0 (In this section, formats and requirements of the headers for each message are presented. The allowed) A
0 -511.4 M
3.80932617 0 32 0 0 (type of values for each header field is shown in parenthesis after the key names. The type) A
0 -524.6 M
0.0607910156 0 32 0 0 ("algorithm-determined" means that the acceptable value type for the field is one of the types defined in ) A
0 -537.8 M
(Section\2403) S
[/Rect [-1.0 -540.527344 42.2382812 -528.427368] /Subtype /Link /Border [0 0 1] /Dest /8 /ANN pdfmark
(, and is determined by the value of the "algorithm" field. ) S
0 -562 M
0.707763672 0 32 0 0 (Note: The term "optional" here means that omitting the field is allowed and has specific meanings in) A
0 -575.2 M
(communications \(i.e.\240it is not generally "OPTIONAL" defined in ) S
([RFC2119]) S
[/Rect [287.441406 -577.925781 339.546875 -565.825806] /Subtype /Link /Border [0 0 1] /Dest /83 /ANN pdfmark
(\). ) S
0 -586.2 M
[/View [/XYZ -4 170.824219 null] /Dest /19 /DEST pdfmark
0 -586.2 M
[/View [/XYZ -4 170.824219 null] /Dest /20 /DEST pdfmark
0 -605.2 M
15 2 Nf
(4.1.) S
[/View [/XYZ -4 169.824219 null] /Dest /130 /DEST pdfmark
( ) S
(401-B0) S
0 -629.4 M
11 0 Nf
0.926106751 0 32 0 0 (Every 401-B0 message SHALL be a valid HTTP 401 \(Authentication Required\) message containing) A
0 -642.6 M
1.81217444 0 32 0 0 (one \(and only one: hereafter not explicitly noted\) "WWW-Authenticate" header of the following) A
0 -655.8 M
(format. ) S
0 -655.8 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 6 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 7 7
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
13.2421875 0 32 0 0 (WWW-Authenticate: Mutual algorithm=xxxx, validation=xxxx, realm="xxxx", stale=0,) A
0 -26.4 M
(version=-draft05 ) S
0 -50.6 M
(The header SHALL contain the fields with the following keys: ) S
11 -74.8 M
(version: ) S
33 -88 M
1.63955963 0 32 0 0 (\(extensive-token\) should be the token "-draft05" in this specification. The behavior when) A
33 -101.2 M
(other values are specified is undefined. ) S
11 -114.4 M
(algorithm: ) S
33 -127.6 M
0.290364593 0 32 0 0 (\(extensive-token\) specifies the authentication algorithm to be used. The value MUST be one) A
33 -140.8 M
4.18326807 0 32 0 0 (of the tokens described in ) A
4.18326807 0 32 0 0 (Section\2408) A
[/Rect [168.65625 -143.542969 211.894531 -131.442963] /Subtype /Link /Border [0 0 1] /Dest /44 /ANN pdfmark
4.18326807 0 32 0 0 (, or the tokens specified in other supplemental) A
33 -154 M
(specification documentations. ) S
11 -167.2 M
(validation: ) S
33 -180.4 M
1.37169468 0 32 0 0 (\(extensive-token\) specifies the method of host validation. The value MUST be one of the) A
33 -193.6 M
1.25994313 0 32 0 0 (tokens described in ) A
1.25994313 0 32 0 0 (Section\24010) A
[/Rect [123.433594 -196.339844 172.171875 -184.239838] /Subtype /Link /Border [0 0 1] /Dest /56 /ANN pdfmark
1.25994313 0 32 0 0 (, or the tokens specified in other supplemental specification) A
33 -206.8 M
(documentations. ) S
11 -220 M
(auth-domain: ) S
33 -233.2 M
1.31463063 0 32 0 0 (\(optional, string\) specifies authentication domain, the set of hosts on which authentication) A
33 -246.4 M
1.13452148 0 32 0 0 (credentials are valid. It MUST be one of the strings described in ) A
1.13452148 0 32 0 0 (Section\2409) A
[/Rect [330.542969 -249.136719 373.78125 -237.036713] /Subtype /Link /Border [0 0 1] /Dest /52 /ANN pdfmark
1.13452148 0 32 0 0 (. If the value is) A
33 -259.6 M
(omitted, it is assumed to be the host part of the requested URI. ) S
11 -272.8 M
(realm: ) S
33 -286 M
0.786057711 0 32 0 0 (\(string\) is a UTF-8 encoded string representing the name of the authentication realm inside) A
33 -299.2 M
(the authentication domain. ) S
11 -312.4 M
(pwd-hash: ) S
33 -325.6 M
3.95667624 0 32 0 0 (\(optional, extensive-token\) specifies the hash algorithm \(referred to by ph\) used for) A
33 -338.8 M
(additionally hashing the password. The valid tokens are ) S
44 -349.4 M
gsave
0 setgray
newpath
44.0 -349.351562 2.75 0 360 arc
closepath
fill
grestore
55 -353 M
(none: ph\(p\) = p ) S
44 -363.6 M
gsave
0 setgray
newpath
44.0 -363.550781 2.75 0 360 arc
closepath
fill
grestore
55 -367.2 M
(md5: ph\(p\) = MD5\(p\) ) S
44 -377.7 M
gsave
0 setgray
newpath
44.0 -377.75 2.75 0 360 arc
closepath
fill
grestore
55 -381.4 M
0.602050781 0 32 0 0 (digest-md5: ph\(p\) = MD5\(username | ":" | realm | ":" | p\), the same value as MD5\(A1\)) A
55 -394.6 M
(for "MD5" algorithm in ) S
([RFC2617]) S
[/Rect [161.324219 -397.328125 213.429688 -385.228119] /Subtype /Link /Border [0 0 1] /Dest /96 /ANN pdfmark
(. ) S
44 -405.1 M
gsave
0 setgray
newpath
44.0 -405.148438 2.75 0 360 arc
closepath
fill
grestore
55 -408.8 M
(sha1: ph\(p\) = ) S
(SHA1\(p\)) S
33 -422 M
(If omitted, the value "none" is assumed. The use of "none" is recommended. ) S
11 -435.2 M
(stale: ) S
33 -448.4 M
(\(token\) MUST be "0". ) S
0 -472.6 M
0.860491097 0 32 0 0 (Any additional fields SHOULD NOT be contained in the header, except those explicitly specified in) A
0 -485.8 M
(supplement specifications of the "authentication algorithm". ) S
0 -510 M
(The algorithm will determine the types and the values for w_A, w_B, o_A and o_B. ) S
0 -521 M
[/View [/XYZ -4 236.027344 null] /Dest /21 /DEST pdfmark
0 -521 M
[/View [/XYZ -4 236.027344 null] /Dest /22 /DEST pdfmark
0 -540 M
%%IncludeResource: font Times-Bold
15 2 Nf
(4.2.) S
[/View [/XYZ -4 235.027344 null] /Dest /131 /DEST pdfmark
( ) S
(401-B0-stale) S
0 -564.2 M
11 0 Nf
0.116268381 0 32 0 0 (A 401-B0-stale message is a variant of 401-B0 message, which means that the client has sent a request) A
0 -577.4 M
(message which is not for any active session. ) S
0 -601.6 M
13.2421875 0 32 0 0 (WWW-Authenticate: Mutual algorithm=xxxx, validation=xxxx, realm="xxxx", stale=1,) A
0 -614.8 M
(version=-draft05 ) S
0 -639 M
(The header MUST contain the same fields as in 401-B0, except that stale field holds the integer 1. ) S
0 -639 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 7 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 8 8
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /23 /DEST pdfmark
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /24 /DEST pdfmark
0 -18 M
%%IncludeResource: font Times-Bold
15 2 Nf
(4.3.) S
[/View [/XYZ -4 757.0 null] /Dest /132 /DEST pdfmark
( ) S
(req-A1) S
0 -42.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.285456717 0 32 0 0 (Every req-A1 message SHALL be a valid HTTP request message containing a "Authorization" header) A
0 -55.4 M
(of the following format. ) S
0 -79.6 M
4.32682276 0 32 0 0 (Authorization: Mutual algorithm=xxxx, validation=xxxx, realm="xxxx", user="xxxx", wa=xxxx,) A
0 -92.8 M
(version=-draft05 ) S
0 -117 M
(The header SHALL contain the fields with the following keys: ) S
11 -141.2 M
(version: ) S
33 -154.4 M
1.63955963 0 32 0 0 (\(extensive-token\) should be the token "-draft05" in this specification. The behavior when) A
33 -167.6 M
(other values are specified is undefined. ) S
11 -180.8 M
(algorithm, validation, auth-domain, realm: ) S
33 -194 M
(MUST be the same value as it is received from S. ) S
11 -207.2 M
(user: ) S
33 -220.4 M
(\(string\) is the UTF-8 encoded name of the user. ) S
11 -233.6 M
(wa: ) S
33 -246.8 M
(\(algorithm-determined\) is the value of w_A specified by the used algorithm. ) S
0 -257.8 M
[/View [/XYZ -4 499.210938 null] /Dest /25 /DEST pdfmark
0 -257.8 M
[/View [/XYZ -4 499.210938 null] /Dest /26 /DEST pdfmark
0 -276.8 M
15 2 Nf
(4.4.) S
[/View [/XYZ -4 498.210938 null] /Dest /133 /DEST pdfmark
( ) S
(401-B1) S
0 -301 M
11 0 Nf
0.267728359 0 32 0 0 (Every 401-B1 message SHALL be a valid HTTP 401 \(Authentication Required\) message containing a) A
0 -314.2 M
("WWW-Authenticate" header of the following format. ) S
0 -338.4 M
1.6477865 0 32 0 0 (WWW-Authenticate: Mutual algorithm=xxxx, validation=xxxx, realm="xxxx", sid=xxxx, wb=xxxx,) A
0 -351.6 M
(nc-max=x, nc-window=x, time=x, path="xxxx", version=-draft05 ) S
0 -375.8 M
(The header SHALL contain the fields with the following keys: ) S
11 -400 M
(version: ) S
33 -413.2 M
1.63955963 0 32 0 0 (\(extensive-token\) should be the token "-draft05" in this specification. The behavior when) A
33 -426.4 M
(other values are specified is undefined. ) S
11 -439.6 M
(algorithm, validation, auth-domain, realm: ) S
33 -452.8 M
(MUST be the same value as it is received from C. ) S
11 -466 M
(sid: ) S
33 -479.2 M
1.39483178 0 32 0 0 (\(hex-fixed-number\) MUST be a session id, which is a random integer. The sid SHOULD) A
33 -492.4 M
2.19056916 0 32 0 0 (have uniqueness of at least 80 bits or the square of the maximal estimated transactions) A
33 -505.6 M
2.8548677 0 32 0 0 (concurrently available in the session table, whichever is larger. Sids are local to each) A
33 -518.8 M
0.687890649 0 32 0 0 (authentication realm concerned: the same sids for different authentication realms SHOULD) A
33 -532 M
(be treated as independent ones. ) S
11 -545.2 M
(wb: ) S
33 -558.4 M
(\(algorithm-determined\) is the value of w_B specified by the algorithm. ) S
11 -571.6 M
(nc-max: ) S
33 -584.8 M
(\(hex-integer\) is the maximal value of nonce counts which S accepts. ) S
11 -598 M
(nc-window: ) S
33 -611.2 M
3.34735584 0 32 0 0 (\(hex-integer\) the number of available nonce slots which S will accept. The value of) A
33 -624.4 M
(nc-window is RECOMMENDED to be thirty-two \("20" in hex-integer\) or more. ) S
11 -637.6 M
(time: ) S
33 -650.8 M
4.1350913 0 32 0 0 (\(integer\) represents the suggested time \(in seconds\) which C can reuse the session) A
33 -664 M
1.02964151 0 32 0 0 (represented by sid. It is RECOMMENDED to be at least 60. The value of this field is not) A
33 -664 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 8 -) S
0 setgray
66 -8 M
grestore
pgsave restore N
%%Page: 9 9
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
33 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(directly linked to the duration that S keeps track of the session represented by sid. ) S
11 -26.4 M
11 0 Nf
(path: ) S
33 -39.6 M
2.68840146 0 32 0 0 (\(optional, string\) specifies for which path in the URI space the same authentication is) A
33 -52.8 M
1.1206342 0 32 0 0 (expected to apply. The value is in the same format as it is specified in ) A
1.1206342 0 32 0 0 ([RFC2617]) A
[/Rect [357.84375 -55.546875 409.949219 -43.4468765] /Subtype /Link /Border [0 0 1] /Dest /96 /ANN pdfmark
1.1206342 0 32 0 0 ( for the) A
33 -66 M
2.759233 0 32 0 0 (Digest authentications, and clients are RECOMMENDED to recognize it. All the path) A
33 -79.2 M
1.79447114 0 32 0 0 (elements contained in the field MUST be inside the specified auth-domain: if not, client) A
33 -92.4 M
(SHOULD ignore such elements. ) S
0 -103.4 M
[/View [/XYZ -4 653.605469 null] /Dest /27 /DEST pdfmark
0 -103.4 M
[/View [/XYZ -4 653.605469 null] /Dest /28 /DEST pdfmark
0 -122.4 M
%%IncludeResource: font Times-Bold
15 2 Nf
(4.5.) S
[/View [/XYZ -4 652.605469 null] /Dest /134 /DEST pdfmark
( ) S
(req-A3) S
0 -146.6 M
11 0 Nf
0.285456717 0 32 0 0 (Every req-A3 message SHALL be a valid HTTP request message containing a "Authorization" header) A
0 -159.8 M
(of the following format. ) S
0 -184 M
2.18191957 0 32 0 0 (Authorization: Mutual algorithm=xxxx, validation=xxxx, realm="xxxx", sid=xxxx, nc=x, oa=xxxx,) A
0 -197.2 M
(version=-draft05 ) S
0 -221.4 M
(The fields contained in the header are as follows: ) S
11 -245.6 M
(version: ) S
33 -258.8 M
1.63955963 0 32 0 0 (\(extensive-token\) should be the token "-draft05" in this specification. The behavior when) A
33 -272 M
(other values are specified is undefined. ) S
11 -285.2 M
(algorithm, validation, auth-domain, realm: ) S
33 -298.4 M
(MUST be the same value as it is received from S for the session. ) S
11 -311.6 M
(sid: ) S
33 -324.8 M
0.559375 0 32 0 0 (\(hex-fixed-number\) MUST be one of the sid values which has been received from S for the) A
33 -338 M
(same authentication realm. ) S
11 -351.2 M
(nc: ) S
33 -364.4 M
0.293229163 0 32 0 0 (\(hex-integer\) is a nonce value which is unique among the requests sharing the same sid. The) A
33 -377.6 M
(value of nc SHOULD satisfy the following properties: ) S
44 -388.2 M
gsave
0 setgray
newpath
44.0 -388.152344 2.75 0 360 arc
closepath
fill
grestore
55 -391.8 M
2.48828125 0 32 0 0 (It is not larger than the nc-max value which has been sent from S in the session) A
55 -405 M
(represented by the sid. ) S
44 -415.6 M
gsave
0 setgray
newpath
44.0 -415.550781 2.75 0 360 arc
closepath
fill
grestore
55 -419.2 M
(C has not sent the same value in the same session. ) S
44 -429.7 M
gsave
0 setgray
newpath
44.0 -429.75 2.75 0 360 arc
closepath
fill
grestore
55 -433.4 M
0.0764508918 0 32 0 0 (It is not smaller than \(largest-nc - nc-window\), where largest-nc is the maximal value of) A
55 -446.6 M
1.39036453 0 32 0 0 (nc which has previously been sent in the session, and nc-window is the value of the) A
55 -459.8 M
(nc-window field which has been sent from S in the ) S
(session.) S
11 -473 M
(oa: ) S
33 -486.2 M
(\(algorithm-determined\) is the value of o_A specified by the algorithm. ) S
0 -497.2 M
[/View [/XYZ -4 259.824219 null] /Dest /29 /DEST pdfmark
0 -497.2 M
[/View [/XYZ -4 259.824219 null] /Dest /30 /DEST pdfmark
0 -516.2 M
15 2 Nf
(4.6.) S
[/View [/XYZ -4 258.824219 null] /Dest /135 /DEST pdfmark
( ) S
(200-B4) S
0 -540.4 M
11 0 Nf
0.269810259 0 32 0 0 (Every 200-B4 message SHALL be a valid HTTP message which is not 401 \(Authentication Required\)) A
0 -553.6 M
(type, containing an "Authentication-Info" header of the following format. ) S
0 -577.8 M
(Authentication-Info: Mutual sid=xxxx, ob=xxxx, version=-draft05 ) S
0 -602 M
(The fields contained in the header are as follows: ) S
11 -626.2 M
(version: ) S
33 -639.4 M
1.63955963 0 32 0 0 (\(extensive-token\) should be the token "-draft05" in this specification. The behavior when) A
33 -652.6 M
(other values are specified is undefined. ) S
33 -652.6 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 9 -) S
0 setgray
22 -8 M
grestore
pgsave restore N
%%Page: 10 10
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
11 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(sid: ) S
33 -26.4 M
(\(hex-fixed-number\) MUST be the value received from C. ) S
11 -39.6 M
(ob: ) S
33 -52.8 M
(\(algorithm-determined\) is the value of o_B specified by the algorithm. ) S
11 -66 M
(logout-timeout: ) S
33 -79.2 M
0.294642866 0 32 0 0 (\(optional, integer\) is a number of seconds after which the client should re-validate the user's) A
33 -92.4 M
0.641666651 0 32 0 0 (password for the current authentication realm. As a special case, the value 0 means that the) A
33 -105.6 M
0.196875 0 32 0 0 (client SHOULD automatically forget the user-inputed password to the current authentication) A
33 -118.8 M
2.17897725 0 32 0 0 (realm and revert to the unauthenticated state \(i.e.\240server-initiated logout\). This does not,) A
33 -132 M
0.444335938 0 32 0 0 (however, mean that the long-term memories for the passwords \(such as password reminders) A
33 -145.2 M
1.66967773 0 32 0 0 (and auto fill-ins\) should be removed. If a new value of timeout is received for the same) A
33 -158.4 M
(authentication realm, it overrides the previous timeout. ) S
0 -169.4 M
[/View [/XYZ -4 587.609375 null] /Dest /31 /DEST pdfmark
0 -169.4 M
[/View [/XYZ -4 587.609375 null] /Dest /32 /DEST pdfmark
0 -188.4 M
%%IncludeResource: font Times-Bold
15 2 Nf
(5.) S
[/View [/XYZ -4 586.609375 null] /Dest /136 /DEST pdfmark
( Decision procedure for the ) S
(client) S
0 -212.6 M
11 0 Nf
2.87980771 0 32 0 0 (To securely implement the protocol, the user client must be careful in accepting authenticated) A
0 -225.8 M
(responses from the server. ) S
0 -250 M
2.376302 0 32 0 0 (Clients SHOULD implement the decision procedure equivalent to the one shown below. \(Unless) A
0 -263.2 M
0.0852050781 0 32 0 0 (implementers understand what is required for the security, they should not alter this.\) The labels on the) A
0 -276.4 M
(steps are for informational purposes only. ) S
11 -300.6 M
(Step 1 \(step_new_request\): ) S
33 -313.8 M
2.3742187 0 32 0 0 (If the client software needs to get a new Web resource, check whether the resource is) A
33 -327 M
5.30598974 0 32 0 0 (expected to be inside some authentication realm for which the user has already) A
33 -340.2 M
(authenticated. If yes, go to Step 2. Otherwise, go to Step 5. ) S
11 -353.4 M
(Step 2: ) S
33 -366.6 M
0.988020837 0 32 0 0 (Check whether there is an available sid for the authentication realm you expect. If there is) A
33 -379.8 M
(one, go to Step 3. Otherwise, go to Step 4. ) S
11 -393 M
(Step 3 \(step_send_a3_1\): ) S
33 -406.2 M
(Send a req-A3 request. ) S
44 -416.7 M
gsave
0 setgray
newpath
44.0 -416.75 2.75 0 360 arc
closepath
fill
grestore
55 -420.4 M
0.011117788 0 32 0 0 (If you receive a 401-B0 message with a different authentication realm than expected, go) A
55 -433.6 M
(to Step 6. ) S
44 -444.1 M
gsave
0 setgray
newpath
44.0 -444.148438 2.75 0 360 arc
closepath
fill
grestore
55 -447.8 M
(If you receive a 401-B0-stale message, go to Step 9. ) S
44 -458.3 M
gsave
0 setgray
newpath
44.0 -458.347656 2.75 0 360 arc
closepath
fill
grestore
55 -462 M
(If you receive a 401-B0 message, go to Step 13. ) S
44 -472.5 M
gsave
0 setgray
newpath
44.0 -472.546875 2.75 0 360 arc
closepath
fill
grestore
55 -476.2 M
(If you receive a 200-B4 message, go to Step 14. ) S
44 -486.7 M
gsave
0 setgray
newpath
44.0 -486.746094 2.75 0 360 arc
closepath
fill
grestore
55 -490.4 M
(If you receive a normal response \(without Mutual-specific headers\), go to Step ) S
(11.) S
11 -503.6 M
(Step 4 \(step_send_a1_1\): ) S
33 -516.8 M
(Send a req-A1 request. ) S
44 -527.3 M
gsave
0 setgray
newpath
44.0 -527.34375 2.75 0 360 arc
closepath
fill
grestore
55 -531 M
0.011117788 0 32 0 0 (If you receive a 401-B0 message with a different authentication realm than expected, go) A
55 -544.2 M
(to Step 6. ) S
44 -554.7 M
gsave
0 setgray
newpath
44.0 -554.742188 2.75 0 360 arc
closepath
fill
grestore
55 -558.4 M
(If you receive a 401-B1 message, go to Step 10. ) S
44 -568.9 M
gsave
0 setgray
newpath
44.0 -568.941406 2.75 0 360 arc
closepath
fill
grestore
55 -572.6 M
(If you receive a normal response \(without Mutual-specific headers\), go to Step ) S
(11.) S
11 -585.8 M
(Step 5 \(step_send_normal_1\): ) S
33 -599 M
(Send a request without any authentication headers. ) S
44 -609.5 M
gsave
0 setgray
newpath
44.0 -609.539062 2.75 0 360 arc
closepath
fill
grestore
55 -613.2 M
(If you receive a 401-B0 message, go to Step 6. ) S
44 -623.7 M
gsave
0 setgray
newpath
44.0 -623.738281 2.75 0 360 arc
closepath
fill
grestore
55 -627.4 M
(If you receive a normal response \(without Mutual-specific headers\), go to Step ) S
(11.) S
11 -640.6 M
(Step 6 \(step_rcvd_b0\): ) S
33 -653.8 M
0.41015625 0 32 0 0 (Check whether you know the user's password for the requested authentication realm. If yes,) A
33 -667 M
(go to Step 7. Otherwise, go to Step 12. ) S
33 -667 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 10 -) S
0 setgray
22 -8 M
grestore
pgsave restore N
%%Page: 11 11
%%PageResources: font Times-Roman Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
11 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(Step 7: ) S
33 -26.4 M
0.702864587 0 32 0 0 (Check whether there is an available sid for the authentication realm you expect. If there is) A
33 -39.6 M
(one, go to Step 8. Otherwise, go to Step 9. ) S
11 -52.8 M
(Step 8 \(step_send_a3\): ) S
33 -66 M
(Send a req-A3 request. ) S
44 -76.6 M
gsave
0 setgray
newpath
44.0 -76.5664062 2.75 0 360 arc
closepath
fill
grestore
55 -80.2 M
(If you receive a 401-B0-stale message, go to Step 9. ) S
44 -90.8 M
gsave
0 setgray
newpath
44.0 -90.765625 2.75 0 360 arc
closepath
fill
grestore
55 -94.4 M
(If you receive a 401-B0 message, go to Step 13. ) S
44 -105 M
gsave
0 setgray
newpath
44.0 -104.964844 2.75 0 360 arc
closepath
fill
grestore
55 -108.6 M
(If you receive a 200-B4 message, go to Step ) S
(14.) S
11 -121.8 M
(Step 9 \(step_send_a1\): ) S
33 -135 M
(Send a req-A1 request. ) S
44 -145.6 M
gsave
0 setgray
newpath
44.0 -145.5625 2.75 0 360 arc
closepath
fill
grestore
55 -149.2 M
(If you receive a 401-B1 message, go to Step ) S
(10.) S
11 -162.4 M
(Step 10 \(step_rcvd_b1\): ) S
33 -175.6 M
(Send a req-A3 request. ) S
44 -186.2 M
gsave
0 setgray
newpath
44.0 -186.160156 2.75 0 360 arc
closepath
fill
grestore
55 -189.8 M
(If you receive a 401-B0 message, go to Step 13. ) S
44 -200.4 M
gsave
0 setgray
newpath
44.0 -200.359375 2.75 0 360 arc
closepath
fill
grestore
55 -204 M
(If you receive a 200-B4 message, go to Step ) S
(14.) S
11 -217.2 M
(Step 11 \(step_rcvd_normal\): ) S
33 -230.4 M
0.703125 0 32 0 0 (This case means that the resource requested is out of the authenticated area. The client will) A
33 -243.6 M
(be in the "UNAUTHENTICATED" status. ) S
11 -256.8 M
(Step 12 \(step_rcvd_b0_unknown\): ) S
33 -270 M
0.857271612 0 32 0 0 (This case means that the resource requested requires Mutual authentication, and the user is) A
33 -283.2 M
5.05220175 0 32 0 0 (not authenticated yet. The client will be in the "AUTH_REQUESTED" status, is) A
33 -296.4 M
0.488839298 0 32 0 0 (RECOMMENDED to process the content sent from the server and ask user a username and) A
33 -309.6 M
(password. If the user has input those, go to Step 9. ) S
11 -322.8 M
(Step 13 \(step_rcvd_b0_failed\): ) S
33 -336 M
0.706473231 0 32 0 0 (This case means that for some reason the authentication failed: possibly the password or the) A
33 -349.2 M
5.899858 0 32 0 0 (username is invalid for the authenticated resource. Forget the password for the) A
33 -362.4 M
(authentication realm and go to Step 12. ) S
% Page text for Step 14 (step_rcvd_b4) and the catch-all rule that closes the
% client decision procedure.
% Step 14 is where the client checks the server's o_b value: only a match with
% the expected value puts the client in the "AUTH_SUCCEEDED" status, and a
% mismatch is classed as a fatal communication error.
% NOTE(review): this passage does not say whether the body of the 200-B4
% response may be handled before o_b has been checked; read together with the
% closing MUST NOT below, implementations presumably have to withhold it until
% the check passes -- confirm against the rest of the draft.
11 -375.6 M
(Step 14 \(step_rcvd_b4\): ) S
33 -388.8 M
1.10340071 0 32 0 0 (Check the validity of the received o_b value. If it is equal to the expected value, it means) A
33 -402 M
6.65332031 0 32 0 0 (that the mutual authentication has been succeeded. The client will be in the) A
33 -415.2 M
("AUTH_SUCCEEDED" status. ) S
33 -428.4 M
(If the value is unexpected, it is a fatal communication error. ) S
33 -441.6 M
% Explicit logout: the text names only the user's password as the thing to
% forget before returning to Step 5.
% NOTE(review): whether a cached sid / session state for the realm is also
% discarded on logout is not stated in this passage -- confirm elsewhere.
1.23255205 0 32 0 0 (If a user requests to log out explicitly \(via user interfaces\), the client MUST forget user's) A
33 -454.8 M
(password, go to step 5 and reload the current resource without authentication credential. ) S
0 -479 M
% Catch-all: any response not listed in the procedure SHOULD be treated as a
% fatal communication error, and the client then MUST NOT process content or
% content-related headers from the server.
3.1953125 0 32 0 0 (Any other kind of responses than shown in above procedure SHOULD be interpreted as fatal) A
0 -492.2 M
0.417187512 0 32 0 0 (communication error, and in such cases user clients MUST NOT process any data \(contents and other) A
0 -505.4 M
(content-related headers\) sent from the server. ) S
0 -529.6 M
(The client software SHOULD display the three client statuses to the end-user. ) S
0 -553.8 M
(Figure\2402) S
[/Rect [-1.0 -556.519531 37.9609375 -544.419556] /Subtype /Link /Border [0 0 1] /Dest /33 /ANN pdfmark
( shows the full client-side state diagram. ) S
0 -564.8 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -575.8 M
[/View [/XYZ -4 181.230469 null] /Dest /33 /DEST pdfmark
0 -575.8 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 11 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 12 12
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
% Wrapper that opens the embedded figure (Figure 2, a tgif-generated drawing)
% on this page. M and D are html2ps prolog shorthands; D is def per the file
% prolog, M is presumably a move-to -- its definition is not in view here.
0 -394 M
gsave
0.0 -394.0 translate
% IS is the image scale factor applied below (1 = unscaled).
/IS 1 D
% VM snapshot taken before the figure runs; it is paired with the bare
% `restore` that follows the figure's own showpage.
save
0 0 M
IS IS scale
% Redefine showpage as an empty procedure so the figure's trailing showpage
% does not emit the enclosing page; the definition is made after the `save`
% above, so the matching `restore` reverts it.
/showpage {}D
-71 -427 translate
% tgif prolog: a private dictionary holding the helper procedures and short
% operator aliases used by the figure drawing code that follows.
% While tgifdict is on the dictionary stack its names shadow same-named
% procedures of the enclosing document: here S is stroke, M is moveto, RL is
% rlineto and RM is rmoveto, whereas the page code outside the figure calls S
% with a string operand. The `end` on the last line pops the dictionary again.
/tgifdict 53 dict def
tgifdict begin
% Scratch dictionary for TGAT's operands, plus one reusable matrix object.
/tgifarrowtipdict 8 dict def
tgifarrowtipdict /mtrx matrix put
% TGAT: build the two edges of an arrow head as a path.
% Stack on entry: x y w h dx dy (dy on top).
%   x y    position of the tip
%   w h    length of the head and its half-width
%   dx dy  direction the arrow points in
% The path is left open and unpainted; the callers in the figure follow TGAT
% with CP F. The CTM is put back to its value on entry before returning.
/TGAT % tgifarrowtip
 { tgifarrowtipdict begin
      % Operands are popped in reverse order of how they were pushed.
      /dy exch def
      /dx exch def
      /h exch def
      /w exch def
      /y exch def
      /x exch def
      % Copy the current CTM into mtrx so that it can be restored below.
      /savematrix mtrx currentmatrix def
      x y translate
      % atan takes num den and returns degrees, so the local +x axis now
      % points along (dx, dy).
      dy dx atan rotate
      % Tip at the local origin, the two base corners w behind it at +h / -h.
      0 0 moveto
      w neg h lineto
      w neg h neg lineto
      savematrix setmatrix
   end
 } def
% TGMAX: a b -> the larger of a and b.
% Both operands are duplicated so that the comparison leaves the originals on
% the stack; `gt` then selects which one to keep.
/TGMAX
 { exch dup 3 1 roll exch dup 3 1 roll gt { pop } { exch pop } ifelse
 } def
% TGMIN: a b -> the smaller of a and b (same shuffle as TGMAX, with `lt`).
/TGMIN
 { exch dup 3 1 roll exch dup 3 1 roll lt { pop } { exch pop } ifelse
 } def
% TGSW: string -> its x-width in the current font (the y component is dropped).
/TGSW { stringwidth pop } def
% bd: bind-and-define, used for every alias below.
/bd { bind def } bind def
% Graphics-state and path construction aliases.
/GS { gsave } bd
/GR { grestore } bd
/NP { newpath } bd
/CP { closepath } bd
/CHP { charpath } bd
/CT { curveto } bd
/L { lineto } bd
/RL { rlineto } bd
/M { moveto } bd
/RM { rmoveto } bd
% Painting and coordinate-system aliases.
/S { stroke } bd
/F { fill } bd
/TR { translate } bd
/RO { rotate } bd
/SC { scale } bd
% Arithmetic and operand-stack aliases.
/MU { mul } bd
/DI { div } bd
/DU { dup } bd
/NE { neg } bd
/AD { add } bd
/SU { sub } bd
/PO { pop } bd
/EX { exch } bd
/CO { concat } bd
% Clipping, image and array aliases.
/CL { clip } bd
/EC { eoclip } bd
/EF { eofill } bd
/IM { image } bd
/IMM { imagemask } bd
/ARY { array } bd
% Colour and line-style aliases.
/SG { setgray } bd
/RG { setrgbcolor } bd
/SD { setdash } bd
/W { setlinewidth } bd
/SM { setmiterlimit } bd
/SLC { setlinecap } bd
/SLJ { setlinejoin } bd
% Text aliases.
/SH { show } bd
/FF { findfont } bd
/MS { makefont setfont } bd
% AR: arcto, discarding the four tangent-point values it leaves on the stack.
/AR { arcto 4 {pop} repeat } bd
/CURP { currentpoint } bd
/FLAT { flattenpath strokepath clip newpath } bd
% TGSM: reset the CTM to tgiforigctm. That name is not defined in this
% prolog; the figure body defines it once its coordinate system is set up.
% Left unbound (def, not bd), so the name is looked up at call time.
/TGSM { tgiforigctm setmatrix } def
% TGRM: reset the CTM to savematrix, the name TGAT defines inside
% tgifarrowtipdict. No call to TGRM appears in the figure code in view.
/TGRM { savematrix setmatrix } def
end
% Figure body set-up: re-open tgifdict so the short aliases resolve, snapshot
% VM, and install the drawing coordinate system. SM, W, SG, MU, TR, DI, DU,
% NE, SC and GS are the tgifdict aliases for setmiterlimit, setlinewidth,
% setgray, mul, translate, div, dup, neg, scale and gsave.
tgifdict begin
% VM snapshot for the figure; `tgifsavedpage restore` at the end of the
% figure undoes whatever the drawing code changed.
/tgifsavedpage save def
% Defaults: miter limit 1, line width 1, black.
1 SM
1 W
0 SG
% Move the origin to (0, 72 * 11.602) points, i.e. 11.602 inches up.
72 0 MU 72 11.602 MU TR
% Scale by 72/128 * 100/100 = 0.5625 in x and by -0.5625 in y: one drawing
% unit is 1/128 inch, and the negative y factor makes y grow downwards.
72 128 DI 100.000 MU 100 DI DU NE SC
% Opened here, closed by the GR just before `tgifsavedpage restore`.
GS
% Remember this CTM; TGSM resets to it before strokes and arrow heads.
/tgiforigctm matrix currentmatrix def
NP
0 SG
   GS
      1 W
      250 45 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NEW REQUEST) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NEW REQUEST) DU TGSW EX SH
            GS CURP M 0 2 RM NE 0 RL S GR
      GR
   GR
0 SG
NP
   250 95 M
   180 125 L
   250 155 L
   320 125 L
CP
GS
GR
GS
   S
GR
NP
0 SG
   GS
      1 W
      250 120 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (the requested URI) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (the requested URI) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (known to be authed?) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (known to be authed?) SH
      GR
   GR
0 SG
GS
   NP
      250 50 M
      45 0 atan DU cos 8.000 MU 250 exch SU
      exch sin 8.000 MU 95 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      250 95 8.000 3.000 0 45 TGAT
   1 SG CP F
   0 SG
   NP
      250 95 8.000 3.000 0 45 TGAT
   CP F
GR
0 SG
GS
   GS
      NP
         684 100 M
         700 100 700 150 16 AR
         700 134 L
         700 150 600 150 16 AR
         616 150 L
         600 150 600 100 16 AR
         600 116 L
         600 100 700 100 16 AR
      CP
      S
   GR
GR
NP
0 SG
   GS
      1 W
      650 120 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (normal request) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (normal request) SH
      GR
   GR
0 SG
GS
   NP
      600 105 M
      -35 -55 atan DU cos 8.000 MU 545 exch SU
      exch sin 8.000 MU 70 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      545 70 8.000 3.000 -55 -35 TGAT
   1 SG CP F
   0 SG
   NP
      545 70 8.000 3.000 -55 -35 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      480 75 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (UNAUTHENTICATED) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (UNAUTHENTICATED) DU TGSW EX SH
            GS CURP M 0 2 RM NE 0 RL S GR
      GR
   GR
0 SG
GS
   NP
      320 125 M
      0 280 atan DU cos 8.000 MU 600 exch SU
      exch sin 8.000 MU 125 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      600 125 8.000 3.000 280 0 TGAT
   1 SG CP F
   0 SG
   NP
      600 125 8.000 3.000 280 0 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      540 100 M
      GS
        GS
        0
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (normal-res.) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (normal-res.) SH
      GR
   GR
0 SG
NP
   650 195 M
   580 225 L
   650 255 L
   720 225 L
CP
GS
GR
GS
   S
GR
NP
0 SG
   GS
      1 W
      650 220 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (user/pass) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (user/pass) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (known?) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (known?) SH
      GR
   GR
0 SG
GS
   NP
      650 150 M
      45 0 atan DU cos 8.000 MU 650 exch SU
      exch sin 8.000 MU 195 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      650 195 8.000 3.000 0 45 TGAT
   1 SG CP F
   0 SG
   NP
      650 195 8.000 3.000 0 45 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      660 165 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-B0) SH
      GR
      0 15 RM
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (200-optional-B0) SH
      GR
   GR
0 SG
GS
   NP
      590 230 M
      25 -55 atan DU cos 8.000 MU 535 exch SU
      exch sin 8.000 MU 255 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      535 255 8.000 3.000 -55 25 TGAT
   1 SG CP F
   0 SG
   NP
      535 255 8.000 3.000 -55 25 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      475 260 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (AUTH_REQUESTED) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (AUTH_REQUESTED) DU TGSW EX SH
            GS CURP M 0 2 RM NE 0 RL S GR
      GR
   GR
NP
0 SG
   GS
      1 W
      550 230 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      350 115 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) SH
      GR
   GR
0 SG
NP
   250 295 M
   180 325 L
   250 355 L
   320 325 L
CP
GS
GR
GS
   S
GR
NP
0 SG
   GS
      1 W
      250 320 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (session) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (session) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (available?) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (available?) SH
      GR
   GR
0 SG
GS
   NP
      250 155 M
      140 0 atan DU cos 8.000 MU 250 exch SU
      exch sin 8.000 MU 295 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      250 295 8.000 3.000 0 140 TGAT
   1 SG CP F
   0 SG
   NP
      250 295 8.000 3.000 0 140 TGAT
   CP F
GR
0 SG
GS
   GS
      NP
         284 400 M
         300 400 300 450 16 AR
         300 434 L
         300 450 200 450 16 AR
         216 450 L
         200 450 200 400 16 AR
         200 416 L
         200 400 300 400 16 AR
      CP
      S
   GR
GR
NP
0 SG
   GS
      1 W
      250 420 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-A3) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-A3) SH
      GR
   GR
0 SG
GS
   NP
      250 355 M
      45 0 atan DU cos 8.000 MU 250 exch SU
      exch sin 8.000 MU 400 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      250 400 8.000 3.000 0 45 TGAT
   1 SG CP F
   0 SG
   NP
      250 400 8.000 3.000 0 45 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      190 715 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (UNAUTHENTICATED) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (UNAUTHENTICATED) DU TGSW EX SH
            GS CURP M 0 2 RM NE 0 RL S GR
      GR
   GR
0 SG
GS
   NP
      200 430 M
      180 480 L
      215 0 atan DU cos 8.000 MU 180 exch SU
      exch sin 8.000 MU 695 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      180 695 8.000 3.000 0 215 TGAT
   1 SG CP F
   0 SG
   NP
      180 695 8.000 3.000 0 215 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      215 640 M
      GS
        GS
        0
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (normal-res.) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (normal-res.) SH
      GR
   GR
0 SG
GS
   NP
      300 425 M
      0 90 atan DU cos 8.000 MU 390 exch SU
      exch sin 8.000 MU 425 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      390 425 8.000 3.000 90 0 TGAT
   1 SG CP F
   0 SG
   NP
      390 425 8.000 3.000 90 0 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      340 415 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-B0) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      450 430 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (AUTH_REQUESTED) TGSW 
        AD
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (:) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (AUTH_REQUESTED) DU TGSW EX SH
            GS CURP M 0 2 RM NE 0 RL S GR
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (:) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (forget user/pass) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (forget user/pass) SH
      GR
   GR
0 SG
GS
   NP
      180 325 M
      180 460 L
      250 480 L
      20 0 atan DU cos 8.000 MU 250 exch SU
      exch sin 8.000 MU 500 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      250 500 8.000 3.000 0 20 TGAT
   1 SG CP F
   0 SG
   NP
      250 500 8.000 3.000 0 20 TGAT
   CP F
GR
0 SG
GS
   GS
      NP
         284 500 M
         300 500 300 550 16 AR
         300 534 L
         300 550 200 550 16 AR
         216 550 L
         200 550 200 500 16 AR
         200 516 L
         200 500 300 500 16 AR
      CP
      S
   GR
GR
NP
0 SG
   GS
      1 W
      250 520 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-A1) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-A1) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      165 345 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) SH
      GR
   GR
0 SG
GS
   NP
      200 525 M
      180 555 L
      140 0 atan DU cos 8.000 MU 180 exch SU
      exch sin 8.000 MU 695 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      180 695 8.000 3.000 0 140 TGAT
   1 SG CP F
   0 SG
   NP
      180 695 8.000 3.000 0 140 TGAT
   CP F
GR
0 SG
GS
   NP
      450 600 M
      -150 0 atan DU cos 8.000 MU 450 exch SU
      exch sin 8.000 MU 450 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      450 450 8.000 3.000 0 -150 TGAT
   1 SG CP F
   0 SG
   NP
      450 450 8.000 3.000 0 -150 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      460 580 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-B0) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      450 720 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (AUTH_SUCCEEDED) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (AUTH_SUCCEEDED) DU TGSW EX SH
            GS CURP M 0 2 RM NE 0 RL S GR
      GR
   GR
0 SG
GS
   NP
      250 550 M
      80 150 atan DU cos 8.000 MU 400 exch SU
      exch sin 8.000 MU 630 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      400 630 8.000 3.000 150 80 TGAT
   1 SG CP F
   0 SG
   NP
      400 630 8.000 3.000 150 80 TGAT
   CP F
GR
0 SG
GS
   NP
      295 445 M
      250 105 atan DU cos 8.000 MU 400 exch SU
      exch sin 8.000 MU 695 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      400 695 8.000 3.000 105 250 TGAT
   1 SG CP F
   0 SG
   NP
      400 695 8.000 3.000 105 250 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      350 552 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (200-B4) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      250 585 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-B1) SH
      GR
   GR
0 SG
GS
   GS
      NP
         484 600 M
         500 600 500 650 16 AR
         500 634 L
         500 650 400 650 16 AR
         416 650 L
         400 650 400 600 16 AR
         400 616 L
         400 600 500 600 16 AR
      CP
      S
   GR
GR
NP
0 SG
   GS
      1 W
      450 620 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-A3) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-A3) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      455 682 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (200-B4) SH
      GR
   GR
0 SG
GS
   NP
      450 650 M
      45 0 atan DU cos 8.000 MU 450 exch SU
      exch sin 8.000 MU 695 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      450 695 8.000 3.000 0 45 TGAT
   1 SG CP F
   0 SG
   NP
      450 695 8.000 3.000 0 45 TGAT
   CP F
GR
0 SG
NP
   650 295 M
   580 325 L
   650 355 L
   720 325 L
CP
GS
GR
GS
   S
GR
NP
0 SG
   GS
      1 W
      650 320 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (session) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (session) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (available?) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (available?) SH
      GR
   GR
0 SG
GS
   GS
      NP
         684 400 M
         700 400 700 450 16 AR
         700 434 L
         700 450 600 450 16 AR
         616 450 L
         600 450 600 400 16 AR
         600 416 L
         600 400 700 400 16 AR
      CP
      S
   GR
GR
NP
0 SG
   GS
      1 W
      650 420 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-A3) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-A3) SH
      GR
   GR
0 SG
GS
   NP
      650 355 M
      45 0 atan DU cos 8.000 MU 650 exch SU
      exch sin 8.000 MU 400 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      650 400 8.000 3.000 0 45 TGAT
   1 SG CP F
   0 SG
   NP
      650 400 8.000 3.000 0 45 TGAT
   CP F
GR
0 SG
GS
   GS
      NP
         684 500 M
         700 500 700 550 16 AR
         700 534 L
         700 550 600 550 16 AR
         616 550 L
         600 550 600 500 16 AR
         600 516 L
         600 500 700 500 16 AR
      CP
      S
   GR
GR
NP
0 SG
   GS
      1 W
      650 520 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-A1) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-A1) SH
      GR
   GR
0 SG
GS
   NP
      650 255 M
      40 0 atan DU cos 8.000 MU 650 exch SU
      exch sin 8.000 MU 295 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      650 295 8.000 3.000 0 40 TGAT
   1 SG CP F
   0 SG
   NP
      650 295 8.000 3.000 0 40 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      520 415 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-B0) SH
      GR
   GR
0 SG
GS
   NP
      600 425 M
      0 -90 atan DU cos 8.000 MU 510 exch SU
      exch sin 8.000 MU 425 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      510 425 8.000 3.000 -90 0 TGAT
   1 SG CP F
   0 SG
   NP
      510 425 8.000 3.000 -90 0 TGAT
   CP F
GR
0 SG
GS
   NP
      720 325 M
      720 465 L
      650 480 L
      20 0 atan DU cos 8.000 MU 650 exch SU
      exch sin 8.000 MU 500 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      650 500 8.000 3.000 0 20 TGAT
   1 SG CP F
   0 SG
   NP
      650 500 8.000 3.000 0 20 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      625 580 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-B1) SH
      GR
   GR
0 SG
GS
   NP
      650 550 M
      75 -150 atan DU cos 8.000 MU 500 exch SU
      exch sin 8.000 MU 625 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      500 625 8.000 3.000 -150 75 TGAT
   1 SG CP F
   0 SG
   NP
      500 625 8.000 3.000 -150 75 TGAT
   CP F
GR
0 SG
GS
   NP
      605 445 M
      250 -105 atan DU cos 8.000 MU 500 exch SU
      exch sin 8.000 MU 695 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      500 695 8.000 3.000 -105 250 TGAT
   1 SG CP F
   0 SG
   NP
      500 695 8.000 3.000 -105 250 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      520 552 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (200-B4) SH
      GR
   GR
0 SG
GS
   NP
      300 440 M
      65 305 atan DU cos 8.000 MU 605 exch SU
      exch sin 8.000 MU 505 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      605 505 8.000 3.000 305 65 TGAT
   1 SG CP F
   0 SG
   NP
      605 505 8.000 3.000 305 65 TGAT
   CP F
GR
0 SG
GS
   NP
      625 450 M
      50 0 atan DU cos 8.000 MU 625 exch SU
      exch sin 8.000 MU 500 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      625 500 8.000 3.000 0 50 TGAT
   1 SG CP F
   0 SG
   NP
      625 500 8.000 3.000 0 50 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      360 480 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-B0-stale) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      630 465 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-B0-stale) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      735 345 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      670 280 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      235 170 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      265 370 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      635 375 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      775 45 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (USER/PASS INPUTED) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (USER/PASS INPUTED) DU TGSW EX SH
            GS CURP M 0 2 RM NE 0 RL S GR
      GR
   GR
0 SG
GS
   NP
      780 50 M
      780 470 L
      35 -85 atan DU cos 8.000 MU 695 exch SU
      exch sin 8.000 MU 505 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      695 505 8.000 3.000 -85 35 TGAT
   1 SG CP F
   0 SG
   NP
      695 505 8.000 3.000 -85 35 TGAT
   CP F
GR
0 SG
GS
   NP
      295 405 M
      330 355 L
      330 180 L
      0 320 atan DU cos 8.000 MU 650 exch SU
      exch sin 8.000 MU 180 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      650 180 8.000 3.000 320 0 TGAT
   1 SG CP F
   0 SG
   NP
      650 180 8.000 3.000 320 0 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      345 160 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-B0, 200-optional-B0) SH
      GR
      0 15 RM
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (         with different realm ) SH
      GR
   GR
0 SG
GS
   NP
      295 505 M
      330 460 L
      330 355 L
   TGSM
   1 W
   S
GR
NP
0 SG
   GS
      1 W
      195 105 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(1\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      200 325 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(2\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      210 415 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(3\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      210 515 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(4\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      610 115 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(5\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      605 330 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(7\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      610 415 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(8\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      610 515 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(9\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      600 230 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(6\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      390 75 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(11\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      130 695 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(11\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      415 240 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(12\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      395 410 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(13\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      410 615 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(10\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      410 700 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(14\)) SH
      GR
   GR
GR
tgifsavedpage restore
end
showpage
restore
grestore
400.0 0.0 RM
169 -416.9 M
%%IncludeResource: font Times-Bold
7.63889 2 Nf
(\240Figure\2402: State diagram for ) S
(clients\240) S
0 -430.8 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -441.8 M
[/View [/XYZ -4 315.160156 null] /Dest /34 /DEST pdfmark
0 -441.8 M
[/View [/XYZ -4 315.160156 null] /Dest /35 /DEST pdfmark
0 -460.8 M
15 2 Nf
(6.) S
[/View [/XYZ -4 314.160156 null] /Dest /137 /DEST pdfmark
( Decision procedure for the ) S
(server) S
0 -485 M
%%IncludeResource: font Times-Roman
11 0 Nf
(Servers SHOULD respond to the client requests according to the following procedure: ) S
11 -505.6 M
gsave
0 setgray
newpath
11.0 -505.609375 2.75 0 360 arc
closepath
fill
grestore
22 -509.2 M
(When the server receives a normal request: ) S
33 -519.8 M
gsave
0 setgray
newpath
33.0 -519.808594 2.75 0 360 arc
closepath
stroke
grestore
44 -523.4 M
2.40655041 0 32 0 0 (If the requested resource is not protected by the Mutual Authentication, send a normal) A
44 -536.6 M
(response. ) S
33 -547.2 M
gsave
0 setgray
newpath
33.0 -547.207031 2.75 0 360 arc
closepath
stroke
grestore
44 -550.8 M
(If the resource is protected by the Mutual Authentication, send a 401-B0 response. ) S
33 -561.4 M
gsave
0 setgray
newpath
33.0 -561.40625 2.75 0 360 arc
closepath
stroke
grestore
44 -565 M
2.40299487 0 32 0 0 (If the resource is protected by the Optional Mutual Authentication ) A
2.40299487 0 32 0 0 (\() A
2.40299487 0 32 0 0 (Section\24012) A
[/Rect [364.496094 -567.785156 413.234375 -555.685181] /Subtype /Link /Border [0 0 1] /Dest /60 /ANN pdfmark
2.40299487 0 32 0 0 (\), send a) A
44 -578.2 M
(200-Optional-B0 ) S
(response.) S
11 -588.8 M
gsave
0 setgray
newpath
11.0 -588.804688 2.75 0 360 arc
closepath
fill
grestore
22 -592.4 M
(When the server receives a req-A1 request: ) S
33 -603 M
gsave
0 setgray
newpath
33.0 -603.003906 2.75 0 360 arc
closepath
stroke
grestore
44 -606.6 M
2.40655041 0 32 0 0 (If the requested resource is not protected by the Mutual Authentication, send a normal) A
44 -619.8 M
(response. ) S
33 -630.4 M
gsave
0 setgray
newpath
33.0 -630.402344 2.75 0 360 arc
closepath
stroke
grestore
44 -634 M
1.23177087 0 32 0 0 (If the authentication realm specified in the req-A1 request is not the expected one, send a) A
44 -647.2 M
(401-B0 \(or 200-Optional-B0\) response. ) S
33 -657.8 M
gsave
0 setgray
newpath
33.0 -657.800781 2.75 0 360 arc
closepath
stroke
grestore
44 -661.4 M
(If the server cannot validate the field wa, send a 401-B0 response. ) S
44 -662.4 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 12 -) S
0 setgray
88 -8 M
grestore
pgsave restore N
%%Page: 13 13
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
33 -9.6 M
gsave
0 setgray
newpath
33.0 -9.5703125 2.75 0 360 arc
closepath
stroke
grestore
44 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(If the received user name is invalid, send a fake 401-B1 response. ) S
33 -23.8 M
gsave
0 setgray
newpath
33.0 -23.7695312 2.75 0 360 arc
closepath
stroke
grestore
44 -27.4 M
11 0 Nf
(Otherwise, send a 401-B1 ) S
(response.) S
11 -38 M
gsave
0 setgray
newpath
11.0 -37.96875 2.75 0 360 arc
closepath
fill
grestore
22 -41.6 M
(When the server receives a req-A3 request: ) S
33 -52.2 M
gsave
0 setgray
newpath
33.0 -52.1679688 2.75 0 360 arc
closepath
stroke
grestore
44 -55.8 M
2.40655041 0 32 0 0 (If the requested resource is not protected by the Mutual Authentication, send a normal) A
44 -69 M
(response. ) S
33 -79.6 M
gsave
0 setgray
newpath
33.0 -79.5664062 2.75 0 360 arc
closepath
stroke
grestore
44 -83.2 M
1.06875 0 32 0 0 (If the authentication realm specified in the req-A3 request is not the expected one, send a) A
44 -96.4 M
(401-B0 \(or 200-Optional-B0\) response. ) S
33 -107 M
gsave
0 setgray
newpath
33.0 -106.964844 2.75 0 360 arc
closepath
stroke
grestore
44 -110.6 M
(If the received sid is invalid, inactive or unknown, send a 401-B0-stale response. ) S
33 -121.2 M
gsave
0 setgray
newpath
33.0 -121.164062 2.75 0 360 arc
closepath
stroke
grestore
44 -124.8 M
2.39575195 0 32 0 0 (If the received oa is invalid, or the sid corresponds to a fake session generated for an) A
44 -138 M
(unknown user, send a 401-B0 response. ) S
33 -148.6 M
gsave
0 setgray
newpath
33.0 -148.5625 2.75 0 360 arc
closepath
stroke
grestore
44 -152.2 M
(If the received oa is correct, send a 200-B4 ) S
(response.) S
0 -163.2 M
[/View [/XYZ -4 593.808594 null] /Dest /36 /DEST pdfmark
0 -163.2 M
[/View [/XYZ -4 593.808594 null] /Dest /37 /DEST pdfmark
0 -182.2 M
%%IncludeResource: font Times-Bold
15 2 Nf
(7.) S
[/View [/XYZ -4 592.808594 null] /Dest /138 /DEST pdfmark
( Authentication-Control ) S
(header) S
0 -206.4 M
11 0 Nf
3.42513013 0 32 0 0 (The Authentication-Control header gives more precise control for the client behavior for Web) A
0 -219.6 M
2.21754813 0 32 0 0 (applications using Mutual Access Control Protocol. This header may usually be generated in an) A
0 -232.8 M
(application layer, as opposed to WWW-Authenticate headers which will be generated by Web servers. ) S
0 -257 M
2.52704334 0 32 0 0 (Support of this header is OPTIONAL for interactive clients and not required for non-interactive) A
0 -270.2 M
1.88972354 0 32 0 0 (clients. Web applications SHOULD consider security impacts of behavior of clients which do not) A
0 -283.4 M
(support this header. ) S
0 -307.6 M
1.3040365 0 32 0 0 (The "auth-scheme" of this header and other authentication-related headers within the same message) A
0 -320.8 M
1.08723962 0 32 0 0 (MUST be equal. This document does not define any behavior associated with this header, when the) A
0 -334 M
("auth-scheme" of this header is not "Mutual". ) S
0 -345 M
[/View [/XYZ -4 412.015625 null] /Dest /38 /DEST pdfmark
0 -345 M
[/View [/XYZ -4 412.015625 null] /Dest /39 /DEST pdfmark
0 -364 M
15 2 Nf
(7.1.) S
[/View [/XYZ -4 411.015625 null] /Dest /139 /DEST pdfmark
( Location-when-unauthenticated ) S
(field) S
0 -388.2 M
11 0 Nf
(Authentication-Control: Mutual) S
0 -401.4 M
(location-when-unauthenticated="http://www.example.com/login.html" ) S
0 -425.6 M
2.11328125 0 32 0 0 (The field "location-when-unauthenticated" specifies a location which any unauthenticated users of) A
0 -438.8 M
1.12339151 0 32 0 0 (clients should be redirected to. This header may be used, for example, when there is a central login) A
0 -452 M
1.19370401 0 32 0 0 (page for the whole Web application. The value of this field MUST be a string containing an absolute) A
0 -465.2 M
1.29665804 0 32 0 0 (URL location. If a given URL is not absolute, clients MAY consider it as a relative URL from the) A
0 -478.4 M
1.27005208 0 32 0 0 (current location. This field SHOULD only be used with 401-B0 messages; use of this header with) A
0 -491.6 M
(200-optional-B0 messages is not recommended. ) S
0 -515.8 M
0.0417352 0 32 0 0 (When a client receives a message with this field, if and only if the client's state after the processing the) A
0 -529 M
0.746916115 0 32 0 0 (response is either 12 or 13 \(i.e., a state in which the client will process response body and ask user's) A
0 -542.2 M
1.42838538 0 32 0 0 (password\), the client will treat the whole response as if it were a 303 "See Other" response with a) A
0 -555.4 M
0.261488974 0 32 0 0 (Location header with the value of this field \(i.e., client will be redirected to the specified location with) A
0 -568.6 M
0.519791663 0 32 0 0 (a GET request\). Unlike a normal 303 response, if the client can proceed authentication without user's) A
0 -581.8 M
(interaction \(like states 3, 4, 8, 9 and 10\), this field is ignored. ) S
0 -606 M
0.45 0 32 0 0 (The specified location SHOULD be included in a set of locations specified in the "auth-domain" field) A
0 -619.2 M
(of the corresponding 401-B0 message. If this is not satisfied, clients MAY ignore this field. ) S
0 -630.2 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 13 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 14 14
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(If there is a 200-B4, 401-B0-stale or 401-B1 message with this field, clients MUST ignore this field. ) S
0 -24.2 M
[/View [/XYZ -4 732.800781 null] /Dest /40 /DEST pdfmark
0 -24.2 M
[/View [/XYZ -4 732.800781 null] /Dest /41 /DEST pdfmark
0 -43.2 M
%%IncludeResource: font Times-Bold
15 2 Nf
(7.2.) S
[/View [/XYZ -4 731.800781 null] /Dest /140 /DEST pdfmark
( Location-when-logout ) S
(field) S
0 -67.4 M
11 0 Nf
(Authentication-Control: Mutual location-when-logout="http://www.example.com/byebye.html" ) S
0 -91.6 M
1.03013396 0 32 0 0 (The field "location-when-logout" specifies a location where the client is to be redirected when users) A
0 -104.8 M
0.312255859 0 32 0 0 (request logout explicitly. The value of this field MUST be a string containing an absolute URL location.) A
0 -118 M
0.788628459 0 32 0 0 (If a given URL is not absolute, clients MAY consider it as a relative URL from the current location.) A
0 -131.2 M
(This field SHOULD only be used with 200-B4 messages. ) S
0 -155.4 M
2.41380215 0 32 0 0 (When users of a client request to terminate an authentication session, and if the client currently) A
0 -168.6 M
1.44577205 0 32 0 0 (displays a page supplied by a response with this field, the client will be redirected to the specified) A
0 -181.8 M
0.868652344 0 32 0 0 (location by a new GET request \(like received a 303 response\), instead of reloading the page without) A
0 -195 M
3.06610584 0 32 0 0 (authentication credentials. It is recommendable for Web applications to send this field with an) A
0 -208.2 M
(appropriate value for any responses for non-GET requests. ) S
0 -232.4 M
0.0261230469 0 32 0 0 (If there is a 401-B0, 401-B1, 401-B0-stale or normal 200 message with this field, clients MUST ignore) A
0 -245.6 M
(this field. ) S
0 -256.6 M
[/View [/XYZ -4 500.410156 null] /Dest /42 /DEST pdfmark
0 -256.6 M
[/View [/XYZ -4 500.410156 null] /Dest /43 /DEST pdfmark
0 -275.6 M
15 2 Nf
(7.3.) S
[/View [/XYZ -4 499.410156 null] /Dest /141 /DEST pdfmark
( ) S
(Logout-timeout) S
0 -299.8 M
11 0 Nf
(Authentication-Control: Mutual logout-timeout=300 ) S
0 -324 M
6.78683043 0 32 0 0 (The field "logout-timeout" has the same meaning as the field of the same name in) A
0 -337.2 M
1.15384614 0 32 0 0 ("Authentication-info" headers. This field will be used with 200-B4 messages. If both are specified,) A
0 -350.4 M
(clients are recommended to use the one with the smaller value. ) S
0 -361.4 M
[/View [/XYZ -4 395.613281 null] /Dest /44 /DEST pdfmark
0 -361.4 M
[/View [/XYZ -4 395.613281 null] /Dest /45 /DEST pdfmark
0 -380.4 M
15 2 Nf
(8.) S
[/View [/XYZ -4 394.613281 null] /Dest /142 /DEST pdfmark
( Authentication ) S
(Algorithms) S
0 -404.6 M
11 0 Nf
0.81640625 0 32 0 0 (This document specifies only one family of the authentication algorithm. The family consists of four) A
0 -417.8 M
4.74726582 0 32 0 0 (authentication algorithms, which only differ in underlying mathematical groups and security) A
0 -431 M
(parameters. The algorithms do not add any additional fields. The tokens for algorithms ) S
(are) S
11 -451.6 M
gsave
0 setgray
newpath
11.0 -451.554688 2.75 0 360 arc
closepath
fill
grestore
22 -455.2 M
("iso11770-4-ec-p256" for the 256-bit prime-field elliptic-curve setting. ) S
11 -465.8 M
gsave
0 setgray
newpath
11.0 -465.753906 2.75 0 360 arc
closepath
fill
grestore
22 -469.4 M
("iso11770-4-ec-p521" for the 521-bit prime-field elliptic-curve setting. ) S
11 -480 M
gsave
0 setgray
newpath
11.0 -479.953125 2.75 0 360 arc
closepath
fill
grestore
22 -483.6 M
("iso11770-4-dl-2048" for the 2048-bit discrete-logarithm setting. ) S
11 -494.2 M
gsave
0 setgray
newpath
11.0 -494.152344 2.75 0 360 arc
closepath
fill
grestore
22 -497.8 M
("iso11770-4-dl-4096" for the 4096-bit discrete-logarithm ) S
(setting.) S
0 -522 M
0.059495192 0 32 0 0 (For the elliptic-curve settings, the underlying fields and the curves used for elliptic-curve cryptography) A
0 -535.2 M
1.30639648 0 32 0 0 (are the prime field and the Curve P-256 and P-521, respectively, specified in the appendix of ) A
1.30639648 0 32 0 0 (FIPS) A
[/Rect [430.972656 -537.929688 454.972656 -525.829712] /Subtype /Link /Border [0 0 1] /Dest /82 /ANN pdfmark
0 -548.4 M
0.666466355 0 32 0 0 (PUB ) A
0.666466355 0 32 0 0 (186-2) A
[/Rect [-1.0 -551.128906 51.4648438 -539.028931] /Subtype /Link /Border [0 0 1] /Dest /82 /ANN pdfmark
0.666466355 0 32 0 0 ( [FIPS.186-2.2000] specification. The hash functions H are SHA-256 for P-256 curve and) A
0 -561.6 M
4.2294035 0 32 0 0 (SHA-512 for P-521 curve, respectively, defined in ) A
4.2294035 0 32 0 0 (FIPS PUB ) A
4.2294035 0 32 0 0 (180-2) A
[/Rect [253.679688 -564.328125 338.683594 -552.228149] /Subtype /Link /Border [0 0 1] /Dest /81 /ANN pdfmark
4.2294035 0 32 0 0 ( [FIPS.180-2.2002]. The) A
0 -574.8 M
(representation of fields wa, wb, oa, and ob is hex-fixed-number. ) S
0 -599 M
3.174716 0 32 0 0 (For discrete-logarithm settings, the underlying groups are 2048-bit and 4096-bit MODP groups) A
0 -612.2 M
2.38371396 0 32 0 0 (defined in ) A
2.38371396 0 32 0 0 ([RFC3526]) A
[/Rect [50.8007812 -614.925781 102.90625 -602.825806] /Subtype /Link /Border [0 0 1] /Dest /85 /ANN pdfmark
2.38371396 0 32 0 0 ( respectively. See ) A
2.38371396 0 32 0 0 (Appendix\240A) A
[/Rect [188.066406 -614.925781 244.136719 -602.825806] /Subtype /Link /Border [0 0 1] /Dest /100 /ANN pdfmark
2.38371396 0 32 0 0 ( for the exact specification of the group and) A
0 -625.4 M
0.458333343 0 32 0 0 (associated parameters. The hash functions H are SHA-256 for the 2048-bit field and SHA-512 for the) A
0 -638.6 M
(4096-bit field, respectively. The representation of fields wa, wb, oa, and ob is base64-fixed-number. ) S
0 -638.6 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 14 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 15 15
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.728365362 0 32 0 0 (The clients SHOULD support at least "iso11770-4-dl-2048" algorithm, and are advised to support all) A
0 -26.4 M
2.56818175 0 32 0 0 (of the above four algorithms whenever possible. The server software implementations SHOULD) A
0 -39.6 M
(support at least "iso11770-4-dl-2048" algorithm, unless it is known that users will not use it. ) S
0 -63.8 M
6.65332031 0 32 0 0 (This algorithm uses Key Agreement Mechanism 3 \(KAM3\) defined in Section 6.3 of ) A
0 -77 M
(ISO/IEC-11770-4) S
[/Rect [-1.0 -79.7460938 79.8046875 -67.6460953] /Subtype /Link /Border [0 0 1] /Dest /93 /ANN pdfmark
( [ISO.11770-4.2006] as a basis. ) S
0 -88 M
[/View [/XYZ -4 669.003906 null] /Dest /46 /DEST pdfmark
0 -88 M
[/View [/XYZ -4 669.003906 null] /Dest /47 /DEST pdfmark
0 -107 M
%%IncludeResource: font Times-Bold
15 2 Nf
(8.1.) S
[/View [/XYZ -4 668.003906 null] /Dest /143 /DEST pdfmark
( Common ) S
(functions) S
0 -131.2 M
11 0 Nf
(The password-based string pi used by this authentication is derived in the following manner: ) S
0 -155.4 M
(pi = H\(VS\(algorithm\) | VS\(auth-domain\) | VS\(realm\) | VS\(username\) | VS\(ph\(password\)\)\). ) S
0 -179.6 M
1.23125 0 32 0 0 (The values of algorithm, realm and auth-domain are taken from the values contained in the 401-B0) A
0 -192.8 M
0.685763896 0 32 0 0 (message. When pi is used in the context of an octet string, it SHALL have the natural length derived) A
0 -206 M
0.617393076 0 32 0 0 (from the size of the output of function H \(e.g. 32 octets for SHA-256\). The function ph is defined by) A
0 -219.2 M
(the value of the pwd-hash field given in a 401-B0 message. ) S
0 -243.4 M
2.10491061 0 32 0 0 (The function VI encodes natural numbers into octet strings in the following manner: integers are) A
0 -256.6 M
0.12109375 0 32 0 0 (represented in big-endian radix-128 string, where each digit is represented by a octet 0x80\2350xff except) A
0 -269.8 M
1.3190918 0 32 0 0 (the last digit represented by 0x00\2350x7f. The first octet MUST NOT be 0x80. For example, VI\(i\) =) A
0 -283 M
1.4193275 0 32 0 0 (octet\(i\) for i < 128, and VI\(i\) = octet\(0x80 | \(i >> 7\)\) | octet\(i & 127\) for 128 <= i < 16384. This) A
0 -296.2 M
0.827880859 0 32 0 0 (encoding is the same as the one used for subcomponents of object identifiers in ) A
0.827880859 0 32 0 0 (the ASN.1 ) A
0.827880859 0 32 0 0 (encoding) A
[/Rect [361.789062 -298.9375 454.941406 -286.837494] /Subtype /Link /Border [0 0 1] /Dest /94 /ANN pdfmark
0 -309.4 M
([ITU.X690.1994]. ) S
0 -333.6 M
1.03487718 0 32 0 0 (The function VS encodes variable-length octet string into decodable octet string, as in the following) A
0 -346.8 M
(manner: ) S
0 -371 M
(VS\(s\) = VI\(length\(s\)\) | s ) S
0 -395.2 M
(where length\(s\) is a number of octets \(not characters\) in s. ) S
0 -419.4 M
0.824869812 0 32 0 0 (The function OCTETS converts an integer to corresponding radix-256 big-endian octet string having) A
0 -432.6 M
0.803466797 0 32 0 0 (its natural length: See ) A
0.803466797 0 32 0 0 (Section\2403.2) A
[/Rect [100.550781 -435.332031 152.039062 -423.232025] /Subtype /Link /Border [0 0 1] /Dest /13 /ANN pdfmark
0.803466797 0 32 0 0 ( for the definition of the "natural length". Note that this is different) A
0 -445.8 M
(from the function GE2OS_x in ) S
([ISO.11770-4.2006]) S
[/Rect [137.984375 -448.53125 229.179688 -436.431244] /Subtype /Link /Border [0 0 1] /Dest /93 /ANN pdfmark
(, which takes the shortest ) S
(representation.) S
0 -470 M
0.0869140625 0 32 0 0 (The equations for J, w_A, T, z, and w_B are specified differently for the discrete-logarithm setting and) A
0 -483.2 M
2.735677 0 32 0 0 (the elliptic-curve setting based on ) A
2.735677 0 32 0 0 ([ISO.11770-4.2006]) A
[/Rect [163.851562 -485.929688 255.046875 -473.829681] /Subtype /Link /Border [0 0 1] /Dest /93 /ANN pdfmark
2.735677 0 32 0 0 (. These equations are defined later in this) A
0 -496.4 M
(section. ) S
0 -520.6 M
0.218994141 0 32 0 0 (The values o_A and o_B are derived by the following equation. Note that these equations are different) A
0 -533.8 M
(from ones specified in ) S
([ISO.11770-4.2006]) S
[/Rect [99.7851562 -536.527344 190.980469 -524.427368] /Subtype /Link /Border [0 0 1] /Dest /93 /ANN pdfmark
(. ) S
0 -558 M
(o_A = H\(octet\(04\) | OCTETS\(w_A\) | OCTETS\(w_B\) | OCTETS\(z\) | VI\(nc\) | VS\(v\)\) ) S
0 -571.2 M
(o_B = H\(octet\(03\) | OCTETS\(w_A\) | OCTETS\(w_B\) | OCTETS\(z\) | VI\(nc\) | VS\(v\)\) ) S
0 -582.2 M
[/View [/XYZ -4 174.824219 null] /Dest /48 /DEST pdfmark
0 -582.2 M
[/View [/XYZ -4 174.824219 null] /Dest /49 /DEST pdfmark
0 -601.2 M
15 2 Nf
(8.2.) S
[/View [/XYZ -4 173.824219 null] /Dest /144 /DEST pdfmark
( Functions for discrete-logarithm ) S
(settings) S
0 -625.4 M
11 0 Nf
0.471726179 0 32 0 0 (In this section, the equation \(x / y mod z\) denotes a natural number w less than z which satisfies \(w *) A
0 -638.6 M
(y\) mod z = x mod z. ) S
0 -638.6 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 15 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 16 16
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(For the discrete-logarithm, we refer some of the domain parameters by the following symbols: ) S
11 -33.8 M
gsave
0 setgray
newpath
11.0 -33.7695312 2.75 0 360 arc
closepath
fill
grestore
22 -37.4 M
(q: for "the prime" of the group. ) S
11 -48 M
gsave
0 setgray
newpath
11.0 -47.96875 2.75 0 360 arc
closepath
fill
grestore
22 -51.6 M
(g: for "the generator" associated with the group. ) S
11 -62.2 M
gsave
0 setgray
newpath
11.0 -62.1679688 2.75 0 360 arc
closepath
fill
grestore
22 -65.8 M
(r: for the order of the subgroup generated by ) S
(g.) S
0 -90 M
(The function J is defined as ) S
0 -114.2 M
(J\(pi\) = g^\(pi\) mod q. ) S
0 -138.4 M
(The value of w_A is derived as ) S
0 -162.6 M
(w_A = g^\(s_A\) mod q, ) S
0 -186.8 M
0.109188989 0 32 0 0 (where s_A is a random integer within range [1, r-1] and r is the size of the subgroup generated by g. In) A
0 -200 M
(addition, s_A MUST be larger than log\(q\)/log\(g\) \(so that g^\(s_A\) > q\). ) S
0 -224.2 M
2.07927394 0 32 0 0 (The value of w_A SHALL satisfy 1 < w_A < q-1. The server MUST check this condition upon) A
0 -237.4 M
(reception. ) S
0 -261.6 M
(The value of w_B is derived from J\(pi\) and w_A as: ) S
0 -285.8 M
(w_B = \(J\(pi\) * w_A^\(H\(octet\(1\) | OCTETS\(w_A\)\)\)\)^s_B mod q, ) S
0 -310 M
0.286328137 0 32 0 0 (where s_B is a random number within range [1, r-1]. The value of w_B MUST satisfy 1 < w_B < q-1.) A
0 -323.2 M
0.0744357631 0 32 0 0 (If this condition does not hold, the server MUST retry with another value of s_B. The client MUST check) A
0 -336.4 M
(this condition upon reception. ) S
0 -360.6 M
(The value z in the client side is derived by the following equation: ) S
0 -384.8 M
0.037224263 0 32 0 0 (z = w_B^\(\(s_A + H\(octet\(2\) | OCTETS\(w_A\) | OCTETS\(w_B\)\)\) / \(s_A * H\(octet\(1\) | OCTETS\(w_A\)\) + pi\) mod) A
0 -398 M
(r\) mod q. ) S
0 -422.2 M
(The value z in the server side is derived by the following equation: ) S
0 -446.4 M
(z = \(w_A * g^\(H\(octet\(2\) | OCTETS\(w_A\) | OCTETS\(w_B\)\)\)\)^s_B mod q. ) S
0 -457.4 M
[/View [/XYZ -4 299.617188 null] /Dest /50 /DEST pdfmark
0 -457.4 M
[/View [/XYZ -4 299.617188 null] /Dest /51 /DEST pdfmark
0 -476.4 M
%%IncludeResource: font Times-Bold
15 2 Nf
(8.3.) S
[/View [/XYZ -4 298.617188 null] /Dest /145 /DEST pdfmark
( Functions for elliptic-curve ) S
(settings) S
0 -500.6 M
11 0 Nf
(For the elliptic-curve setting, we refer some of the domain parameters by the following symbols: ) S
11 -521.2 M
gsave
0 setgray
newpath
11.0 -521.152344 2.75 0 360 arc
closepath
fill
grestore
22 -524.8 M
(q: for the prime used to define the field, ) S
11 -535.4 M
gsave
0 setgray
newpath
11.0 -535.351562 2.75 0 360 arc
closepath
fill
grestore
22 -539 M
(G: for the defined point called the generator, ) S
11 -549.6 M
gsave
0 setgray
newpath
11.0 -549.550781 2.75 0 360 arc
closepath
fill
grestore
22 -553.2 M
(r: for the order of the subgroup generated by ) S
(G.) S
0 -577.4 M
0.138085932 0 32 0 0 (The function P\(p\) converts a curve point p to an integer representing the point p, by computing x * 2 +) A
0 -590.6 M
0.548117876 0 32 0 0 (\(y mod 2\), where \(x, y\) are the coordinates of the point p. P'\(z\) is the inverse of function P, that is, it) A
0 -603.8 M
1.19419646 0 32 0 0 (converts an integer z to a point p which satisfies P\(p\) = z. If such p exists, it is uniquely defined.) A
0 -617 M
5.48723936 0 32 0 0 (Otherwise, z does not represent a valid curve point. The operation [x] * p denotes an) A
0 -630.2 M
3.16471362 0 32 0 0 (integer-multiplication of point p: it calculates p + p + ... \(x times\) ... + p. See literatures on) A
0 -643.4 M
1.16346157 0 32 0 0 (elliptic-curve cryptography for the exact algorithms for those. 0_E represents the infinity point. The) A
0 -656.6 M
0.279891312 0 32 0 0 (equation \(x / y mod z\) denotes an natural number w less than z which satisfies \(w * y\) mod z = x mod) A
0 -669.8 M
(z. ) S
0 -669.8 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 16 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 17 17
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(The function J is defined as ) S
0 -37.4 M
(J\(pi\) = [pi] * G. ) S
0 -61.6 M
(The value of w_A is derived as ) S
0 -85.8 M
(w_A = P\(W_A\), where W_A = [s_A] * G. ) S
0 -110 M
0.178602427 0 32 0 0 (where s_A is a random number within range [1, r-1]. The value of w_A MUST represent a valid curve) A
0 -123.2 M
(point, and W_A SHALL NOT be 0_E. The server MUST check this condition upon reception. ) S
0 -147.4 M
(The value of w_B is derived from J\(pi\) and W_A = P'\(w_A\) as: ) S
0 -171.6 M
(w_B = P\(W_B\), where W_B = [s_B] * \(J\(pi\) + [H\(octet\(1\) | OCTETS\(w_A\)\)] * W_A\). ) S
0 -195.8 M
0.245876729 0 32 0 0 (where s_B is a random number within range [1, r-1]. The value of w_B MUST represent a valid curve) A
0 -209 M
1.59049475 0 32 0 0 (point and satisfy [4] * P'\(w_B\) <> 0_E. If this condition does not hold, the server MUST retry with) A
0 -222.2 M
(another value of s_B. The client MUST check this condition upon reception. ) S
0 -246.4 M
(The value z in the client side is derived by the following equation: ) S
0 -270.6 M
0.346354157 0 32 0 0 (z = P\([\(s_A + H\(octet\(2\) | OCTETS\(w_A\) | OCTETS\(w_B\)\)\) / \(s_A * H\(octet\(1\) | OCTETS\(w_A\)\) +) A
0 -283.8 M
(pi\) mod r] * W_B\), where W_B = P'\(w_B\). ) S
0 -308 M
(The value z in the server side is derived by the following equation: ) S
0 -332.2 M
(z = P\([s_B] * \(W_A + [H\(octet\(2\) | OCTETS\(w_A\) | OCTETS\(w_B\)\)] * G\)\), where W_A = P'\(w_A\). ) S
0 -343.2 M
[/View [/XYZ -4 413.8125 null] /Dest /52 /DEST pdfmark
0 -343.2 M
[/View [/XYZ -4 413.8125 null] /Dest /53 /DEST pdfmark
0 -362.2 M
%%IncludeResource: font Times-Bold
15 2 Nf
(9.) S
[/View [/XYZ -4 412.8125 null] /Dest /146 /DEST pdfmark
( Authentication ) S
(Realms) S
0 -386.4 M
11 0 Nf
0.740349293 0 32 0 0 (In this protocol, an "authentication realm" is defined as a set of resources \(URIs\) for which the same) A
0 -399.6 M
0.0681152344 0 32 0 0 (set of user names and passwords is valid for. If the server requests authentication for the authentication) A
0 -412.8 M
1.46549475 0 32 0 0 (realm which the client is already authenticated, the client will automatically perform authentication) A
0 -426 M
2.63671875 0 32 0 0 (using the already-known secrets. On the contrary, for the different authentication realms, clients) A
0 -439.2 M
(SHOULD NOT automatically reuse the usernames and passwords for another realm. ) S
0 -463.4 M
2.12109375 0 32 0 0 (Just like Basic and Digest access authentication protocol, Mutual authentication protocol supports) A
0 -476.6 M
2.26652646 0 32 0 0 (multiple, separate authentication realms to be set up inside each hosts. Furthermore, the protocol) A
0 -489.8 M
(supports that a single authentication realm spans over several hosts in the same Internet domain. ) S
0 -514 M
0.777043283 0 32 0 0 (Each authentication realm is defined and distinguished by the triple of an "authentication algorithm",) A
0 -527.2 M
0.249674484 0 32 0 0 (an "authentication domain", and a "realm" parameter. Server operators are NOT RECOMMENDED to use) A
0 -540.4 M
3.20823312 0 32 0 0 (the same pair of an authentication domain and a realm for different authentication algorithms,) A
0 -553.6 M
(however. ) S
0 -577.8 M
0.833533645 0 32 0 0 (Authentication algorithms are defined in ) A
0.833533645 0 32 0 0 (Section\2404) A
[/Rect [184.273438 -580.527344 227.511719 -568.427368] /Subtype /Link /Border [0 0 1] /Dest /17 /ANN pdfmark
0.833533645 0 32 0 0 ( and ) A
0.833533645 0 32 0 0 (Section\2408) A
[/Rect [248.558594 -580.527344 291.796875 -568.427368] /Subtype /Link /Border [0 0 1] /Dest /44 /ANN pdfmark
0.833533645 0 32 0 0 (. Realm parameters are just a string,) A
0 -591 M
(as defined in ) S
(Section\2404) S
[/Rect [57.9453125 -593.726562 101.183594 -581.626587] /Subtype /Link /Border [0 0 1] /Dest /17 /ANN pdfmark
(. Authentication domains are described in the rest of this section. ) S
0 -615.2 M
1.07924104 0 32 0 0 (An authentication domain specifies the range of hosts which the authentication realm spans over. In) A
0 -628.4 M
(the protocol, it MUST currently be one of the following strings. ) S
0 -628.4 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 17 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 18 18
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
11 -9.6 M
gsave
0 setgray
newpath
11.0 -9.5703125 2.75 0 360 arc
closepath
fill
grestore
22 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.616286039 0 32 0 0 (the string in format "<scheme>://<host>:<port>", where scheme, host and port are the URI parts) A
22 -26.4 M
0.00759548601 0 32 0 0 (of the requested URI. Even if the request-URI does not have a port part, the string will include the) A
22 -39.6 M
1.37224269 0 32 0 0 (one \(i.e. 80 for http and 443 for https\). Use this when authentication is only valid for specific) A
22 -52.8 M
(protocol \(such as https\). ) S
11 -63.4 M
gsave
0 setgray
newpath
11.0 -63.3671875 2.75 0 360 arc
closepath
fill
grestore
22 -67 M
0.248535156 0 32 0 0 (The "host" part of the requested URI. This is the default value. Authentication realms in this kind) A
22 -80.2 M
0.902864575 0 32 0 0 (of authentication domain will span over several protocols \(i.e. http and https\) and ports, but not) A
22 -93.4 M
(over different hosts. ) S
11 -104 M
gsave
0 setgray
newpath
11.0 -103.964844 2.75 0 360 arc
closepath
fill
grestore
22 -107.6 M
2.31738281 0 32 0 0 (String in format "*.<domain-postfix>", where "domain-postfix" is either the host part of the) A
22 -120.8 M
2.45078135 0 32 0 0 (requested URI, or any domain in which the requested host is included \(this means that the) A
22 -134 M
0.418402791 0 32 0 0 (specification "*.example.com" is valid for all of hosts "www.example.com", "web.example.com") A
22 -147.2 M
0.37109375 0 32 0 0 (and "example.com"\). The domain-postfix must be equal to or included in a valid Internet domain) A
22 -160.4 M
1.57682288 0 32 0 0 (assigned to specific organization: if the clients can know by some way \(such as blacklists for) A
22 -173.6 M
0.802343726 0 32 0 0 (HTTP cookies\) that the specified domain is not to be assigned to any specific organization \(e.g.) A
22 -186.8 M
("*.com" or "*.jp"\), the client is RECOMMENDED to reject the authentication request. ) S
0 -211 M
0.684709847 0 32 0 0 (In the above specifications, every "scheme", "host" and "domain" MUST be in lower-case, and IDNs) A
0 -224.2 M
2.41826916 0 32 0 0 (MUST be represented in ) A
2.41826916 0 32 0 0 (puny-code) A
[/Rect [119.84375 -226.9375 168.269531 -214.837494] /Subtype /Link /Border [0 0 1] /Dest /97 /ANN pdfmark
2.41826916 0 32 0 0 ( [RFC3492]. All "port"s MUST be in the shortest, unsigned,) A
0 -237.4 M
1.51399744 0 32 0 0 (decimal number notation. Not obeying these requirements will cause failure of valid authentication) A
0 -250.6 M
(attempts. ) S
0 -261.6 M
[/View [/XYZ -4 495.414062 null] /Dest /54 /DEST pdfmark
0 -261.6 M
[/View [/XYZ -4 495.414062 null] /Dest /55 /DEST pdfmark
0 -280.6 M
%%IncludeResource: font Times-Bold
15 2 Nf
(9.1.) S
[/View [/XYZ -4 494.414062 null] /Dest /147 /DEST pdfmark
( Resolving ) S
(ambiguities) S
0 -304.8 M
11 0 Nf
3.77929688 0 32 0 0 (In the above definition of authentication domains, several domains will overlap each other.) A
0 -318 M
1.47767854 0 32 0 0 (Depending on the "path" parameters given in the "401-B1" message \(see ) A
1.47767854 0 32 0 0 (Section\2404) A
[/Rect [337.691406 -320.734375 380.929688 -308.634369] /Subtype /Link /Border [0 0 1] /Dest /17 /ANN pdfmark
1.47767854 0 32 0 0 (\), there may be) A
0 -331.2 M
0.846093774 0 32 0 0 (several candidates when the client is to send a request with authentication credentials included \(at the) A
0 -344.4 M
(Steps 3 and 4 of the decision procedure shown in ) S
(Section\2405) S
[/Rect [217.703125 -347.132812 260.941406 -335.032806] /Subtype /Link /Border [0 0 1] /Dest /31 /ANN pdfmark
(\). ) S
0 -368.6 M
(If such choices are required, the following procedure SHOULD be ) S
(followed.) S
11 -389.2 M
gsave
0 setgray
newpath
11.0 -389.152344 2.75 0 360 arc
closepath
fill
grestore
22 -392.8 M
0.90625 0 32 0 0 (If the client has previously sent a request to the same URI, and it remembers the authentication) A
22 -406 M
(realm requested by 401-B0 messages at that time, use that realm. ) S
11 -416.6 M
gsave
0 setgray
newpath
11.0 -416.550781 2.75 0 360 arc
closepath
fill
grestore
22 -420.2 M
1.7922585 0 32 0 0 (In other cases, use one of authentication realms which represents most-specific authentication) A
22 -433.4 M
1.77163458 0 32 0 0 (domains. In the list of possible domain specifications shown above, one described earlier has) A
22 -446.6 M
(priority over ones described after that. ) S
22 -459.8 M
0.201923072 0 32 0 0 (If there are several choices with different domain-postfix specifications, the one which has longer) A
22 -473 M
(domain possible has priority over ones with shorter domain-postfix. ) S
11 -483.5 M
gsave
0 setgray
newpath
11.0 -483.546875 2.75 0 360 arc
closepath
fill
grestore
22 -487.2 M
1.77929688 0 32 0 0 (If there are realms with the same specifications of authentication domain, there is no defined) A
22 -500.4 M
(priority: client MAY choose any one of possible choices. ) S
0 -524.6 M
0.591346145 0 32 0 0 (If possible, server operators are recommended to avoid such ambiguities by setting "path" parameters) A
0 -537.8 M
(properly. ) S
0 -548.8 M
[/View [/XYZ -4 208.226562 null] /Dest /56 /DEST pdfmark
0 -548.8 M
[/View [/XYZ -4 208.226562 null] /Dest /57 /DEST pdfmark
0 -567.8 M
15 2 Nf
(10.) S
[/View [/XYZ -4 207.226562 null] /Dest /148 /DEST pdfmark
( Validation ) S
(Methods) S
0 -592 M
11 0 Nf
1.56730771 0 32 0 0 (The "validation method" specifies a method to "relate" the mutual authentication processed by this) A
0 -605.2 M
3.67773438 0 32 0 0 (protocol with other authentications already performed in the underlying layers and to prevent) A
0 -618.4 M
(man-in-the-middle attacks. It decides the value of v which is an input to authentication protocols. ) S
0 -629.4 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 18 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 19 19
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(The valid tokens for the validation field and corresponding values of v are as follows: ) S
11 -37.4 M
(host: ) S
33 -50.6 M
8.47727299 0 32 0 0 (hostname validation: v will be the ASCII string in the following format:) A
33 -63.8 M
2.62304688 0 32 0 0 ("scheme://host:port", where scheme, host and port are the URI parts corresponding to the) A
33 -77 M
2.41183043 0 32 0 0 (currently accessing resource. The scheme and host are lower-case, and the port is in a) A
33 -90.2 M
1.44977677 0 32 0 0 (shortest decimal representation. Even if the request-URI does not have a port part, v will) A
33 -103.4 M
(include one. ) S
11 -116.6 M
(tls-cert: ) S
33 -129.8 M
1.87866211 0 32 0 0 (TLS certificate validation: v will be the octet string of the hash value of the public key) A
33 -143 M
2.68131518 0 32 0 0 (certificate used in underlying ) A
2.68131518 0 32 0 0 (TLS) A
[/Rect [174.039062 -145.742188 195.589844 -133.642181] /Subtype /Link /Border [0 0 1] /Dest /89 /ANN pdfmark
2.68131518 0 32 0 0 ( [RFC5246] \(or SSL\) connection. The hash value is) A
33 -156.2 M
4.91764307 0 32 0 0 (defined as the value of the whole signed certificate \(specified as "Certificate" in ) A
33 -169.4 M
([RFC5280]) S
[/Rect [32.0 -172.140625 84.1054688 -160.040619] /Subtype /Link /Border [0 0 1] /Dest /99 /ANN pdfmark
(\), hashed by the hash algorithm specified by the authentication algorithm used. ) S
11 -182.6 M
(tls-key: ) S
33 -195.8 M
0.0296875 0 32 0 0 (TLS shared-key validation: v will be the octet string of the shared master secret negotiated in) A
33 -209 M
(underlying TLS \(or SSL\) ) S
(connection.) S
0 -233.2 M
2.89166665 0 32 0 0 (If the HTTP protocol is used on unencrypted channel, the validation type MUST be "host". If ) A
0 -246.4 M
0.808293283 0 32 0 0 (HTTP/TLS) A
[/Rect [-1.0 -249.136719 51.0976562 -237.036713] /Subtype /Link /Border [0 0 1] /Dest /84 /ANN pdfmark
0.808293283 0 32 0 0 ( [RFC2818] \(https\) protocol is used with server certificates, the validation type MUST be) A
0 -259.6 M
2.51367188 0 32 0 0 (either "tls-cert" or "tls-key". If HTTP/TLS protocol is used with anonymous Diffie-Hellman key) A
0 -272.8 M
(exchange, the validation type MUST be "tls-key" \(but see the note below\). ) S
0 -297 M
(Clients MUST validate this field upon reception of 401-B0 messages. ) S
0 -321.2 M
0.793526769 0 32 0 0 (However, when the protocol is used on web browsers with any scripting capabilities, the anonymous) A
0 -334.4 M
0.898158491 0 32 0 0 (Diffie-Hellman family of TLS \(or SSL\) cipher-suite MUST NOT be used even if "tls-key" validated) A
0 -347.6 M
2.12439895 0 32 0 0 (Mutual authentication has been employed, and the certificate shown in TLS \(or SSL\) negotiation) A
0 -360.8 M
0.933823526 0 32 0 0 (MUST be verified using PKI. For other systems, if the "tls-key" validation is used on TLS \(or SSL\)) A
0 -374 M
1.20833337 0 32 0 0 (protocol without certificate verification using PKI, those systems MUST ensure that all transactions) A
0 -387.2 M
1.56129813 0 32 0 0 (with authenticated peer servers MUST use and be validated by the Mutual authentication protocol,) A
0 -400.4 M
(regardless of the existence of the 401-B0 responses. ) S
0 -424.6 M
0.480189741 0 32 0 0 (The protocol defines two variants for validation on TLS connections. The "tls-key" method is) A
0 -437.8 M
(more secure. However, there are some situations where tls-cert is more ) S
(preferable.) S
11 -458.3 M
gsave
0 setgray
newpath
11.0 -458.347656 2.75 0 360 arc
closepath
fill
grestore
22 -462 M
0.0490722656 0 32 0 0 (When TLS accelerating proxies are used. In this case, it is difficult for the authenticating server to) A
22 -475.2 M
1.04986215 0 32 0 0 (acquire the TLS key information which is used between the client and the proxy. It is not the) A
22 -488.4 M
(case for client-side "tunneling" proxies using CONNECT method extension of HTTP. ) S
11 -498.9 M
gsave
0 setgray
newpath
11.0 -498.945312 2.75 0 360 arc
closepath
fill
grestore
22 -502.6 M
(When a black-box implementation of the TLS protocol is used on either peer. ) S
0 -526.8 M
2.171875 0 32 0 0 (Implementations supporting Mutual authentication over https protocol SHOULD support "tls-cert") A
0 -540 M
0.873325884 0 32 0 0 (validation unless it is not applicable. Support for "tls-key" validation is OPTIONAL for both servers) A
0 -553.2 M
(and clients. ) S
0 -564.2 M
[/View [/XYZ -4 192.828125 null] /Dest /58 /DEST pdfmark
0 -564.2 M
[/View [/XYZ -4 192.828125 null] /Dest /59 /DEST pdfmark
0 -583.2 M
%%IncludeResource: font Times-Bold
15 2 Nf
(11.) S
[/View [/XYZ -4 191.828125 null] /Dest /149 /DEST pdfmark
( Session ) S
(Management) S
0 -607.4 M
11 0 Nf
2.39477539 0 32 0 0 (In the Mutual authentication protocol, a session represented by a sid is generated by the first 4) A
0 -620.6 M
2.3713541 0 32 0 0 (messages \(first request, 401-B0, req-A1 and 401-B1\). This session can be used for one or more) A
0 -633.8 M
3.47343755 0 32 0 0 (requests for resources protected by the same realm in the same server. Note that the session) A
0 -647 M
0.0570746511 0 32 0 0 (management is only an inside detail of the protocol and usually not visible to normal users. If a session) A
0 -660.2 M
1.55915177 0 32 0 0 (expires, the client and server will automatically reestablish another session without telling it to the) A
0 -660.2 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 19 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 20 20
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(users. ) S
0 -37.4 M
11 0 Nf
2.3742187 0 32 0 0 (The server SHOULD accept at least one req-A3 request for each session, given that the request) A
0 -50.6 M
1.19416356 0 32 0 0 (reaches the server in a time window specified by the timeout field in the 401-B1 message, and that) A
0 -63.8 M
0.966308594 0 32 0 0 (there are no emergent reasons \(such as flooding attacks\) to forget the sessions. After that, the server) A
0 -77 M
(MAY discard any session at any time and MAY send 401-B0-stale messages for any req-A3 requests. ) S
0 -101.2 M
0.241038606 0 32 0 0 (The client MAY send more than one request using a single session specified by the sid. However, for) A
0 -114.4 M
0.775390625 0 32 0 0 (all such requests, the values of the nonce-counter \(nc field\) MUST be different from each other. The) A
0 -127.6 M
1.7414062 0 32 0 0 (server MUST check for duplication of the received nonces, and if any duplication is detected, the) A
0 -140.8 M
(server MUST discard the session and respond by a 401-B0-stale message. ) S
0 -165 M
0.567925334 0 32 0 0 (In addition, for each session, if the client has already sent a request with nonce value x, it SHOULD) A
0 -178.2 M
0.980239 0 32 0 0 (NOT send requests with a nonce value not larger than \(x - nc-window\). The server MAY reject any) A
0 -191.4 M
0.104567304 0 32 0 0 (requests with nonces violating this rule with 401-B0-stale responses. This restriction enables servers to) A
0 -204.6 M
(implement duplicate-nonce detection in constant memory. ) S
0 -228.8 M
0.186104909 0 32 0 0 (Values of nonces and nonce-related values MUST always be treated as natural numbers within infinite) A
0 -242 M
0.77734375 0 32 0 0 (range. Implementations using fixed-width integers or fixed-precision floating numbers MUST handle) A
0 -255.2 M
0.84765625 0 32 0 0 (integer overflow correctly and carefully. Such implementations are RECOMMENDED to accept any) A
0 -268.4 M
0.776227653 0 32 0 0 (larger values which cannot be represented in the fixed-width integer representations, as long as other) A
0 -281.6 M
0.0326450877 0 32 0 0 (limits such as internal header-length restrictions are not involved. The protocol is designed carefully so) A
0 -294.8 M
0.902622759 0 32 0 0 (that both clients and servers can implement the protocol only with fixed-width integers, by rounding) A
0 -308 M
(any overflowed values to the maximum possible value. ) S
0 -319 M
[/View [/XYZ -4 438.015625 null] /Dest /60 /DEST pdfmark
0 -319 M
[/View [/XYZ -4 438.015625 null] /Dest /61 /DEST pdfmark
0 -338 M
%%IncludeResource: font Times-Bold
15 2 Nf
(12.) S
[/View [/XYZ -4 437.015625 null] /Dest /150 /DEST pdfmark
( Optional Mutual ) S
(Authentication) S
0 -362.2 M
11 0 Nf
2.74080873 0 32 0 0 (In several Web applications, users can access the same contents both as a guest user and as an) A
0 -375.4 M
4.13216162 0 32 0 0 (authenticated user. In usual Web applications, it is implemented using Cookies and custom) A
0 -388.6 M
1.76790369 0 32 0 0 (form-based authentications. The new method of authentication described in this section provides a) A
0 -401.8 M
1.537642 0 32 0 0 (replacement for those authentication systems. The support for this extension is RECOMMENDED,) A
0 -415 M
(unless an authentication is mandatory for some specific applications. ) S
0 -439.2 M
1.46664667 0 32 0 0 (Servers MAY send HTTP successful responses \(response code 200, 206 and others\) containing the) A
0 -452.4 M
0.010516827 0 32 0 0 (Optional-WWW-Authenticate header, when it is allowed to send 401-B0 responses and the requests do) A
0 -465.6 M
4.15972233 0 32 0 0 (not contain Authentication-Info: headers. Such responses are hereafter called 200-Optional-B0) A
0 -478.8 M
(responses. ) S
0 -503 M
(HTTP/1.1 200 ) S
(OK) S
0 -516.2 M
(Optional-WWW-Authenticate: Mutual algorithm=xxxx, validation=xxxx, realm="xxxx", stale=0 ) S
0 -540.4 M
1.02253604 0 32 0 0 (The fields contained in the Optional-WWW-Authenticate header are the same as in the 401-B0 message) A
0 -553.6 M
0.240559891 0 32 0 0 (described in ) A
0.240559891 0 32 0 0 (Section\2404.1) A
[/Rect [55.671875 -556.324219 107.160156 -544.224243] /Subtype /Link /Border [0 0 1] /Dest /19 /ANN pdfmark
0.240559891 0 32 0 0 (. The client software supporting the mutual authentication protocol receiving a) A
0 -566.8 M
0.12740384 0 32 0 0 (200-Optional-B0 message will process the contents of the message and enable an authentication input) A
0 -580 M
(field. ) S
0 -604.2 M
0.62109375 0 32 0 0 (When the user inputs the username and password, the client resends the request with a req-A1 header.) A
0 -617.4 M
1.39322913 0 32 0 0 (The server MUST respond with a 401-B1 message. In terms of the state management in ) A
1.39322913 0 32 0 0 (Section\2405) A
[/Rect [408.972656 -620.121094 452.210938 -608.021118] /Subtype /Link /Border [0 0 1] /Dest /31 /ANN pdfmark
1.39322913 0 32 0 0 (,) A
0 -630.6 M
1.33626306 0 32 0 0 (200-Optional-B0 responses are treated as if they were 401-B0 responses: these messages SHOULD) A
0 -643.8 M
0.525390625 0 32 0 0 (NOT be sent as a response to req-A1 and req-A3 messages, unless the authentication realm sent from) A
0 -657 M
(the client or indicated by sid is different from the one which the server expects. ) S
0 -657 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 20 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 21 21
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.07845056 0 32 0 0 (Servers requesting optional mutual authentication SHOULD send the path field in 401-B1 messages) A
0 -26.4 M
0.289417624 0 32 0 0 (with an appropriate value. Client software supporting optional mutual authentication MUST recognize) A
0 -39.6 M
0.0638786778 0 32 0 0 (the field, and MUST send either req-A1 or req-A3 request for the URI space inside the specified paths,) A
0 -52.8 M
(instead of unauthenticated requests. ) S
0 -63.8 M
[/View [/XYZ -4 693.203125 null] /Dest /62 /DEST pdfmark
0 -63.8 M
[/View [/XYZ -4 693.203125 null] /Dest /63 /DEST pdfmark
0 -82.8 M
%%IncludeResource: font Times-Bold
15 2 Nf
(13.) S
[/View [/XYZ -4 692.203125 null] /Dest /151 /DEST pdfmark
( Methods to extend this ) S
(protocol) S
0 -107 M
11 0 Nf
1.60044646 0 32 0 0 (If a non-standard extension to this protocol is implemented, it MUST use the extension-tokens) A
0 -120.2 M
(defined in ) S
(Section\2403) S
[/Rect [46.0351562 -122.945312 89.2734375 -110.845314] /Subtype /Link /Border [0 0 1] /Dest /8 /ANN pdfmark
( to avoid conflicts with this protocol and other extensions. ) S
0 -144.4 M
1.13020837 0 32 0 0 (Authentication algorithms other than those defined in this document MAY use other representations) A
0 -157.6 M
0.8203125 0 32 0 0 (for keys "wa", "wb", "oa" and "ob", replace those keys, and/or add fields to the messages containing) A
0 -170.8 M
0.271205366 0 32 0 0 (those fields by supplemental specifications. If those specifications use keys other than shown above, it) A
0 -184 M
3.7252605 0 32 0 0 (is RECOMMENDED to use extension-tokens to avoid any key-name conflict with the future) A
0 -197.2 M
(extension of this protocol. ) S
0 -221.4 M
0.012019231 0 32 0 0 (Extension-tokens MAY be freely used for any non-standard, private and/or experimental uses for those) A
0 -234.6 M
(fields provided that the domain part in the token is appropriately used. ) S
0 -245.6 M
[/View [/XYZ -4 511.410156 null] /Dest /64 /DEST pdfmark
0 -245.6 M
[/View [/XYZ -4 511.410156 null] /Dest /65 /DEST pdfmark
0 -264.6 M
15 2 Nf
(14.) S
[/View [/XYZ -4 510.410156 null] /Dest /152 /DEST pdfmark
( IANA ) S
(Considerations) S
0 -288.8 M
11 0 Nf
0.774088562 0 32 0 0 (The tokens used for authentication-algorithm, pwd-hash, and validation fields MUST be allocated by) A
0 -302 M
0.659423828 0 32 0 0 (IANA. To acquire registered tokens, a specification for the use of such tokens MUST be available as) A
0 -315.2 M
(an RFC, as outlined in ) S
([RFC5226]) S
[/Rect [100.429688 -317.9375 152.535156 -305.837494] /Subtype /Link /Border [0 0 1] /Dest /98 /ANN pdfmark
(. ) S
0 -339.4 M
(Note: More formal declarations will be added in future drafts to meet RFC 5226 requirements. ) S
0 -350.4 M
[/View [/XYZ -4 406.613281 null] /Dest /66 /DEST pdfmark
0 -350.4 M
[/View [/XYZ -4 406.613281 null] /Dest /67 /DEST pdfmark
0 -369.4 M
15 2 Nf
(15.) S
[/View [/XYZ -4 405.613281 null] /Dest /153 /DEST pdfmark
( Security ) S
(Considerations) S
0 -376.9 M
[/View [/XYZ -4 380.113281 null] /Dest /68 /DEST pdfmark
0 -376.9 M
[/View [/XYZ -4 380.113281 null] /Dest /69 /DEST pdfmark
0 -399.4 M
15 2 Nf
(15.1.) S
[/View [/XYZ -4 375.613281 null] /Dest /154 /DEST pdfmark
( General ) S
(Assumptions) S
11 -420 M
gsave
0 setgray
newpath
11.0 -419.957031 2.75 0 360 arc
closepath
fill
grestore
22 -423.6 M
11 0 Nf
1.03027344 0 32 0 0 (The protocol is secure against passive eavesdropping and replay attacks. However, the protocol) A
22 -436.8 M
1.20735681 0 32 0 0 (relies on transport security including DNS security for active attacks. HTTP/TLS SHOULD be) A
22 -450 M
(used where transport security is not assured and data secrecy is important. ) S
11 -460.6 M
gsave
0 setgray
newpath
11.0 -460.554688 2.75 0 360 arc
closepath
fill
grestore
22 -464.2 M
1.96364188 0 32 0 0 (Used with HTTP/TLS, if TLS server certificates are reliably verified, the protocol gives true) A
22 -477.4 M
(protection against active man-in-the-middle attacks. ) S
11 -488 M
gsave
0 setgray
newpath
11.0 -487.953125 2.75 0 360 arc
closepath
fill
grestore
22 -491.6 M
1.55807292 0 32 0 0 (Even if the server certificate is not used or is unreliable, the protocol gives protection against) A
22 -504.8 M
1.015625 0 32 0 0 (active man-in-the-middle attacks for each HTTP request/response pair. However, in such cases,) A
22 -518 M
1.931108 0 32 0 0 (JavaScript or similar scripting facilities can be used to affect Mutually-authenticated contents) A
22 -531.2 M
0.858538 0 32 0 0 (from other contents not protected by this authentication mechanism. This is the reason why this) A
22 -544.4 M
(protocol requires that valid TLS server certificates MUST be presented ) S
(\() S
(Section\24010) S
[/Rect [340.433594 -547.128906 389.171875 -535.028931] /Subtype /Link /Border [0 0 1] /Dest /56 /ANN pdfmark
(\). ) S
0 -555.4 M
[/View [/XYZ -4 201.621094 null] /Dest /70 /DEST pdfmark
0 -555.4 M
[/View [/XYZ -4 201.621094 null] /Dest /71 /DEST pdfmark
0 -574.4 M
15 2 Nf
(15.2.) S
[/View [/XYZ -4 200.621094 null] /Dest /155 /DEST pdfmark
( Implementation ) S
(Considerations) S
11 -594.9 M
gsave
0 setgray
newpath
11.0 -594.949219 2.75 0 360 arc
closepath
fill
grestore
22 -598.6 M
11 0 Nf
2.0110085 0 32 0 0 (To securely implement the protocol, the Authentication-Info headers in the 200-B4 messages) A
22 -611.8 M
0.0461425781 0 32 0 0 (MUST always be validated by the client. If the validation fails, the client MUST NOT process) A
22 -625 M
1.01088166 0 32 0 0 (any content sent with the message, including the body part. Non-compliance to this will enable) A
22 -638.2 M
(phishing attacks. ) S
11 -648.7 M
gsave
0 setgray
newpath
11.0 -648.746094 2.75 0 360 arc
closepath
fill
grestore
22 -652.4 M
1.88151038 0 32 0 0 (The authentication status on the client-side SHOULD be visible to the users of the client. In) A
22 -665.6 M
1.13671875 0 32 0 0 (addition, the method for asking user's name and passwords SHOULD be carefully designed so) A
22 -665.6 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 21 -) S
0 setgray
44 -8 M
grestore
pgsave restore N
%%Page: 22 22
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
22 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.575892866 0 32 0 0 (that \(1\) the user can easily distinguish requests of this authentication method from other existing) A
22 -13.2 M
0.955653071 0.955653071 scale

0.0 -13.2 RM
11 0 Nf
(authentication methods such as Basic and Digest methods, and \(2\) the Web contents cannot imitate the) S
1.04640484 1.04640484 scale

22 -39 M
(user-interfaces of this protocol. ) S
22 -52.2 M
4.52587891 0 32 0 0 (An informational memo regarding user-interface considerations and recommendations for) A
22 -65.4 M
(implementing this protocol will be separately published. ) S
11 -76 M
gsave
0 setgray
newpath
11.0 -75.9804688 2.75 0 360 arc
closepath
fill
grestore
22 -79.6 M
2.05703115 0 32 0 0 (For HTTP/TLS communications, when a web form is submitted from Mutually-authenticated) A
22 -92.8 M
0.252757341 0 32 0 0 (pages with the validation methods of "tls-cert" to a URI which is protected by the same realm \(so) A
22 -92.8 M
0.981025636 0.981025636 scale

0.0 -13.2 RM
(indicated by the path field\), if server certificate has been changed since the pages have been received,) S
1.01934135 1.01934135 scale

22 -119 M
2.88341355 0 32 0 0 (the peer is RECOMMENDED to be revalidated using a req-A1 message with an "Expect:) A
22 -132.2 M
0.147321433 0 32 0 0 (100-continue" header. The same applies when the page is received with the validation methods of) A
22 -145.4 M
("tls-key", and when the TLS session has expired. ) S
11 -155.9 M
gsave
0 setgray
newpath
11.0 -155.925781 2.75 0 360 arc
closepath
fill
grestore
22 -159.6 M
2.05649042 0 32 0 0 (Server-side storages of user passwords are advised to have the values derived by the one-way) A
22 -172.8 M
(function J\(pi\), instead of the real passwords, those hashed by ph, or pi. ) S
0 -183.8 M
[/View [/XYZ -4 573.246094 null] /Dest /72 /DEST pdfmark
0 -183.8 M
[/View [/XYZ -4 573.246094 null] /Dest /73 /DEST pdfmark
0 -202.8 M
%%IncludeResource: font Times-Bold
15 2 Nf
(15.3.) S
[/View [/XYZ -4 572.246094 null] /Dest /156 /DEST pdfmark
( Usage ) S
(Considerations) S
11 -223.3 M
gsave
0 setgray
newpath
11.0 -223.324219 2.75 0 360 arc
closepath
fill
grestore
22 -227 M
11 0 Nf
2.14787936 0 32 0 0 (The user-names inputted by user may be sent automatically to any servers sharing the same) A
22 -240.2 M
0.949869812 0 32 0 0 (auth-domain. This means that when host-type auth-domain is used for authentication in HTTPS) A
22 -253.4 M
1.14817703 0 32 0 0 (site, and when an HTTP server on the same host requests Mutual authentication with the same) A
22 -266.6 M
0.388327211 0 32 0 0 (realm, the client will send the user-name in a clear text. If user-names have to be kept secret against) A
22 -279.8 M
1.81835938 0 32 0 0 (eavesdropping, the server must use full-scheme-type auth-domain parameter. On the contrary,) A
22 -293 M
(passwords are not exposed to eavesdroppers even on HTTP requests. ) S
11 -303.5 M
gsave
0 setgray
newpath
11.0 -303.519531 2.75 0 360 arc
closepath
fill
grestore
22 -307.1 M
0.458007812 0 32 0 0 ("Pwd_hash" field is only provided for backward compatibility for password databases, and using) A
22 -320.3 M
0.743088961 0 32 0 0 ("none" function is the most secure choice and RECOMMENDED. If values other than "none") A
22 -333.5 M
1.06571686 0 32 0 0 (are used, you must ensure that the hash values of the passwords were not exposed to the public.) A
22 -346.7 M
1.92897725 0 32 0 0 (Note that hashed password databases for plain-text authentications are usually not considered) A
22 -359.9 M
(secret. ) S
11 -370.5 M
gsave
0 setgray
newpath
11.0 -370.515625 2.75 0 360 arc
closepath
fill
grestore
22 -374.1 M
0.296354175 0 32 0 0 (If the server provides several ways of storing server-side password database, it is advised to store) A
22 -387.3 M
0.00833333377 0 32 0 0 (the values derived by the one-way function J\(pi\), instead of the real passwords, those hashed by ph,) A
22 -400.5 M
(or pi. ) S
0 -411.5 M
[/View [/XYZ -4 345.457031 null] /Dest /74 /DEST pdfmark
0 -411.5 M
[/View [/XYZ -4 345.457031 null] /Dest /75 /DEST pdfmark
0 -430.5 M
15 2 Nf
(16.) S
[/View [/XYZ -4 344.457031 null] /Dest /157 /DEST pdfmark
( Notice on intellectual ) S
(properties) S
0 -454.7 M
11 0 Nf
0.270432681 0 32 0 0 (The National Institute of Advanced Industrial Science and Technology \(AIST\) and Yahoo! Japan, Inc.) A
0 -467.9 M
1.53348219 0 32 0 0 (have jointly submitted a patent application about the protocol proposed in this documentation to the) A
0 -481.1 M
0.532769084 0 32 0 0 (Patent Office of Japan. The patent is intended to be open to any implementors of this protocol and its) A
0 -494.3 M
0.0552455373 0 32 0 0 (variants in a non-exclusive royalty-free manner. For the details of the patent application and its status,) A
0 -507.5 M
(please contact the author of this document. ) S
0 -531.7 M
5.14531231 0 32 0 0 (The elliptic-curve based authentication algorithms might involve several existing patents of) A
0 -544.9 M
1.55625 0 32 0 0 (third-parties. The authors of the document take no position regarding the validity or scope of such) A
0 -558.1 M
(patents, and other patents as well. ) S
0 -569.1 M
[/View [/XYZ -4 187.863281 null] /Dest /76 /DEST pdfmark
0 -569.1 M
[/View [/XYZ -4 187.863281 null] /Dest /77 /DEST pdfmark
0 -588.1 M
15 2 Nf
(17.) S
[/View [/XYZ -4 186.863281 null] /Dest /158 /DEST pdfmark
( ) S
(Acknowledgement) S
0 -612.3 M
11 0 Nf
0.727957606 0 32 0 0 (We gratefully acknowledge Lepidum, Co. Ltd. for support on design and trial implementation of this) A
0 -625.5 M
(protocol. ) S
0 -636.5 M
[/View [/XYZ -4 120.464844 null] /Dest /78 /DEST pdfmark
0 -636.5 M
[/View [/XYZ -4 120.464844 null] /Dest /79 /DEST pdfmark
0 -636.5 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 22 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 23 23
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -18 M
%%IncludeResource: font Times-Bold
15 2 Nf
(18.) S
[/View [/XYZ -4 757.0 null] /Dest /159 /DEST pdfmark
( ) S
(References) S
0 -25.5 M
[/View [/XYZ -4 731.5 null] /Dest /80 /DEST pdfmark
0 -48 M
15 2 Nf
(18.1.) S
[/View [/XYZ -4 727.0 null] /Dest /160 /DEST pdfmark
( Normative ) S
(References) S
8 -64.3 M
0.989260316 0.989260316 scale

-0.0 -11.0 RM
%%IncludeResource: font Times-Roman
11 0 Nf
([FIPS.180-2.2002]) S
[/View [/XYZ -4 842 null] /Dest /81 /DEST pdfmark
1.01085627 1.01085627 scale

105.6 -75.3 M
(National Institute of Standards and Technology, ) S
(\233) S
(Secure Hash ) S
(Standard) S
[/Rect [323.589844 -78.046875 422.707031 -65.9468765] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf)] Cd /ANN pdfmark
(,\234) S
105.6 -88.5 M
(FIPS\240PUB 180-2, ) S
(August\2402002.) S
8 -99.2 M
0.989260316 0.989260316 scale

-0.0 -11.0 RM
([FIPS.186-2.2000]) S
[/View [/XYZ -4 842 null] /Dest /82 /DEST pdfmark
1.01085627 1.01085627 scale

105.6 -110.2 M
(National Institute of Standards and Technology, ) S
(\233) S
(Digital Signature) S
[/Rect [323.589844 -112.996094 401.03125 -100.896095] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://csrc.nist.gov/publications/fips/fips186-2/fips186-2-change1.pdf)] Cd /ANN pdfmark
105.6 -123.4 M
(Standard ) S
(\(DSS\)) S
[/Rect [104.59375 -126.195312 175.925781 -114.095314] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://csrc.nist.gov/publications/fips/fips186-2/fips186-2-change1.pdf)] Cd /ANN pdfmark
(,\234 FIPS\240PUB 186-2, ) S
(January\2402000.) S
8 -145.2 M
([RFC2119]) S
[/View [/XYZ -4 842 null] /Dest /83 /DEST pdfmark
105.6 -145.2 M
(Bradner, ) S
(S.) S
(, ) S
(\233) S
(Key words for use in RFCs to Indicate Requirement ) S
(Levels) S
[/Rect [164.761719 -147.945312 427.910156 -135.845306] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2119)] Cd /ANN pdfmark
(,\234) S
105.6 -158.4 M
(BCP\24014, RFC\2402119, March\2401997 ) S
(\() S
(TXT) S
[/Rect [255.527344 -161.144531 278.90625 -149.044525] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (ftp://ftp.isi.edu/in-notes/rfc2119.txt)] Cd /ANN pdfmark
(, ) S
(HTML) S
[/Rect [282.40625 -161.144531 315.5625 -149.044525] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://xml.resource.org/public/rfc/html/rfc2119.html)] Cd /ANN pdfmark
(, ) S
(XML) S
[/Rect [319.0625 -161.144531 345.5 -149.044525] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://xml.resource.org/public/rfc/xml/rfc2119.xml)] Cd /ANN pdfmark
(\).) S
8 -180.1 M
([RFC2818]) S
[/View [/XYZ -4 842 null] /Dest /84 /DEST pdfmark
105.6 -180.1 M
(Rescorla, E., ) S
(\233) S
(HTTP Over ) S
(TLS) S
[/Rect [168.421875 -182.894531 244.949219 -170.794525] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2818)] Cd /ANN pdfmark
(,\234 RFC\2402818, May\2402000 ) S
(\() S
(TXT) S
[/Rect [355.6875 -182.894531 379.066406 -170.794525] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (ftp://ftp.isi.edu/in-notes/rfc2818.txt)] Cd /ANN pdfmark
(\).) S
8 -201.9 M
([RFC3526]) S
[/View [/XYZ -4 842 null] /Dest /85 /DEST pdfmark
105.6 -201.9 M
(Kivinen, T. and M. Kojo, ) S
(\233) S
(More Modular Exponential \(MODP\)) S
[/Rect [224.035156 -204.644531 388.222656 -192.544525] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc3526)] Cd /ANN pdfmark
105.6 -215.1 M
(Diffie-Hellman groups for Internet Key Exchange ) S
(\(IKE\)) S
[/Rect [104.59375 -217.84375 355.164062 -205.743744] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc3526)] Cd /ANN pdfmark
(,\234 RFC\2403526,) S
105.6 -228.3 M
(May\2402003 ) S
(\() S
(TXT) S
[/Rect [155.914062 -231.042969 179.292969 -218.942963] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (ftp://ftp.isi.edu/in-notes/rfc3526.txt)] Cd /ANN pdfmark
(\).) S
8 -250 M
([RFC3629]) S
[/View [/XYZ -4 842 null] /Dest /86 /DEST pdfmark
105.6 -250 M
(Yergeau, F., ) S
(\233) S
(UTF-8, a transformation format of ISO ) S
(10646) S
[/Rect [166.589844 -252.792969 371.085938 -240.692963] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc3629)] Cd /ANN pdfmark
(,\234 STD\24063,) S
105.6 -263.2 M
(RFC\2403629, November\2402003 ) S
(\() S
(TXT) S
[/Rect [233.210938 -265.992188 256.589844 -253.892181] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (ftp://ftp.isi.edu/in-notes/rfc3629.txt)] Cd /ANN pdfmark
(\).) S
8 -285 M
([RFC4648]) S
[/View [/XYZ -4 842 null] /Dest /87 /DEST pdfmark
105.6 -285 M
(Josefsson, S., ) S
(\233) S
(The Base16, Base32, and Base64 Data ) S
(Encodings) S
[/Rect [171.492188 -287.742188 392.808594 -275.642181] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc4648)] Cd /ANN pdfmark
(,\234) S
105.6 -298.2 M
(RFC\2404648, October\2402006 ) S
(\() S
(TXT) S
[/Rect [222.210938 -300.941406 245.589844 -288.8414] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (ftp://ftp.isi.edu/in-notes/rfc4648.txt)] Cd /ANN pdfmark
(\).) S
8 -319.9 M
([RFC5234]) S
[/View [/XYZ -4 842 null] /Dest /88 /DEST pdfmark
105.6 -319.9 M
(Crocker, D. and P. Overell, ) S
(\233) S
(Augmented BNF for Syntax Specifications: ) S
[/Rect [232.5625 -322.691406 429.746094 -310.5914] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5234)] Cd /ANN pdfmark
105.6 -333.1 M
(ABNF) S
[/Rect [104.59375 -335.890625 135.925781 -323.790619] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5234)] Cd /ANN pdfmark
(,\234 STD\24068, RFC\2405234, January\2402008 ) S
(\() S
(TXT) S
[/Rect [300.730469 -335.890625 324.109375 -323.790619] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (ftp://ftp.isi.edu/in-notes/rfc5234.txt)] Cd /ANN pdfmark
(\).) S
8 -354.9 M
([RFC5246]) S
[/View [/XYZ -4 842 null] /Dest /89 /DEST pdfmark
105.6 -354.9 M
(Dierks, T. and E. Rescorla, ) S
(\233) S
(The Transport Layer Security \(TLS\) Protocol) S
[/Rect [231.339844 -357.640625 433.375 -345.540619] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5246)] Cd /ANN pdfmark
105.6 -368.1 M
(Version ) S
(1.2) S
[/Rect [104.59375 -370.839844 157.910156 -358.739838] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5246)] Cd /ANN pdfmark
(,\234 RFC\2405246, August\2402008 ) S
(\() S
(TXT) S
[/Rect [280.261719 -370.839844 303.640625 -358.739838] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (ftp://ftp.isi.edu/in-notes/rfc5246.txt)] Cd /ANN pdfmark
(\).) S
0 -387.8 M
[/View [/XYZ -4 369.160156 null] /Dest /90 /DEST pdfmark
0 -406.8 M
15 2 Nf
(18.2.) S
[/View [/XYZ -4 368.160156 null] /Dest /161 /DEST pdfmark
( Informative ) S
(References) S
8 -423.1 M
0.98958987 0.98958987 scale

-0.0 -11.0 RM
11 0 Nf
([I-D.altman-tls-channel-bindings]) S
[/View [/XYZ -4 842 null] /Dest /91 /DEST pdfmark
1.01051962 1.01051962 scale

171.2 -434.1 M
(Altman, J., Williams, N., and L. Zhu, ) S
(\233) S
(Channel Bindings for ) S
[/Rect [342.144531 -436.886719 441.59375 -424.786713] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-altman-tls-channel-bindings-05.txt)] Cd /ANN pdfmark
171.2 -447.3 M
(TLS) S
[/Rect [170.167969 -450.085938 191.71875 -437.985931] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-altman-tls-channel-bindings-05.txt)] Cd /ANN pdfmark
(,\234 draft-altman-tls-channel-bindings-05 \(work in) S
171.2 -460.5 M
(progress\), June\2402009 ) S
(\() S
(TXT) S
[/Rect [267.90625 -463.285156 291.285156 -451.18515] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-altman-tls-channel-bindings-05.txt)] Cd /ANN pdfmark
(\).) S
8 -482.3 M
([ISO.10646-1.1993]) S
[/View [/XYZ -4 842 null] /Dest /92 /DEST pdfmark
171.2 -482.3 M
(International Organization for Standardization, \233Information) S
171.2 -495.5 M
(Technology - Universal Multiple-octet coded Character Set) S
171.2 -508.7 M
(\(UCS\) - Part 1: Architecture and Basic Multilingual Plane,\234) S
171.2 -521.9 M
(ISO\240Standard 10646-1, ) S
(May\2401993.) S
8 -543.6 M
([ISO.11770-4.2006]) S
[/View [/XYZ -4 842 null] /Dest /93 /DEST pdfmark
171.2 -543.6 M
(International Organization for Standardization, \233Information) S
171.2 -556.8 M
(technology \235 Security techniques \235 Key management \235 Part) S
171.2 -570 M
(4: Mechanisms based on weak secrets,\234 ISO\240Standard) S
171.2 -583.2 M
(11770-4, ) S
(May\2402006.) S
8 -605 M
([ITU.X690.1994]) S
[/View [/XYZ -4 842 null] /Dest /94 /DEST pdfmark
171.2 -605 M
(International Telecommunications Union, \233Information) S
171.2 -618.2 M
(Technology - ASN.1 encoding rules: Specification of Basic) S
171.2 -631.4 M
(Encoding Rules \(BER\), Canonical Encoding Rules \(CER\)) S
171.2 -644.6 M
(and Distinguished Encoding Rules \(DER\),\234) S
171.2 -657.8 M
(ITU-T\240Recommendation X.690, ) S
(1994.) S
171.2 -657.8 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 23 -) S
0 setgray
342.3 -8 M
grestore
pgsave restore N
%%Page: 24 24
%%PageResources: font Times-Roman Times-Bold Courier Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
8 -13 M
%%IncludeResource: font Times-Roman
11 0 Nf
([RFC2616]) S
[/View [/XYZ -4 842 null] /Dest /95 /DEST pdfmark
171.2 -13 M
(Fielding, ) S
(R.) S
(, ) S
(Gettys, ) S
(J.) S
(, ) S
(Mogul, ) S
(J.) S
(, ) S
(Frystyk, ) S
(H.) S
(, ) S
(Masinter, ) S
(L.) S
(, ) S
171.2 -26.2 M
(Leach, ) S
(P.) S
(, and ) S
(T. ) S
(Berners-Lee) S
(, ) S
(\233) S
(Hypertext Transfer Protocol) S
[/Rect [312.476562 -28.9492188 438.460938 -16.8492184] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2616)] Cd /ANN pdfmark
171.2 -39.4 M
(-- ) S
(HTTP/1.1) S
[/Rect [170.167969 -42.1484375 226.535156 -30.0484371] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2616)] Cd /ANN pdfmark
(,\234 RFC\2402616, June\2401999 ) S
(\() S
(TXT) S
[/Rect [337.273438 -42.1484375 360.652344 -30.0484371] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (ftp://ftp.isi.edu/in-notes/rfc2616.txt)] Cd /ANN pdfmark
(, ) S
(PS) S
[/Rect [364.152344 -42.1484375 378.378906 -30.0484371] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (ftp://ftp.isi.edu/in-notes/rfc2616.ps)] Cd /ANN pdfmark
(, ) S
(PDF) S
[/Rect [381.878906 -42.1484375 404.046875 -30.0484371] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (ftp://ftp.isi.edu/in-notes/rfc2616.pdf)] Cd /ANN pdfmark
(, ) S
171.2 -52.6 M
(HTML) S
[/Rect [170.167969 -55.3476562 203.324219 -43.2476578] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://xml.resource.org/public/rfc/html/rfc2616.html)] Cd /ANN pdfmark
(, ) S
(XML) S
[/Rect [206.824219 -55.3476562 233.261719 -43.2476578] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://xml.resource.org/public/rfc/xml/rfc2616.xml)] Cd /ANN pdfmark
(\).) S
8 -74.3 M
([RFC2617]) S
[/View [/XYZ -4 842 null] /Dest /96 /DEST pdfmark
171.2 -74.3 M
(Franks, ) S
(J.) S
(, ) S
(Hallam-Baker, ) S
(P.) S
(, ) S
(Hostetler, ) S
(J.) S
(, ) S
(Lawrence, ) S
(S.) S
(, ) S
171.2 -87.5 M
(Leach, ) S
(P.) S
(, Luotonen, A., and ) S
(L. ) S
(Stewart) S
(, ) S
(\233) S
(HTTP) S
[/Rect [355.570312 -90.296875 385.0625 -78.1968765] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2617)] Cd /ANN pdfmark
171.2 -100.7 M
(Authentication: Basic and Digest Access ) S
(Authentication) S
[/Rect [170.167969 -103.496094 419.871094 -91.3960953] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2617)] Cd /ANN pdfmark
(,\234) S
171.2 -113.9 M
(RFC\2402617, June\2401999 ) S
(\() S
(TXT) S
[/Rect [272.523438 -116.695312 295.902344 -104.595314] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (ftp://ftp.isi.edu/in-notes/rfc2617.txt)] Cd /ANN pdfmark
(, ) S
(HTML) S
[/Rect [299.402344 -116.695312 332.558594 -104.595314] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://xml.resource.org/public/rfc/html/rfc2617.html)] Cd /ANN pdfmark
(, ) S
(XML) S
[/Rect [336.058594 -116.695312 362.496094 -104.595314] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://xml.resource.org/public/rfc/xml/rfc2617.xml)] Cd /ANN pdfmark
(\).) S
8 -135.7 M
([RFC3492]) S
[/View [/XYZ -4 842 null] /Dest /97 /DEST pdfmark
171.2 -135.7 M
(Costello, A., ) S
(\233) S
(Punycode: A Bootstring encoding of Unicode) S
[/Rect [233.402344 -138.445312 436.707031 -126.345314] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc3492)] Cd /ANN pdfmark
171.2 -148.9 M
(for Internationalized Domain Names in Applications ) S
[/Rect [170.167969 -151.644531 406.726562 -139.544525] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (ftp://ftp.isi.edu/in-notes/rfc3492.txt)] Cd /ANN pdfmark
171.2 -162.1 M
(\(IDNA\)) S
[/Rect [170.167969 -164.84375 206.972656 -152.743744] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc3492)] Cd /ANN pdfmark
(,\234 RFC\2403492, March\2402003 ) S
(\() S
(TXT) S
[/Rect [326.253906 -164.84375 349.632812 -152.743744] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (ftp://ftp.isi.edu/in-notes/rfc3492.txt)] Cd /ANN pdfmark
(\).) S
8 -183.8 M
([RFC5226]) S
[/View [/XYZ -4 842 null] /Dest /98 /DEST pdfmark
171.2 -183.8 M
(Narten, T. and H. Alvestrand, ) S
(\233) S
(Guidelines for Writing an) S
[/Rect [308.519531 -186.59375 423.828125 -174.493744] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5226)] Cd /ANN pdfmark
171.2 -197 M
(IANA Considerations Section in ) S
(RFCs) S
[/Rect [170.167969 -199.792969 343.238281 -187.692963] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5226)] Cd /ANN pdfmark
(,\234 BCP\24026, RFC\2405226,) S
171.2 -210.2 M
(May\2402008 ) S
(\() S
(TXT) S
[/Rect [221.488281 -212.992188 244.867188 -200.892181] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (ftp://ftp.isi.edu/in-notes/rfc5226.txt)] Cd /ANN pdfmark
(\).) S
8 -232 M
([RFC5280]) S
[/View [/XYZ -4 842 null] /Dest /99 /DEST pdfmark
171.2 -232 M
(Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley,) S
171.2 -245.2 M
(R., and W. Polk, ) S
(\233) S
(Internet X.509 Public Key Infrastructure) S
[/Rect [250.820312 -247.941406 431.472656 -235.8414] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5280)] Cd /ANN pdfmark
171.2 -258.4 M
(Certificate and Certificate Revocation List \(CRL\) ) S
(Profile) S
[/Rect [170.167969 -261.140625 423.199219 -249.040619] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5280)] Cd /ANN pdfmark
(,\234) S
171.2 -271.6 M
(RFC\2405280, May\2402008 ) S
(\() S
(TXT) S
[/Rect [272.523438 -274.339844 295.902344 -262.239838] /Subtype /Link /Border [0 0 1] /Action [/Subtype /URI /URI (ftp://ftp.isi.edu/in-notes/rfc5280.txt)] Cd /ANN pdfmark
(\).) S
0 -291.3 M
[/View [/XYZ -4 465.660156 null] /Dest /100 /DEST pdfmark
0 -291.3 M
[/View [/XYZ -4 465.660156 null] /Dest /101 /DEST pdfmark
0 -310.3 M
%%IncludeResource: font Times-Bold
15 2 Nf
(Appendix) S
[/View [/XYZ -4 464.660156 null] /Dest /162 /DEST pdfmark
( A. Group parameters for discrete-logarithm based ) S
0 -328.3 M
(algorithms) S
0 -352.5 M
11 0 Nf
(The MODP group used for the iso11770-4-dl-2048 algorithm is defined by the following ) S
(parameters.) S
0 -376.7 M
(The prime ) S
(is:) S
0 -398.5 M
%%IncludeResource: font Courier
9.0 4 Nf
( q = 0xFFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1) S
0 -409.3 M
(       29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD) S
0 -420.1 M
(       EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245) S
0 -430.9 M
(       E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED) S
0 -441.7 M
(       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D) S
0 -452.5 M
(       C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F) S
0 -463.3 M
(       83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D) S
0 -474.1 M
(       670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B) S
0 -484.9 M
(       E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9) S
0 -495.7 M
(       DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510) S
0 -506.5 M
(       15728E5A 8AACAA68 FFFFFFFF FFFFFFFF.) S
0 -530.7 M
11 0 Nf
(The generator ) S
(is:) S
0 -552.5 M
9.0 4 Nf
( g = 2.) S
0 -576.7 M
11 0 Nf
(The size of the subgroup generated by g ) S
(is:) S
0 -587.7 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 24 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 25 25
%%PageResources: font Times-Roman Courier Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -10.8 M
%%IncludeResource: font Courier
9.0 4 Nf
( r = \(q - 1\) / 2 =) S
0 -21.6 M
(     0x7FFFFFFF FFFFFFFF E487ED51 10B4611A 62633145 C06E0E68) S
0 -32.4 M
(       94812704 4533E63A 0105DF53 1D89CD91 28A5043C C71A026E) S
0 -43.2 M
(       F7CA8CD9 E69D218D 98158536 F92F8A1B A7F09AB6 B6A8E122) S
0 -54 M
(       F242DABB 312F3F63 7A262174 D31BF6B5 85FFAE5B 7A035BF6) S
0 -64.8 M
(       F71C35FD AD44CFD2 D74F9208 BE258FF3 24943328 F6722D9E) S
0 -75.6 M
(       E1003E5C 50B1DF82 CC6D241B 0E2AE9CD 348B1FD4 7E9267AF) S
0 -86.4 M
(       C1B2AE91 EE51D6CB 0E3179AB 1042A95D CF6A9483 B84B4B36) S
0 -97.2 M
(       B3861AA7 255E4C02 78BA3604 650C10BE 19482F23 171B671D) S
0 -108 M
(       F1CF3B96 0C074301 CD93C1D1 7603D147 DAE2AEF8 37A62964) S
0 -118.8 M
(       EF15E5FB 4AAC0B8C 1CCAA4BE 754AB572 8AE9130C 4C7D0288) S
0 -129.6 M
(       0AB9472D 45565534 7FFFFFFF FFFFFFFF.) S
0 -153.8 M
%%IncludeResource: font Times-Roman
11 0 Nf
(The MODP group used for the iso11770-4-dl-4096 algorithm is defined by the following ) S
(parameters.) S
0 -178 M
(The prime ) S
(is:) S
0 -199.8 M
9.0 4 Nf
( q = 0xFFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1) S
0 -210.6 M
(       29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD) S
0 -221.4 M
(       EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245) S
0 -232.2 M
(       E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED) S
0 -242.9 M
(       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D) S
0 -253.7 M
(       C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F) S
0 -264.5 M
(       83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D) S
0 -275.3 M
(       670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B) S
0 -286.1 M
(       E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9) S
0 -296.9 M
(       DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510) S
0 -307.7 M
(       15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64) S
0 -318.5 M
(       ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7) S
0 -329.3 M
(       ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B) S
0 -340.1 M
(       F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C) S
0 -350.9 M
(       BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31) S
0 -361.7 M
(       43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7) S
0 -372.5 M
(       88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA) S
0 -383.3 M
(       2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6) S
0 -394.1 M
(       287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED) S
0 -404.9 M
(       1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9) S
0 -415.7 M
(       93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34063199) S
0 -426.5 M
(       FFFFFFFF FFFFFFFF.) S
0 -450.7 M
11 0 Nf
(The generator ) S
(is:) S
0 -472.5 M
9.0 4 Nf
( g = 2.) S
0 -496.7 M
11 0 Nf
(The size of the subgroup generated by g ) S
(is:) S
0 -518.5 M
9.0 4 Nf
( r = \(q - 1\) / 2 =) S
0 -529.3 M
(     0x7FFFFFFF FFFFFFFF E487ED51 10B4611A 62633145 C06E0E68) S
0 -540.1 M
(       94812704 4533E63A 0105DF53 1D89CD91 28A5043C C71A026E) S
0 -550.9 M
(       F7CA8CD9 E69D218D 98158536 F92F8A1B A7F09AB6 B6A8E122) S
0 -561.7 M
(       F242DABB 312F3F63 7A262174 D31BF6B5 85FFAE5B 7A035BF6) S
0 -572.5 M
(       F71C35FD AD44CFD2 D74F9208 BE258FF3 24943328 F6722D9E) S
0 -583.3 M
(       E1003E5C 50B1DF82 CC6D241B 0E2AE9CD 348B1FD4 7E9267AF) S
0 -594.1 M
(       C1B2AE91 EE51D6CB 0E3179AB 1042A95D CF6A9483 B84B4B36) S
0 -604.9 M
(       B3861AA7 255E4C02 78BA3604 650C10BE 19482F23 171B671D) S
0 -615.7 M
(       F1CF3B96 0C074301 CD93C1D1 7603D147 DAE2AEF8 37A62964) S
0 -626.5 M
(       EF15E5FB 4AAC0B8C 1CCAA4BE 754AB572 8AE9130C 4C7D0288) S
0 -637.3 M
(       0AB9472D 45556216 D6998B86 82283D19 D42A90D5 EF8E5D32) S
0 -648 M
(       767DC282 2C6DF785 457538AB AE83063E D9CB87C2 D370F263) S
0 -658.8 M
(       D5FAD746 6D8499EB 8F464A70 2512B0CE E771E913 0D697735) S
0 -669.6 M
(       F897FD03 6CC50432 6C3B0139 9F643532 290F958C 0BBD9006) S
0 -669.6 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 25 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 26 26
%%PageResources: font Times-Roman Times-Bold Courier Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -10.8 M
%%IncludeResource: font Courier
9.0 4 Nf
(       5DF08BAB BD30AEB6 3B84C460 5D6CA371 047127D0 3A72D598) S
0 -21.6 M
9.0 4 Nf
(       A1EDADFE 707E8847 25C16890 54908400 8D391E09 53C3F36B) S
0 -32.4 M
(       C438CD08 5EDD2D93 4CE1938C 357A711E 0D4A341A 5B0A85ED) S
0 -43.2 M
(       12C1F4E5 156A2674 6DDDE16D 826F477C 97477E0A 0FDF6553) S
0 -54 M
(       143E2CA3 A735E02E CCD94B27 D04861D1 119DD0C3 28ADF3F6) S
0 -64.8 M
(       8FB094B8 67716BD7 DC0DEEBB 10B8240E 68034893 EAD82D54) S
0 -75.6 M
(       C9DA754C 46C7EEE0 C37FDBEE 48536047 A6FA1AE4 9A0318CC) S
0 -86.4 M
(       FFFFFFFF FFFFFFFF.) S
0 -95.4 M
[/View [/XYZ -4 661.625 null] /Dest /102 /DEST pdfmark
0 -95.4 M
[/View [/XYZ -4 661.625 null] /Dest /103 /DEST pdfmark
0 -116.4 M
%%IncludeResource: font Times-Bold
15 2 Nf
(Appendix) S
[/View [/XYZ -4 658.625 null] /Dest /163 /DEST pdfmark
( B. Derived numerical ) S
(values) S
0 -140.6 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.37379813 0 32 0 0 (This section gives several numerical values for implementing this protocol, derived from the above) A
0 -153.8 M
(specifications. The values shown in this section are for informative purposes only. ) S
195.8 -182.1 M
11 2 Nf
(dl-2048) S
236.7 -182.1 M
11 2 Nf
(dl-4096) S
277.7 -182.1 M
11 2 Nf
(ec-p256) S
319.8 -182.1 M
11 2 Nf
(ec-p521) S
59 -201.8 M
11 0 Nf
(Size of w_A ) S
(etc.) S
195.8 -201.8 M
(2048) S
236.7 -201.8 M
(4096) S
277.7 -201.8 M
(257) S
319.8 -201.8 M
(522) S
361.9 -201.8 M
(\(bits\)) S
59 -221.6 M
(Size of ) S
(H\(...\)) S
195.8 -221.6 M
(256) S
236.7 -221.6 M
(512) S
277.7 -221.6 M
(256) S
319.8 -221.6 M
(512) S
361.9 -221.6 M
(\(bits\)) S
59 -241.3 M
(length of OCTETS\(w_A\) ) S
(etc.) S
195.8 -241.3 M
(256) S
236.7 -241.3 M
(512) S
277.7 -241.3 M
(33) S
319.8 -241.3 M
(66) S
361.9 -241.3 M
(\(octets\)) S
59 -261.1 M
(length of wa, wb field ) S
(values.) S
195.8 -261.1 M
(346 ) S
(*) S
236.7 -261.1 M
(686 ) S
(*) S
277.7 -261.1 M
(66) S
319.8 -261.1 M
(132) S
361.9 -261.1 M
(\(octets\)) S
59 -280.8 M
(length of oa, ob field ) S
(values.) S
195.8 -280.8 M
(46 ) S
(*) S
236.7 -280.8 M
(90 ) S
(*) S
277.7 -280.8 M
(64) S
319.8 -280.8 M
(128) S
361.9 -280.8 M
(\(octets\)) S
59 -300.6 M
(minimum allowed ) S
(s_A) S
195.8 -300.6 M
(2048) S
236.7 -300.6 M
(4096) S
277.7 -300.6 M
(1) S
319.8 -300.6 M
(1) S
361.9 -300.6 M
(\240) S
0 -330.5 M
11 0 Nf
(\(The numbers marked with * include enclosing quotation ) S
(marks.\)) S
0 -341.5 M
[/View [/XYZ -4 415.480469 null] /Dest /104 /DEST pdfmark
0 -341.5 M
[/View [/XYZ -4 415.480469 null] /Dest /105 /DEST pdfmark
0 -360.5 M
15 2 Nf
(Appendix) S
[/View [/XYZ -4 414.480469 null] /Dest /164 /DEST pdfmark
( C. Draft Remarks from the ) S
(Authors) S
0 -384.7 M
11 0 Nf
(The following items are currently under consideration for future revisions by the authors. ) S
11 -405.3 M
gsave
0 setgray
newpath
11.0 -405.289062 2.75 0 360 arc
closepath
fill
grestore
22 -408.9 M
6.51904297 0 32 0 0 (Whether to use ) A
6.51904297 0 32 0 0 ("TLS channel ) A
6.51904297 0 32 0 0 (binding") A
[/Rect [109.875 -411.667969 226.738281 -399.567963] /Subtype /Link /Border [0 0 1] /Dest /91 /ANN pdfmark
6.51904297 0 32 0 0 ( [I-D.altman-tls-channel-bindings] for "tls-key") A
22 -422.1 M
2.14808249 0 32 0 0 (verification ) A
2.14808249 0 32 0 0 (\() A
2.14808249 0 32 0 0 (Section\24010) A
[/Rect [80.2421875 -424.867188 128.980469 -412.767181] /Subtype /Link /Border [0 0 1] /Dest /56 /ANN pdfmark
2.14808249 0 32 0 0 (\). Note that existing implementations of TLS should be considered to) A
22 -435.3 M
(determine ) S
(this.) S
0 -446.3 M
[/View [/XYZ -4 310.683594 null] /Dest /106 /DEST pdfmark
0 -446.3 M
[/View [/XYZ -4 310.683594 null] /Dest /107 /DEST pdfmark
0 -465.3 M
15 2 Nf
(Appendix) S
[/View [/XYZ -4 309.683594 null] /Dest /165 /DEST pdfmark
( D. Draft Change ) S
(Log) S
0 -472.8 M
[/View [/XYZ -4 284.183594 null] /Dest /108 /DEST pdfmark
0 -472.8 M
[/View [/XYZ -4 284.183594 null] /Dest /109 /DEST pdfmark
0 -495.3 M
15 2 Nf
(D.1.) S
[/View [/XYZ -4 279.683594 null] /Dest /166 /DEST pdfmark
( Changes in revision ) S
(05) S
11 -515.9 M
gsave
0 setgray
newpath
11.0 -515.886719 2.75 0 360 arc
closepath
fill
grestore
22 -519.5 M
11 0 Nf
3.47806501 0 32 0 0 (A new field "version" is added for supporting future incompatible changes with a single) A
22 -532.7 M
(implementation. In the \(first\) final specification its value will be changed to 1. ) S
11 -543.3 M
gsave
0 setgray
newpath
11.0 -543.285156 2.75 0 360 arc
closepath
fill
grestore
22 -546.9 M
6.18185759 0 32 0 0 (A new header "Authentication-Control" added for precise control of application-level) A
22 -560.1 M
(authentication ) S
(behavior.) S
0 -571.1 M
[/View [/XYZ -4 185.886719 null] /Dest /110 /DEST pdfmark
0 -571.1 M
[/View [/XYZ -4 185.886719 null] /Dest /111 /DEST pdfmark
0 -590.1 M
15 2 Nf
(D.2.) S
[/View [/XYZ -4 184.886719 null] /Dest /167 /DEST pdfmark
( Changes in revision ) S
(04) S
11 -610.7 M
gsave
0 setgray
newpath
11.0 -610.683594 2.75 0 360 arc
closepath
fill
grestore
22 -614.3 M
11 0 Nf
0.166145831 0 32 0 0 (Changed text of patent licenses: the phrase "once the protocol is accepted as an Internet standard") A
22 -627.5 M
(is removed so that the sentence also covers the draft versions of this protocol. ) S
11 -638.1 M
gsave
0 setgray
newpath
11.0 -638.082031 2.75 0 360 arc
closepath
fill
grestore
22 -641.7 M
(The "tls-key" verification is now OPTIONAL. ) S
11 -652.3 M
gsave
0 setgray
newpath
11.0 -652.28125 2.75 0 360 arc
closepath
fill
grestore
22 -655.9 M
(Several description fixes and ) S
(clarifications.) S
0 -655.9 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 26 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 27 27
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /112 /DEST pdfmark
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /113 /DEST pdfmark
0 -18 M
%%IncludeResource: font Times-Bold
15 2 Nf
(D.3.) S
[/View [/XYZ -4 757.0 null] /Dest /168 /DEST pdfmark
( Changes in revision ) S
(03) S
11 -38.6 M
gsave
0 setgray
newpath
11.0 -38.5703125 2.75 0 360 arc
closepath
fill
grestore
22 -42.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.63454866 0 32 0 0 (Wildcard domain specifications \(e.g. "*.example.com"\) is allowed for auth-domain parameters ) A
22 -55.4 M
(\() S
(Section\2404.1) S
[/Rect [24.6601562 -58.1484375 76.1484375 -46.048439] /Subtype /Link /Border [0 0 1] /Dest /19 /ANN pdfmark
(\). ) S
11 -66 M
gsave
0 setgray
newpath
11.0 -65.96875 2.75 0 360 arc
closepath
fill
grestore
22 -69.6 M
(Specification of the "tls-host" verification is updated \(incompatible change\). ) S
11 -80.2 M
gsave
0 setgray
newpath
11.0 -80.1679688 2.75 0 360 arc
closepath
fill
grestore
22 -83.8 M
(State transitions fixed. ) S
11 -94.4 M
gsave
0 setgray
newpath
11.0 -94.3671875 2.75 0 360 arc
closepath
fill
grestore
22 -98 M
(Requirements for servers about w_a values clarified. ) S
11 -108.6 M
gsave
0 setgray
newpath
11.0 -108.566406 2.75 0 360 arc
closepath
fill
grestore
22 -112.2 M
(RFC references are ) S
(updated.) S
0 -123.2 M
[/View [/XYZ -4 633.804688 null] /Dest /114 /DEST pdfmark
0 -123.2 M
[/View [/XYZ -4 633.804688 null] /Dest /115 /DEST pdfmark
0 -142.2 M
15 2 Nf
(D.4.) S
[/View [/XYZ -4 632.804688 null] /Dest /169 /DEST pdfmark
( Changes in revision ) S
(02) S
11 -162.8 M
gsave
0 setgray
newpath
11.0 -162.765625 2.75 0 360 arc
closepath
fill
grestore
22 -166.4 M
11 0 Nf
(Auth-realm is extended to allow full-scheme type. ) S
11 -177 M
gsave
0 setgray
newpath
11.0 -176.964844 2.75 0 360 arc
closepath
fill
grestore
22 -180.6 M
(A decision diagram for clients and decision procedures for servers are added. ) S
11 -191.2 M
gsave
0 setgray
newpath
11.0 -191.164062 2.75 0 360 arc
closepath
fill
grestore
22 -194.8 M
(401-B1 and req-A3 messages are changed to have authentication realm information. ) S
11 -205.4 M
gsave
0 setgray
newpath
11.0 -205.363281 2.75 0 360 arc
closepath
fill
grestore
22 -209 M
(Bugs in the equations for o_A and o_B are fixed. ) S
11 -219.6 M
gsave
0 setgray
newpath
11.0 -219.5625 2.75 0 360 arc
closepath
fill
grestore
22 -223.2 M
(Detailed equations for the whole algorithm are included. ) S
11 -233.8 M
gsave
0 setgray
newpath
11.0 -233.761719 2.75 0 360 arc
closepath
fill
grestore
22 -237.4 M
(Elliptic-curve algorithms are updated. ) S
11 -248 M
gsave
0 setgray
newpath
11.0 -247.960938 2.75 0 360 arc
closepath
fill
grestore
22 -251.6 M
(Several clarifications and other minor ) S
(updates.) S
0 -262.6 M
[/View [/XYZ -4 494.410156 null] /Dest /116 /DEST pdfmark
0 -281.6 M
15 2 Nf
(Authors') S
[/View [/XYZ -4 493.410156 null] /Dest /170 /DEST pdfmark
( ) S
(Addresses) S
0 -306.9 M
11 0 Nf
(\240) S
46.2 -306.9 M
(Yutaka ) S
(Oiwa) S
0 -320.6 M
(\240) S
46.2 -320.6 M
(National Institute of Advanced Industrial Science and ) S
(Technology) S
0 -334.4 M
(\240) S
46.2 -334.4 M
(Research Center for Information ) S
(Security) S
0 -348.1 M
(\240) S
46.2 -348.1 M
(Akihabara Daibiru ) S
(#1003) S
0 -361.9 M
(\240) S
46.2 -361.9 M
(1-18-13 ) S
(Sotokanda) S
0 -375.6 M
(\240) S
46.2 -375.6 M
(Chiyoda-ku, ) S
(Tokyo) S
0 -389.4 M
(\240) S
46.2 -389.4 M
(JP) S
12.9 -403.1 M
(Phone:\240) S
46.2 -403.1 M
(+81 ) S
(3-5298-4722) S
14.1 -416.9 M
(Email:\240) S
46.2 -416.9 M
(mutual-auth-contact@m.aist.go.jp) S
0 -430.6 M
(\240) S
46.2 -430.6 M
(\240) S
0 -444.4 M
(\240) S
46.2 -444.4 M
(Hajime ) S
(Watanabe) S
0 -458.1 M
(\240) S
46.2 -458.1 M
(National Institute of Advanced Industrial Science and ) S
(Technology) S
0 -471.9 M
(\240) S
46.2 -471.9 M
(\240) S
0 -485.6 M
(\240) S
46.2 -485.6 M
(Hiromitsu ) S
(Takagi) S
0 -499.4 M
(\240) S
46.2 -499.4 M
(National Institute of Advanced Industrial Science and ) S
(Technology) S
0 -513.1 M
(\240) S
46.2 -513.1 M
(\240) S
0 -526.9 M
(\240) S
46.2 -526.9 M
(Hirofumi ) S
(Suzuki) S
0 -540.6 M
(\240) S
46.2 -540.6 M
(Yahoo! Japan, ) S
(Inc.) S
0 -554.4 M
(\240) S
46.2 -554.4 M
(Midtown ) S
(Tower) S
0 -568.1 M
(\240) S
46.2 -568.1 M
(9-7-1 ) S
(Akasaka) S
0 -581.9 M
(\240) S
46.2 -581.9 M
(Minato-ku, ) S
(Tokyo) S
0 -595.6 M
(\240) S
46.2 -595.6 M
(JP) S
12.9 -609.4 M
(Phone:\240) S
46.2 -609.4 M
(+81 ) S
(3-6440-6290) S
0 -623.1 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 27 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%EOF
