%!PS-Adobe-3.0
%%Title: Mutual Authentication Protocol for HTTP
%%Creator: html2ps version 1.0 beta5
%%CreationDate: Mon Aug 23 21:46:29 2010
%%DocumentNeededResources: font Times-Roman Times-Bold Courier Courier-Oblique
%%+ font Helvetica
%%DocumentData: Clean7Bit
%%Orientation: Portrait
%%BoundingBox: 0 0 596 842
%%Pages: 37
%%EndComments
%%BeginProlog
% Shorthand operators used by the rest of the prolog and by every page body.
% d: bind the procedure on the stack, then define it under the given name.
/d {bind def} bind def
% D: def without the bind step.
/D {def} d
% ie: ifelse.
/ie {ifelse} d
% E: exch.
/E {exch} d
% t and f: the booleans true and false.
/t true D
/f false D
% FL: table of base font names. Nf looks a font up here by zero-based index
% (0 = Times-Roman, 2 = Times-Bold, 4 = Courier, 8 = Helvetica, ...).
/FL [/Times-Roman
/Times-Italic
/Times-Bold
/Times-BoldItalic
/Courier
/Courier-Oblique
/Courier-Bold
/Courier-BoldOblique
/Helvetica
/Helvetica-Oblique
/Helvetica-Bold
/Helvetica-BoldOblique] D
% Cd: array-of-pairs -> dict. Takes an array laid out as key value key value ...,
% creates a dictionary sized for (length / 2) entries, defines each pair in it
% and leaves the dictionary on the operand stack.
/Cd {aload length 2 idiv dup dict begin {D} repeat currentdict end} D
% reencodeISO: fontname -> fontname font.
% Copies the named font's dictionary entry by entry, skipping /FID (definefont
% needs a copy without it), replaces /Encoding with the ISOLatin1Encoding array
% defined below, and registers the copy under the same name. The name and the
% new font are left on the stack so the caller can def them.
/reencodeISO {
 dup dup findfont dup length dict begin{1 index /FID ne{D}{pop pop}ie}forall
 /Encoding ISOLatin1Encoding D currentdict end definefont} D
% ISOLatin1Encoding: 256 glyph names indexed by character code.
% Codes 0-31 and 127-159 are /.notdef here; the statement that follows this
% array fills in some of 128-159. Code 160 (octal \240, used in the page text
% as a non-breaking space) maps to /space.
/ISOLatin1Encoding [
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quoteright
/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash
/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon
/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N
/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright
/asciicircum/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m
/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/space/exclamdown/cent/sterling/currency/yen/brokenbar
/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot
/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior
/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine
/guillemotright/onequarter/onehalf/threequarters/questiondown
/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla
/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex
/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis
/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute
/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis
/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave
/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex
/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis
/yacute/thorn/ydieresis
] D
% Patch ISOLatin1Encoding in place: the array below is a list of
% (character code, glyph name) pairs covering codes 128-130 and 141-159.
% The page text depends on these, e.g. octal \233 and \234 (155 and 156)
% select the left and right double quotes.
[128/backslash 129/parenleft 130/parenright 141/circumflex 142/tilde
143/perthousand 144/dagger 145/daggerdbl 146/Ydieresis 147/scaron 148/Scaron
149/oe 150/OE 151/guilsinglleft 152/guilsinglright 153/quotesinglbase
154/quotedblbase 155/quotedblleft 156/quotedblright 157/endash 158/emdash
159/trademark]
% Spread the pairs onto the stack, then loop once per pair: the loop index is
% discarded and the topmost (code, name) pair is stored into the encoding.
aload length 2 idiv 1 1 3 -1 roll{pop ISOLatin1Encoding 3 1 roll put}for
% Fallback for interpreters that have no colorimage operator: define one that
% renders through the grayscale image operator instead.
% The substitute discards the top two operands, saves the next one (a data
% procedure) as Pr, and hands image a wrapper that calls Pr, stores the result
% as Cv, and fills a string Gr one third as long with
%   0.299*Cv[3i] + 0.587*Cv[3i+1] + 0.114*Cv[3i+2]   (truncated by cvi).
% NOTE(review): the arithmetic presumes a single data source with interleaved
% three-component samples; nothing here checks the discarded operands.
/colorimage where{pop}{
 /colorimage {
  pop pop /Pr E D {/Cv Pr D /Gr Cv length 3 idiv string D 0 1 Gr length 1 sub
   {Gr E dup /i E 3 mul D Cv i get 0.299 mul Cv i 1 add get 0.587 mul add
    Cv i 2 add get 0.114 mul add cvi put}for Gr} image} D
}ie
% If the interpreter does not define pdfmark, alias it to cleartomark in
% userdict so every "[ ... pdfmark" sequence in this file just discards its
% operands (document info, outline entries, link annotations, destinations).
/pdfmark where{pop}{userdict /pdfmark /cleartomark load put}ie

% MySymbol: a Type 3 font that supplies exactly one glyph, the euro sign.
% Nf selects it for any negative font index other than -1.
/MySymbol 10 dict dup begin
 /FontType 3 D /FontMatrix [.001 0 0 .001 0 0 ] D /FontBBox [25 -10 600 600] D
 % Every code starts as /.notdef; the character code of "e" is then mapped
 % to /euro.
 /Encoding 256 array D 0 1 255{Encoding exch /.notdef put}for
 Encoding (e) 0 get /euro put
 % Horizontal advance width per glyph, in glyph-space units.
 /Metrics 2 dict D Metrics begin
  /.notdef 0 D
  /euro 651 D
 end
 % Bounding box per glyph, passed to setcachedevice by BuildChar.
 /BBox 2 dict D BBox begin
  /.notdef [0 0 0 0] D
  /euro [25 -10 600 600] D
 end
 % Drawing procedure per glyph. The euro sets a clipping outline, then
 % strokes one full circle and two horizontal bars with a line width of 50.
 /CharacterDefs 2 dict D CharacterDefs begin
  /.notdef {} D
  /euro{newpath 114 600 moveto 631 600 lineto 464 200 lineto 573 200 lineto
   573 0 lineto -94 0 lineto 31 300 lineto -10 300 lineto closepath clip
   50 setlinewidth newpath 656 300 moveto 381 300 275 0 360 arc stroke
   -19 350 moveto 600 0 rlineto -19 250 moveto 600 0 rlineto stroke}d
 end
 % BuildChar: fontdict char -> draws the glyph. The leading "0" is a
 % placeholder; the statement after the procedure replaces it with a private
 % 3-entry dictionary that holds char, fontdict and charname.
 /BuildChar{0 begin
  /char E D /fontdict E D /charname fontdict /Encoding get char get D
  fontdict begin
   Metrics charname get 0 BBox charname get aload pop setcachedevice
   CharacterDefs charname get exec
  end
 end}D
 /BuildChar load 0 3 dict put /UniqueID 1 D
end
% Register the font; the font dictionary that definefont returns is not needed.
definefont pop
% Nf: size index -> (none). Selects and scales the current font.
%   index >= 0  : the font name at that position in FL
%   index == -1 : /Symbol
%   otherwise   : /MySymbol (the euro glyph font)
% Example from the page bodies: "11 0 Nf" selects Times-Roman at size 11.
/Nf {dup 0 ge{FL E get}{-1 eq{/Symbol}{/MySymbol}ie}ie findfont
 E scalefont setfont} D
% IP: read hex-encoded data from the program text itself (currentfile) into
% the string picstr and drop the success flag. picstr is not defined in this
% part of the file.
/IP {currentfile picstr readhexstring pop} D
% WF: when true, the setup section re-encodes every font in FL; when false it
% starts at FL index 4.
/WF t D
% F: set to 1 here; not referenced in this part of the file.
/F 1 D
% One-letter aliases used by the page bodies.
% N: showpage (emit the finished page).
/N {showpage} d
% RL: rlineto.
/RL {rlineto} d
% S: show a string at the current point.
/S {show} d
% L: lineto.
/L {lineto} d
% M: moveto.
/M {moveto} d
% A: awidthshow, used for justified lines (extra width added to each space).
/A {awidthshow} d
% RM: rmoveto.
/RM {rmoveto} d
%%EndProlog
%%BeginSetup
%%PaperSize: A4
% Re-encode the text fonts with ISOLatin1Encoding: all of FL when WF is true,
% otherwise only FL entries from index 4 onward. reencodeISO leaves
% "name font" on the stack and D defines that pair.
WF{FL{reencodeISO D}forall}{4 1 FL length 1 sub{FL E get reencodeISO D}for}ie
% Re-register Symbol from a copy of its dictionary (without /FID) whose
% encoding is a fresh array with code 128 mapped to /therefore, then define
% the result under the name Symbol.
/Symbol dup dup findfont dup length dict begin
 {1 index /FID ne{D}{pop pop}ie}forall /Encoding [Encoding aload pop]
 dup 128 /therefore put D currentdict end definefont D
[/Creator (html2ps version 1.0 beta5) /Author () /Keywords (HTTP, authentication) /Subject () /Title (Mutual Authentication Protocol for HTTP) /DOCINFO pdfmark
[/PageMode /UseOutlines /DOCVIEW pdfmark
[/Count 1 /Dest /144 /Title (Mutual Authentication Protocol for HTTP draft-oiwa-http-mutualauth-07) /OUT pdfmark
[/Count 32 /Dest /145 /Title () /OUT pdfmark
[/Dest /145 /Title (Abstract) /OUT pdfmark
[/Dest /146 /Title (Status of this Memo) /OUT pdfmark
[/Dest /147 /Title (Copyright Notice) /OUT pdfmark
[/Dest /148 /Title (Table of Contents) /OUT pdfmark
[/Count -2 /Dest /149 /Title (1. Introduction) /OUT pdfmark
[/Dest /150 /Title (1.1. Terminology) /OUT pdfmark
[/Dest /151 /Title (1.2. Document Structure Overview) /OUT pdfmark
[/Count -3 /Dest /152 /Title (2. Protocol Overview) /OUT pdfmark
[/Dest /153 /Title (2.1. Messages) /OUT pdfmark
[/Dest /154 /Title (2.2. Typical Flows of the protocol) /OUT pdfmark
[/Dest /155 /Title (2.3. Alternative flows) /OUT pdfmark
[/Count -3 /Dest /156 /Title (3. Message Syntax) /OUT pdfmark
[/Dest /157 /Title (3.1. Tokens and Extensive-tokens) /OUT pdfmark
[/Dest /158 /Title (3.2. Numbers) /OUT pdfmark
[/Dest /159 /Title (3.3. Strings) /OUT pdfmark
[/Count -7 /Dest /160 /Title (4. Messages) /OUT pdfmark
[/Dest /161 /Title (4.1. 401-B0) /OUT pdfmark
[/Dest /162 /Title (4.2. 401-B0-stale) /OUT pdfmark
[/Dest /163 /Title (4.3. req-A1) /OUT pdfmark
[/Dest /164 /Title (4.4. 401-B1) /OUT pdfmark
[/Dest /165 /Title (4.5. req-A3) /OUT pdfmark
[/Dest /166 /Title (4.6. 200-B4) /OUT pdfmark
[/Dest /167 /Title (4.7. 200-Optional-B0) /OUT pdfmark
[/Count -1 /Dest /168 /Title (5. Authentication Realms) /OUT pdfmark
[/Dest /169 /Title (5.1. Resolving ambiguities) /OUT pdfmark
[/Dest /170 /Title (6. Session Management) /OUT pdfmark
[/Dest /171 /Title (7. Validation Methods) /OUT pdfmark
[/Dest /172 /Title (8. Decision procedure for the client) /OUT pdfmark
[/Dest /173 /Title (9. Decision procedure for the server) /OUT pdfmark
[/Count -3 /Dest /174 /Title (10. Authentication-Control header) /OUT pdfmark
[/Dest /175 /Title (10.1. Location-when-unauthenticated field) /OUT pdfmark
[/Dest /176 /Title (10.2. Location-when-logout field) /OUT pdfmark
[/Dest /177 /Title (10.3. Logout-timeout) /OUT pdfmark
[/Count -4 /Dest /178 /Title (11. Authentication Algorithms) /OUT pdfmark
[/Dest /179 /Title (11.1. Support functions and notations) /OUT pdfmark
[/Dest /180 /Title (11.2. Common functions for both settings) /OUT pdfmark
[/Dest /181 /Title (11.3. Functions for discrete-logarithm settings) /OUT pdfmark
[/Dest /182 /Title (11.4. Functions for elliptic-curve settings) /OUT pdfmark
[/Dest /183 /Title (12. Methods to extend this protocol) /OUT pdfmark
[/Dest /184 /Title (13. IANA Considerations) /OUT pdfmark
[/Count -4 /Dest /185 /Title (14. Security Considerations) /OUT pdfmark
[/Dest /186 /Title (14.1. Security Properties) /OUT pdfmark
[/Dest /187 /Title (14.2. Denial-of-service attacks to servers) /OUT pdfmark
[/Dest /188 /Title (14.3. Implementation Considerations) /OUT pdfmark
[/Dest /189 /Title (14.4. Usage Considerations) /OUT pdfmark
[/Dest /190 /Title (15. Notice on intellectual properties) /OUT pdfmark
[/Count -2 /Dest /191 /Title (16. References) /OUT pdfmark
[/Dest /192 /Title (16.1. Normative References) /OUT pdfmark
[/Dest /193 /Title (16.2. Informative References) /OUT pdfmark
[/Dest /194 /Title (Appendix A. \(Informative\) Generic syntax of headers) /OUT pdfmark
[/Dest /195 /Title (Appendix B. \(Informative\) Group parameters for discrete-logarithm based algorithms) /OUT pdfmark
[/Dest /196 /Title (Appendix C. \(Informative\) Derived numerical values) /OUT pdfmark
[/Dest /197 /Title (Appendix D. \(Informative\) Draft Remarks from the Authors) /OUT pdfmark
[/Dest /198 /Title (Appendix E. \(Informative\) Draft Change Log) /OUT pdfmark
[/Dest /199 /Title (E.1. Changes in revision 07) /OUT pdfmark
[/Dest /200 /Title (E.2. Changes in revision 06) /OUT pdfmark
[/Dest /201 /Title (E.3. Changes in revision 05) /OUT pdfmark
[/Dest /202 /Title (E.4. Changes in revision 04) /OUT pdfmark
[/Dest /203 /Title (E.5. Changes in revision 03) /OUT pdfmark
[/Dest /204 /Title (E.6. Changes in revision 02) /OUT pdfmark
[/Dest /205 /Title (Authors' Addresses) /OUT pdfmark
%%EndSetup
%%Page: 1 1
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 0 M
[/View [/XYZ -4 842 null] /Dest /0 /DEST pdfmark
0 -0 M
save
2.5 -13.5 M
%%IncludeResource: font Times-Roman
11 0 Nf
(Internet Engineering Task ) S
(Force) S
199 -13.5 M
(Y. ) S
(Oiwa) S
2.5 -32.2 M
(Internet-Draft) S
199 -32.2 M
(H. ) S
(Watanabe) S
2.5 -51 M
(Intended status: Standards ) S
(Track) S
199 -51 M
(H. ) S
(Takagi) S
2.5 -69.8 M
(Expires: February 24, ) S
(2011) S
199 -69.8 M
(RCIS, ) S
(AIST) S
2.5 -88.5 M
(\240) S
199 -88.5 M
(Y. ) S
(Ioku) S
2.5 -107.2 M
(\240) S
199 -107.2 M
(Yahoo! ) S
(Japan) S
2.5 -126 M
(\240) S
199 -126 M
(T. ) S
(Hayashi) S
2.5 -144.8 M
(\240) S
199 -144.8 M
(Lepidum) S
2.5 -163.5 M
(\240) S
199 -163.5 M
(August 23, ) S
(2010) S
0 -168.8 M
restore
227 -183.9 M
[/View [/XYZ -4 842 null] /Dest /144 /DEST pdfmark
54.5 -202.9 M
%%IncludeResource: font Times-Bold
19 2 Nf
(Mutual Authentication Protocol for ) S
(HTTP) S
100.9 -225.8 M
(draft-oiwa-http-mutualauth-07) S
0 -255.8 M
15 2 Nf
(Abstract) S
[/View [/XYZ -4 519.25 null] /Dest /145 /DEST pdfmark
0 -280 M
11 0 Nf
0.901988626 0 32 0 0 (This document specifies a mutual authentication method for Hyper-Text Transport Protocol \(HTTP\).) A
0 -293.2 M
0.837890625 0 32 0 0 (This method provides true mutual authentication between an HTTP client and an HTTP server using) A
0 -306.4 M
3.12734365 0 32 0 0 (password-based authentication. Unlike the Basic and Digest authentication methods, the Mutual) A
0 -319.6 M
0.029947916 0 32 0 0 (authentication method specified in this document assures the user that the server truly knows the user's) A
0 -332.8 M
1.41080725 0 32 0 0 (encrypted password. This prevents common phishing attacks: a phishing attacker controlling a fake) A
0 -346 M
0.0716145858 0 32 0 0 (website cannot convince a user that he authenticated to the genuine website. Furthermore, even when a) A
0 -359.2 M
1.47405136 0 32 0 0 (user authenticates to an illegitimate server, the server cannot gain any information about the user's) A
0 -372.4 M
0.271093756 0 32 0 0 (password. The Mutual authentication method is designed as an extension to the HTTP protocol, and is) A
0 -385.6 M
0.595552862 0 32 0 0 (intended to replace existing authentication methods used in HTTP \(the Basic method, Digest method,) A
0 -398.8 M
(and authentication using HTML forms\). ) S
0 -428.8 M
15 2 Nf
(Status) S
[/View [/XYZ -4 346.249878 null] /Dest /146 /DEST pdfmark
( of this ) S
(Memo) S
0 -453 M
11 0 Nf
(This Internet-Draft is submitted in full conformance with the provisions of BCP\24078 and ) S
(BCP\24079.) S
0 -477.2 M
0.34375 0 32 0 0 (Internet-Drafts are working documents of the Internet Engineering Task Force \(IETF\). Note that other) A
0 -490.4 M
0.389423072 0 32 0 0 (groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is) A
0 -503.6 M
(at ) S
(http://datatracker.ietf.org/drafts/current/.) S
0 -527.8 M
0.275781244 0 32 0 0 (Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced,) A
0 -541 M
1.51927078 0 32 0 0 (or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference) A
0 -554.2 M
(material or to cite them other than as \233work in ) S
(progress.\234) S
0 -578.4 M
(This Internet-Draft will expire on February 24, ) S
(2011.) S
0 -608.4 M
15 2 Nf
(Copyright) S
[/View [/XYZ -4 166.64978 null] /Dest /147 /DEST pdfmark
( ) S
(Notice) S
0 -632.6 M
11 0 Nf
(Copyright \(c\) 2010 IETF Trust and the persons identified as the document authors. All rights ) S
(reserved.) S
0 -632.6 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 1 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 2 2
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
3.1208334 0 32 0 0 (This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF) A
0 -26.4 M
1.34730113 0 32 0 0 (Documents \(http://trustee.ietf.org/license-info\) in effect on the date of publication of this document.) A
0 -39.6 M
0.819475472 0 32 0 0 (Please review these documents carefully, as they describe your rights and restrictions with respect to) A
0 -52.8 M
0.287109375 0 32 0 0 (this document. Code Components extracted from this document must include Simplified BSD License) A
0 -66 M
1.24951172 0 32 0 0 (text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as) A
0 -79.2 M
(described in the Simplified BSD ) S
(License.) S
0 -90.2 M
[/View [/XYZ -4 666.8 null] /Dest /1 /DEST pdfmark
0 -109.2 M
%%IncludeResource: font Times-Bold
15 2 Nf
(Table) S
[/View [/XYZ -4 665.8 null] /Dest /148 /DEST pdfmark
( of ) S
(Contents) S
0 -133.4 M
gsave
newpath
0 -134.5 M
8.25 0 RL
stroke
grestore
11 0 Nf
(1.) S
[/Rect [-1.0 -136.15 9.25 -124.049995] /Subtype /Link /Border [0 0 0] /Dest /2 /ANN pdfmark
(\240 ) S
(Introduction) S
0 -146.6 M
(\240\240\240\240) S
gsave
newpath
11 -147.7 M
16.5 0 RL
stroke
grestore
(1.1.) S
[/Rect [10.0 -149.349991 28.5 -137.249985] /Subtype /Link /Border [0 0 0] /Dest /4 /ANN pdfmark
(\240 ) S
(Terminology) S
0 -159.8 M
(\240\240\240\240) S
gsave
newpath
11 -160.9 M
16.5 0 RL
stroke
grestore
(1.2.) S
[/Rect [10.0 -162.549988 28.5 -150.449982] /Subtype /Link /Border [0 0 0] /Dest /6 /ANN pdfmark
(\240 Document Structure ) S
(Overview) S
0 -173 M
gsave
newpath
0 -174.1 M
8.25 0 RL
stroke
grestore
(2.) S
[/Rect [-1.0 -175.749985 9.25 -163.649979] /Subtype /Link /Border [0 0 0] /Dest /8 /ANN pdfmark
(\240 Protocol ) S
(Overview) S
0 -186.2 M
(\240\240\240\240) S
gsave
newpath
11 -187.3 M
16.5 0 RL
stroke
grestore
(2.1.) S
[/Rect [10.0 -188.949982 28.5 -176.849976] /Subtype /Link /Border [0 0 0] /Dest /10 /ANN pdfmark
(\240 ) S
(Messages) S
0 -199.4 M
(\240\240\240\240) S
gsave
newpath
11 -200.5 M
16.5 0 RL
stroke
grestore
(2.2.) S
[/Rect [10.0 -202.149979 28.5 -190.049973] /Subtype /Link /Border [0 0 0] /Dest /12 /ANN pdfmark
(\240 Typical Flows of the ) S
(protocol) S
0 -212.6 M
(\240\240\240\240) S
gsave
newpath
11 -213.7 M
16.5 0 RL
stroke
grestore
(2.3.) S
[/Rect [10.0 -215.349976 28.5 -203.249969] /Subtype /Link /Border [0 0 0] /Dest /15 /ANN pdfmark
(\240 Alternative ) S
(flows) S
0 -225.8 M
gsave
newpath
0 -226.9 M
8.25 0 RL
stroke
grestore
(3.) S
[/Rect [-1.0 -228.549973 9.25 -216.449966] /Subtype /Link /Border [0 0 0] /Dest /18 /ANN pdfmark
(\240 Message ) S
(Syntax) S
0 -239 M
(\240\240\240\240) S
gsave
newpath
11 -240.1 M
16.5 0 RL
stroke
grestore
(3.1.) S
[/Rect [10.0 -241.749969 28.5 -229.649963] /Subtype /Link /Border [0 0 0] /Dest /21 /ANN pdfmark
(\240 Tokens and ) S
(Extensive-tokens) S
0 -252.2 M
(\240\240\240\240) S
gsave
newpath
11 -253.3 M
16.5 0 RL
stroke
grestore
(3.2.) S
[/Rect [10.0 -254.949966 28.5 -242.84996] /Subtype /Link /Border [0 0 0] /Dest /23 /ANN pdfmark
(\240 ) S
(Numbers) S
0 -265.4 M
(\240\240\240\240) S
gsave
newpath
11 -266.5 M
16.5 0 RL
stroke
grestore
(3.3.) S
[/Rect [10.0 -268.149963 28.5 -256.049957] /Subtype /Link /Border [0 0 0] /Dest /25 /ANN pdfmark
(\240 ) S
(Strings) S
0 -278.6 M
gsave
newpath
0 -279.7 M
8.25 0 RL
stroke
grestore
(4.) S
[/Rect [-1.0 -281.349976 9.25 -269.249969] /Subtype /Link /Border [0 0 0] /Dest /27 /ANN pdfmark
(\240 ) S
(Messages) S
0 -291.8 M
(\240\240\240\240) S
gsave
newpath
11 -292.9 M
16.5 0 RL
stroke
grestore
(4.1.) S
[/Rect [10.0 -294.55 28.5 -282.449982] /Subtype /Link /Border [0 0 0] /Dest /29 /ANN pdfmark
(\240 ) S
(401-B0) S
0 -305 M
(\240\240\240\240) S
gsave
newpath
11 -306.1 M
16.5 0 RL
stroke
grestore
(4.2.) S
[/Rect [10.0 -307.75 28.5 -295.65] /Subtype /Link /Border [0 0 0] /Dest /32 /ANN pdfmark
(\240 ) S
(401-B0-stale) S
0 -318.2 M
(\240\240\240\240) S
gsave
newpath
11 -319.3 M
16.5 0 RL
stroke
grestore
(4.3.) S
[/Rect [10.0 -320.95 28.5 -308.85] /Subtype /Link /Border [0 0 0] /Dest /34 /ANN pdfmark
(\240 ) S
(req-A1) S
0 -331.4 M
(\240\240\240\240) S
gsave
newpath
11 -332.5 M
16.5 0 RL
stroke
grestore
(4.4.) S
[/Rect [10.0 -334.150024 28.5 -322.050018] /Subtype /Link /Border [0 0 0] /Dest /37 /ANN pdfmark
(\240 ) S
(401-B1) S
0 -344.6 M
(\240\240\240\240) S
gsave
newpath
11 -345.7 M
16.5 0 RL
stroke
grestore
(4.5.) S
[/Rect [10.0 -347.350037 28.5 -335.250031] /Subtype /Link /Border [0 0 0] /Dest /40 /ANN pdfmark
(\240 ) S
(req-A3) S
0 -357.8 M
(\240\240\240\240) S
gsave
newpath
11 -358.9 M
16.5 0 RL
stroke
grestore
(4.6.) S
[/Rect [10.0 -360.550049 28.5 -348.450043] /Subtype /Link /Border [0 0 0] /Dest /43 /ANN pdfmark
(\240 ) S
(200-B4) S
0 -371 M
(\240\240\240\240) S
gsave
newpath
11 -372.1 M
16.5 0 RL
stroke
grestore
(4.7.) S
[/Rect [10.0 -373.750061 28.5 -361.650055] /Subtype /Link /Border [0 0 0] /Dest /46 /ANN pdfmark
(\240 ) S
(200-Optional-B0) S
0 -384.2 M
gsave
newpath
0 -385.3 M
8.25 0 RL
stroke
grestore
(5.) S
[/Rect [-1.0 -386.950073 9.25 -374.850067] /Subtype /Link /Border [0 0 0] /Dest /49 /ANN pdfmark
(\240 Authentication ) S
(Realms) S
0 -397.4 M
(\240\240\240\240) S
gsave
newpath
11 -398.5 M
16.5 0 RL
stroke
grestore
(5.1.) S
[/Rect [10.0 -400.150085 28.5 -388.050079] /Subtype /Link /Border [0 0 0] /Dest /51 /ANN pdfmark
(\240 Resolving ) S
(ambiguities) S
0 -410.6 M
gsave
newpath
0 -411.7 M
8.25 0 RL
stroke
grestore
(6.) S
[/Rect [-1.0 -413.350098 9.25 -401.250092] /Subtype /Link /Border [0 0 0] /Dest /53 /ANN pdfmark
(\240 Session ) S
(Management) S
0 -423.8 M
gsave
newpath
0 -424.9 M
8.25 0 RL
stroke
grestore
(7.) S
[/Rect [-1.0 -426.55011 9.25 -414.450104] /Subtype /Link /Border [0 0 0] /Dest /55 /ANN pdfmark
(\240 Validation ) S
(Methods) S
0 -437 M
gsave
newpath
0 -438.1 M
8.25 0 RL
stroke
grestore
(8.) S
[/Rect [-1.0 -439.750122 9.25 -427.650116] /Subtype /Link /Border [0 0 0] /Dest /57 /ANN pdfmark
(\240 Decision procedure for the ) S
(client) S
0 -450.2 M
gsave
newpath
0 -451.3 M
8.25 0 RL
stroke
grestore
(9.) S
[/Rect [-1.0 -452.950134 9.25 -440.850128] /Subtype /Link /Border [0 0 0] /Dest /60 /ANN pdfmark
(\240 Decision procedure for the ) S
(server) S
0 -463.4 M
gsave
newpath
0 -464.5 M
13.75 0 RL
stroke
grestore
(10.) S
[/Rect [-1.0 -466.150146 14.75 -454.05014] /Subtype /Link /Border [0 0 0] /Dest /62 /ANN pdfmark
(\240 Authentication-Control ) S
(header) S
0 -476.6 M
(\240\240\240\240) S
gsave
newpath
11 -477.7 M
22.0 0 RL
stroke
grestore
(10.1.) S
[/Rect [10.0 -479.350159 34.0 -467.250153] /Subtype /Link /Border [0 0 0] /Dest /65 /ANN pdfmark
(\240 Location-when-unauthenticated ) S
(field) S
0 -489.8 M
(\240\240\240\240) S
gsave
newpath
11 -490.9 M
22.0 0 RL
stroke
grestore
(10.2.) S
[/Rect [10.0 -492.550171 34.0 -480.450165] /Subtype /Link /Border [0 0 0] /Dest /67 /ANN pdfmark
(\240 Location-when-logout ) S
(field) S
0 -503 M
(\240\240\240\240) S
gsave
newpath
11 -504.1 M
22.0 0 RL
stroke
grestore
(10.3.) S
[/Rect [10.0 -505.750183 34.0 -493.650177] /Subtype /Link /Border [0 0 0] /Dest /69 /ANN pdfmark
(\240 ) S
(Logout-timeout) S
0 -516.2 M
gsave
newpath
0 -517.3 M
13.75 0 RL
stroke
grestore
(11.) S
[/Rect [-1.0 -518.950195 14.75 -506.850189] /Subtype /Link /Border [0 0 0] /Dest /71 /ANN pdfmark
(\240 Authentication ) S
(Algorithms) S
0 -529.4 M
(\240\240\240\240) S
gsave
newpath
11 -530.5 M
22.0 0 RL
stroke
grestore
(11.1.) S
[/Rect [10.0 -532.150208 34.0 -520.050232] /Subtype /Link /Border [0 0 0] /Dest /73 /ANN pdfmark
(\240 Support functions and ) S
(notations) S
0 -542.6 M
(\240\240\240\240) S
gsave
newpath
11 -543.7 M
22.0 0 RL
stroke
grestore
(11.2.) S
[/Rect [10.0 -545.35022 34.0 -533.250244] /Subtype /Link /Border [0 0 0] /Dest /75 /ANN pdfmark
(\240 Common functions for both ) S
(settings) S
0 -555.8 M
(\240\240\240\240) S
gsave
newpath
11 -556.9 M
22.0 0 RL
stroke
grestore
(11.3.) S
[/Rect [10.0 -558.550232 34.0 -546.450256] /Subtype /Link /Border [0 0 0] /Dest /77 /ANN pdfmark
(\240 Functions for discrete-logarithm ) S
(settings) S
0 -569 M
(\240\240\240\240) S
gsave
newpath
11 -570.1 M
22.0 0 RL
stroke
grestore
(11.4.) S
[/Rect [10.0 -571.750244 34.0 -559.650269] /Subtype /Link /Border [0 0 0] /Dest /79 /ANN pdfmark
(\240 Functions for elliptic-curve ) S
(settings) S
0 -582.2 M
gsave
newpath
0 -583.3 M
13.75 0 RL
stroke
grestore
(12.) S
[/Rect [-1.0 -584.950256 14.75 -572.850281] /Subtype /Link /Border [0 0 0] /Dest /81 /ANN pdfmark
(\240 Methods to extend this ) S
(protocol) S
0 -595.4 M
gsave
newpath
0 -596.5 M
13.75 0 RL
stroke
grestore
(13.) S
[/Rect [-1.0 -598.150269 14.75 -586.050293] /Subtype /Link /Border [0 0 0] /Dest /83 /ANN pdfmark
(\240 IANA ) S
(Considerations) S
0 -608.6 M
gsave
newpath
0 -609.7 M
13.75 0 RL
stroke
grestore
(14.) S
[/Rect [-1.0 -611.350281 14.75 -599.250305] /Subtype /Link /Border [0 0 0] /Dest /85 /ANN pdfmark
(\240 Security ) S
(Considerations) S
0 -621.8 M
(\240\240\240\240) S
gsave
newpath
11 -622.9 M
22.0 0 RL
stroke
grestore
(14.1.) S
[/Rect [10.0 -624.550293 34.0 -612.450317] /Subtype /Link /Border [0 0 0] /Dest /87 /ANN pdfmark
(\240 Security ) S
(Properties) S
0 -635 M
(\240\240\240\240) S
gsave
newpath
11 -636.1 M
22.0 0 RL
stroke
grestore
(14.2.) S
[/Rect [10.0 -637.750305 34.0 -625.65033] /Subtype /Link /Border [0 0 0] /Dest /89 /ANN pdfmark
(\240 Denial-of-service attacks to ) S
(servers) S
0 -648.2 M
(\240\240\240\240) S
gsave
newpath
11 -649.3 M
22.0 0 RL
stroke
grestore
(14.3.) S
[/Rect [10.0 -650.950317 34.0 -638.850342] /Subtype /Link /Border [0 0 0] /Dest /91 /ANN pdfmark
(\240 Implementation ) S
(Considerations) S
0 -661.4 M
(\240\240\240\240) S
gsave
newpath
11 -662.5 M
22.0 0 RL
stroke
grestore
(14.4.) S
[/Rect [10.0 -664.15033 34.0 -652.050354] /Subtype /Link /Border [0 0 0] /Dest /93 /ANN pdfmark
(\240 Usage ) S
(Considerations) S
0 -661.4 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 2 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 3 3
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
gsave
newpath
0 -14.3 M
13.75 0 RL
stroke
grestore
%%IncludeResource: font Times-Roman
11 0 Nf
(15.) S
[/Rect [-1.0 -15.9500008 14.75 -3.85000038] /Subtype /Link /Border [0 0 0] /Dest /95 /ANN pdfmark
(\240 Notice on intellectual ) S
(properties) S
0 -26.4 M
gsave
newpath
0 -27.5 M
13.75 0 RL
stroke
grestore
11 0 Nf
(16.) S
[/Rect [-1.0 -29.1500015 14.75 -17.0500011] /Subtype /Link /Border [0 0 0] /Dest /99 /ANN pdfmark
(\240 ) S
(References) S
0 -39.6 M
(\240\240\240\240) S
gsave
newpath
11 -40.7 M
22.0 0 RL
stroke
grestore
(16.1.) S
[/Rect [10.0 -42.3500023 34.0 -30.2500019] /Subtype /Link /Border [0 0 0] /Dest /99 /ANN pdfmark
(\240 Normative ) S
(References) S
0 -52.8 M
(\240\240\240\240) S
gsave
newpath
11 -53.9 M
22.0 0 RL
stroke
grestore
(16.2.) S
[/Rect [10.0 -55.5500031 34.0 -43.4500046] /Subtype /Link /Border [0 0 0] /Dest /109 /ANN pdfmark
(\240 Informative ) S
(References) S
0 -66 M
gsave
newpath
0 -67.1 M
56.8203125 0 RL
stroke
grestore
(Appendix\240A.) S
[/Rect [-1.0 -68.75 57.8203125 -56.65] /Subtype /Link /Border [0 0 0] /Dest /120 /ANN pdfmark
(\240 \(Informative\) Generic syntax of ) S
(headers) S
0 -79.2 M
gsave
newpath
0 -80.3 M
56.2148438 0 RL
stroke
grestore
(Appendix\240B.) S
[/Rect [-1.0 -81.95 57.2148438 -69.85] /Subtype /Link /Border [0 0 0] /Dest /123 /ANN pdfmark
(\240 \(Informative\) Group parameters for discrete-logarithm based ) S
(algorithms) S
0 -92.4 M
gsave
newpath
0 -93.5 M
56.2148438 0 RL
stroke
grestore
(Appendix\240C.) S
[/Rect [-1.0 -95.1499939 57.2148438 -83.0499954] /Subtype /Link /Border [0 0 0] /Dest /125 /ANN pdfmark
(\240 \(Informative\) Derived numerical ) S
(values) S
0 -105.6 M
gsave
newpath
0 -106.7 M
56.8203125 0 RL
stroke
grestore
(Appendix\240D.) S
[/Rect [-1.0 -108.349991 57.8203125 -96.2499924] /Subtype /Link /Border [0 0 0] /Dest /127 /ANN pdfmark
(\240 \(Informative\) Draft Remarks from the ) S
(Authors) S
0 -118.8 M
gsave
newpath
0 -119.9 M
55.5976562 0 RL
stroke
grestore
(Appendix\240E.) S
[/Rect [-1.0 -121.549988 56.5976562 -109.449989] /Subtype /Link /Border [0 0 0] /Dest /129 /ANN pdfmark
(\240 \(Informative\) Draft Change ) S
(Log) S
0 -132 M
(\240\240\240\240) S
gsave
newpath
11 -133.1 M
17.71875 0 RL
stroke
grestore
(E.1.) S
[/Rect [10.0 -134.749985 29.71875 -122.649986] /Subtype /Link /Border [0 0 0] /Dest /131 /ANN pdfmark
(\240 Changes in revision ) S
(07) S
0 -145.2 M
(\240\240\240\240) S
gsave
newpath
11 -146.3 M
17.71875 0 RL
stroke
grestore
(E.2.) S
[/Rect [10.0 -147.949982 29.71875 -135.849976] /Subtype /Link /Border [0 0 0] /Dest /133 /ANN pdfmark
(\240 Changes in revision ) S
(06) S
0 -158.4 M
(\240\240\240\240) S
gsave
newpath
11 -159.5 M
17.71875 0 RL
stroke
grestore
(E.3.) S
[/Rect [10.0 -161.149979 29.71875 -149.049973] /Subtype /Link /Border [0 0 0] /Dest /135 /ANN pdfmark
(\240 Changes in revision ) S
(05) S
0 -171.6 M
(\240\240\240\240) S
gsave
newpath
11 -172.7 M
17.71875 0 RL
stroke
grestore
(E.4.) S
[/Rect [10.0 -174.349976 29.71875 -162.249969] /Subtype /Link /Border [0 0 0] /Dest /137 /ANN pdfmark
(\240 Changes in revision ) S
(04) S
0 -184.8 M
(\240\240\240\240) S
gsave
newpath
11 -185.9 M
17.71875 0 RL
stroke
grestore
(E.5.) S
[/Rect [10.0 -187.549973 29.71875 -175.449966] /Subtype /Link /Border [0 0 0] /Dest /139 /ANN pdfmark
(\240 Changes in revision ) S
(03) S
0 -198 M
(\240\240\240\240) S
gsave
newpath
11 -199.1 M
17.71875 0 RL
stroke
grestore
(E.6.) S
[/Rect [10.0 -200.749969 29.71875 -188.649963] /Subtype /Link /Border [0 0 0] /Dest /141 /ANN pdfmark
(\240 Changes in revision ) S
(02) S
0 -211.2 M
gsave
newpath
0 -212.3 M
5.5 0 RL
stroke
grestore
(\247) S
[/Rect [-1.0 -213.949966 6.5 -201.84996] /Subtype /Link /Border [0 0 0] /Dest /143 /ANN pdfmark
(\240 Authors' ) S
(Addresses) S
0 -222.2 M
[/View [/XYZ -4 534.800049 null] /Dest /2 /DEST pdfmark
0 -222.2 M
[/View [/XYZ -4 534.800049 null] /Dest /3 /DEST pdfmark
0 -241.2 M
%%IncludeResource: font Times-Bold
15 2 Nf
(1.) S
[/View [/XYZ -4 533.800049 null] /Dest /149 /DEST pdfmark
( ) S
(Introduction) S
0 -265.4 M
11 0 Nf
0.901988626 0 32 0 0 (This document specifies a mutual authentication method for Hyper-Text Transport Protocol \(HTTP\).) A
0 -278.6 M
2.16308594 0 32 0 0 (The method, called as "Mutual Authentication Protocol" in this document, provides true) A
0 -291.8 M
0.332519531 0 32 0 0 (mutual authentication between an HTTP client and an HTTP server, using just a simple password as a) A
0 -305 M
(credential. ) S
0 -329.2 M
1.36230469 0 32 0 0 (Currently available methods for authentication in HTTP and Web system have several deficiencies. ) A
0 -342.4 M
gsave
newpath
0 -343.5 M
100.910156 0 RL
stroke
grestore
4.3359375 0 32 0 0 (Basic authentication ) A
gsave
newpath
100.9 -343.5 M
32.9921875 0 RL
stroke
grestore
4.3359375 0 32 0 0 (method) A
[/Rect [-1.0 -345.150024 134.902344 -333.050018] /Subtype /Link /Border [0 0 0] /Dest /114 /ANN pdfmark
4.3359375 0 32 0 0 ( [RFC2617] sends a plaintext password to a server without any) A
0 -355.6 M
1.08170569 0 32 0 0 (protections; Digest method uses a hash function which suffers from simple dictionary-based off-line) A
0 -368.8 M
(attacks, and people begin to think it obsolete. ) S
0 -393 M
0.236653641 0 32 0 0 (The authentication method proposed in this document solves these problems, substitutes these existing) A
0 -406.2 M
0.415364593 0 32 0 0 (methods and serves as a long-term solution of Web authentications security. It has the following main) A
0 -419.4 M
(characteristics: ) S
11 -440 M
gsave
0 setgray
newpath
11.0 -439.970093 2.75 0 360 arc
closepath
fill
grestore
22 -443.6 M
1.30494797 0 32 0 0 (It provides "true" mutual authentication: as well as assuring the server that the user knows the) A
22 -456.8 M
0.257324219 0 32 0 0 (password, it also assures the user that the server truly knows the user's encrypted password at the) A
22 -470 M
0.13229166 0 32 0 0 (same time. It makes impossible for fake website owners to persuade users that he authenticated to) A
22 -483.2 M
(the original websites. ) S
11 -493.8 M
gsave
0 setgray
newpath
11.0 -493.770142 2.75 0 360 arc
closepath
fill
grestore
22 -497.4 M
1.28004813 0 32 0 0 (It uses only a password as a user's credential: unlike public-key-based security algorithms, the) A
22 -510.6 M
1.00073242 0 32 0 0 (method does not rely on secret keys or other cryptographic data which have to be stored inside) A
22 -523.8 M
2.86886168 0 32 0 0 (users' computers. The method can be used almost as a drop-in replacement to the current) A
22 -537 M
(authentication methods like Basic or Digest, while ensuring much stronger security. ) S
11 -547.6 M
gsave
0 setgray
newpath
11.0 -547.57019 2.75 0 360 arc
closepath
fill
grestore
22 -551.2 M
0.835707724 0 32 0 0 (It is secure: when the server fails to authenticate the user, the protocol will not reveal any bit of) A
22 -564.4 M
(user's ) S
(password.) S
0 -588.6 M
0.661197901 0 32 0 0 (By using the proposed method, users can discriminate between true and fake Web servers using their) A
0 -601.8 M
1.3927083 0 32 0 0 (own passwords. Even when a user inputs his/her password to a fake website owned by illegitimate) A
0 -615 M
0.883091509 0 32 0 0 (phishers, the user will certainly notice that the authentication has failed. Phishers cannot make such) A
0 -628.2 M
0.380208343 0 32 0 0 (authentication attempt succeed, even if they forward received data from a user to the legitimate server) A
0 -641.4 M
2.5871582 0 32 0 0 (or vice versa. Users can input sensitive data to the web forms after confirming that the mutual) A
0 -654.6 M
(authentication has succeeded, without fear of phishing attacks. ) S
0 -654.6 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 3 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 4 4
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.97200525 0 32 0 0 (The document also proposes several extensions to the current HTTP authentication framework, to) A
0 -26.4 M
0.676106751 0 32 0 0 (replace current widely-used form-based Web authentication. Nowadays, majority of the Web sites on) A
0 -39.6 M
0.0681818202 0 32 0 0 (the Internet use custom application-layer authentication implementations using Web forms. Reasons of) A
0 -52.8 M
4.63476562 0 32 0 0 (these may vary, but many people consider that the current HTTP Basic \(and Digest, too\)) A
0 -66 M
1.262429 0 32 0 0 (authentication method does not have functionality \(including a good-feeling user interfaces\) enough) A
0 -79.2 M
1.02962244 0 32 0 0 (for supporting realistic Web-based applications. However, the method is very weak against phishing) A
0 -92.4 M
2.10630584 0 32 0 0 (attacks, because the whole behavior of the authentication is controlled from the servers' side. To) A
0 -105.6 M
1.48347354 0 32 0 0 (overcome this problem, we need to "modernize" the HTTP authentication framework so that better) A
0 -118.8 M
0.52734375 0 32 0 0 (client-controlled secure methods can be used well with Web applications. The extensions proposed in) A
0 -132 M
(this document include: ) S
11 -152.6 M
gsave
0 setgray
newpath
11.0 -152.569992 2.75 0 360 arc
closepath
fill
grestore
22 -156.2 M
(multi-host single authentication within an Internet domain ) S
(\() S
gsave
newpath
284.4 -157.3 M
41.2382812 0 RL
stroke
grestore
(Section\2405) S
[/Rect [283.371094 -158.949982 326.609375 -146.849976] /Subtype /Link /Border [0 0 0] /Dest /49 /ANN pdfmark
(\), ) S
11 -166.8 M
gsave
0 setgray
newpath
11.0 -166.769989 2.75 0 360 arc
closepath
fill
grestore
22 -170.4 M
(non-mandatory, optional authentication on HTTP ) S
(\() S
gsave
newpath
246.2 -171.5 M
49.4882812 0 RL
stroke
grestore
(Section\2404.7) S
[/Rect [245.199219 -173.149979 296.6875 -161.049973] /Subtype /Link /Border [0 0 0] /Dest /46 /ANN pdfmark
(\), ) S
11 -181 M
gsave
0 setgray
newpath
11.0 -180.969986 2.75 0 360 arc
closepath
fill
grestore
22 -184.6 M
(log out from both server and client side ) S
(\() S
gsave
newpath
201.6 -185.7 M
46.7382812 0 RL
stroke
grestore
(Section\24010) S
[/Rect [200.589844 -187.349976 249.328125 -175.249969] /Subtype /Link /Border [0 0 0] /Dest /62 /ANN pdfmark
(\), and ) S
11 -195.2 M
gsave
0 setgray
newpath
11.0 -195.169983 2.75 0 360 arc
closepath
fill
grestore
22 -198.8 M
(finer control for redirection depending on authentication status ) S
(\() S
gsave
newpath
304.2 -199.9 M
46.7382812 0 RL
stroke
grestore
(Section\24010) S
[/Rect [303.195312 -201.549973 351.933594 -189.449966] /Subtype /Link /Border [0 0 0] /Dest /62 /ANN pdfmark
(\).) S
0 -209.8 M
[/View [/XYZ -4 547.2 null] /Dest /4 /DEST pdfmark
0 -209.8 M
[/View [/XYZ -4 547.2 null] /Dest /5 /DEST pdfmark
0 -225.4 M
%%IncludeResource: font Times-Bold
13 2 Nf
(1.1.) S
[/View [/XYZ -4 547.2 null] /Dest /150 /DEST pdfmark
( ) S
(Terminology) S
0 -249.6 M
11 0 Nf
2.37011719 0 32 0 0 (The key words "MUST", "MUST\240NOT", "REQUIRED", "SHALL", "SHALL\240NOT", "SHOULD",) A
0 -262.8 M
2.95781255 0 32 0 0 ("SHOULD\240NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be) A
0 -276 M
(interpreted as described in ) S
gsave
newpath
118.5 -277.1 M
50.1054688 0 RL
stroke
grestore
([RFC2119]) S
[/Rect [117.488281 -278.75 169.59375 -266.65] /Subtype /Link /Border [0 0 0] /Dest /102 /ANN pdfmark
(.) S
0 -300.2 M
0.314127594 0 32 0 0 (Terms "encouraged" and "advised" are used for suggestions which do not constitute "SHOULD"-level) A
0 -313.4 M
0.126201928 0 32 0 0 (requirements. People MAY freely choose not to include the suggested items regarding ) A
gsave
newpath
384.2 -314.5 M
50.1054688 0 RL
stroke
grestore
0.126201928 0 32 0 0 ([RFC2119]) A
[/Rect [383.199219 -316.150024 435.304688 -304.050018] /Subtype /Link /Border [0 0 0] /Dest /102 /ANN pdfmark
0.126201928 0 32 0 0 (, but) A
0 -326.6 M
0.599051356 0 32 0 0 (following the suggestion will be a best practice; it will improve security, interoperability or operation ) A
0 -339.8 M
(performance.) S
0 -364 M
0.310302734 0 32 0 0 (This document distinguishes the terms "client" and "user" in the following way: A "client" is an entity) A
0 -377.2 M
3.509588 0 32 0 0 (understanding and talking HTTP and the specified authentication protocol, usually a computer) A
0 -390.4 M
1.57006836 0 32 0 0 (software; on the contrary, a "user" is a \(usually natural\) person who wants to access data resources) A
0 -403.6 M
(using "a ) S
(client".) S
0 -427.8 M
(The term "natural numbers" means non-negative integers \(including zero\) throughout this ) S
(document.) S
0 -438.8 M
[/View [/XYZ -4 318.19989 null] /Dest /6 /DEST pdfmark
0 -438.8 M
[/View [/XYZ -4 318.19989 null] /Dest /7 /DEST pdfmark
0 -454.4 M
13 2 Nf
(1.2.) S
[/View [/XYZ -4 318.19989 null] /Dest /151 /DEST pdfmark
( Document Structure ) S
(Overview) S
0 -478.6 M
11 0 Nf
(The whole document is organized as follows: ) S
11 -499.2 M
gsave
0 setgray
newpath
11.0 -499.170135 2.75 0 360 arc
closepath
fill
grestore
22 -502.8 M
gsave
newpath
22 -503.9 M
41.2382812 0 RL
stroke
grestore
(Section\2402) S
[/Rect [21.0 -505.55014 64.2382812 -493.450134] /Subtype /Link /Border [0 0 0] /Dest /8 /ANN pdfmark
( gives an overview presentation of the protocol design. ) S
11 -513.4 M
gsave
0 setgray
newpath
11.0 -513.370117 2.75 0 360 arc
closepath
fill
grestore
22 -517 M
0.457291663 0 32 0 0 (The Sections from ) A
gsave
newpath
107.4 -518.1 M
5.5 0 RL
stroke
grestore
0.457291663 0 32 0 0 (3) A
[/Rect [106.363281 -519.750122 113.863281 -507.650116] /Subtype /Link /Border [0 0 0] /Dest /18 /ANN pdfmark
0.457291663 0 32 0 0 ( to ) A
gsave
newpath
127.8 -518.1 M
5.5 0 RL
stroke
grestore
0.457291663 0 32 0 0 (9) A
[/Rect [126.832031 -519.750122 134.332031 -507.650116] /Subtype /Link /Border [0 0 0] /Dest /60 /ANN pdfmark
0.457291663 0 32 0 0 ( define a general framework of the Mutual authentication protocol. This) A
22 -530.2 M
(framework is independent from specific cryptographic primitives. ) S
11 -540.8 M
gsave
0 setgray
newpath
11.0 -540.770142 2.75 0 360 arc
closepath
fill
grestore
22 -544.4 M
gsave
newpath
22 -545.5 M
46.7382812 0 RL
stroke
grestore
2.371804 0 32 0 0 (Section\24010) A
[/Rect [21.0 -547.150146 69.7382812 -535.050171] /Subtype /Link /Border [0 0 0] /Dest /62 /ANN pdfmark
2.371804 0 32 0 0 ( defines an optional extension to the generic HTTP authentication framework,) A
22 -557.6 M
(which is useful mostly to control the Web browser behavior of the authentication. ) S
11 -568.2 M
gsave
0 setgray
newpath
11.0 -568.170166 2.75 0 360 arc
closepath
fill
grestore
22 -571.8 M
gsave
newpath
22 -572.9 M
46.7382812 0 RL
stroke
grestore
1.66536462 0 32 0 0 (Section\24011) A
[/Rect [21.0 -574.550171 69.7382812 -562.450195] /Subtype /Link /Border [0 0 0] /Dest /71 /ANN pdfmark
1.66536462 0 32 0 0 ( defines a few specific cryptographic algorithms to be used with this authentication) A
22 -585 M
(framework. ) S
11 -595.6 M
gsave
0 setgray
newpath
11.0 -595.57019 2.75 0 360 arc
closepath
fill
grestore
22 -599.2 M
(The sections after that contain general normative and informative information about the protocol. ) S
11 -609.8 M
gsave
0 setgray
newpath
11.0 -609.770203 2.75 0 360 arc
closepath
fill
grestore
22 -613.4 M
(Appendices contain some information which may help developers to implement the ) S
(protocol.) S
0 -624.4 M
[/View [/XYZ -4 132.599792 null] /Dest /8 /DEST pdfmark
0 -624.4 M
[/View [/XYZ -4 132.599792 null] /Dest /9 /DEST pdfmark
0 -625.4 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 4 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 5 5
%%PageResources: font Times-Roman Times-Bold Courier Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -18 M
%%IncludeResource: font Times-Bold
15 2 Nf
(2.) S
[/View [/XYZ -4 757.0 null] /Dest /152 /DEST pdfmark
( Protocol ) S
(Overview) S
0 -42.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.526884198 0 32 0 0 (The protocol, as a whole, is designed as a natural extension to the ) A
gsave
newpath
297.9 -43.3 M
30.7690716 0 RL
stroke
grestore
0.526884198 0 32 0 0 (HTTP ) A
gsave
newpath
328.6 -43.3 M
36.6523438 0 RL
stroke
grestore
0.526884198 0 32 0 0 (protocol) A
[/Rect [296.882812 -44.95 366.300781 -32.85] /Subtype /Link /Border [0 0 0] /Dest /113 /ANN pdfmark
0.526884198 0 32 0 0 ( [RFC2616] using a) A
0 -55.4 M
4.68870211 0 32 0 0 (framework defined in ) A
gsave
newpath
112.1 -56.5 M
50.1054688 0 RL
stroke
grestore
4.68870211 0 32 0 0 ([RFC2617]) A
[/Rect [111.089844 -58.15 163.195312 -46.0500031] /Subtype /Link /Border [0 0 0] /Dest /114 /ANN pdfmark
4.68870211 0 32 0 0 (. Internally, the server and the client will first perform a) A
0 -68.6 M
4.60847378 0 32 0 0 (cryptographic key exchange, using the secret password as a "tweak" to the exchange. The) A
0 -81.8 M
2.02864575 0 32 0 0 (key-exchange will only succeed when the secrets used by both peers are correctly related \(i.e.) A
0 -95 M
2.43303561 0 32 0 0 (generated from the same password\). Then both peers will verify the authentication results by) A
0 -108.2 M
0.524902344 0 32 0 0 (checking the sharing of the exchanged key. This section describes the brief image of the protocol and) A
0 -121.4 M
(the exchanged messages. ) S
0 -132.4 M
[/View [/XYZ -4 624.6 null] /Dest /10 /DEST pdfmark
0 -132.4 M
[/View [/XYZ -4 624.6 null] /Dest /11 /DEST pdfmark
0 -148 M
13 2 Nf
(2.1.) S
[/View [/XYZ -4 624.6 null] /Dest /153 /DEST pdfmark
( ) S
(Messages) S
0 -172.2 M
11 0 Nf
1.71647131 0 32 0 0 (The authentication protocol uses seven kinds of messages to perform mutual authentication. These) A
0 -185.4 M
(messages have specific names within this specification. ) S
11 -206 M
gsave
0 setgray
newpath
11.0 -205.97 2.75 0 360 arc
closepath
fill
grestore
22 -209.6 M
4.54166651 0 32 0 0 (Authentication request messages: used by the servers to request clients to start mutual) A
22 -222.8 M
(authentication. ) S
33 -233.4 M
gsave
0 setgray
newpath
33.0 -233.37 2.75 0 360 arc
closepath
stroke
grestore
44 -237 M
1.73325896 0 32 0 0 (401-B0 message: a general message to start the authentication protocol. It is also used as a) A
44 -250.2 M
(message indicating an authentication failure. ) S
33 -260.8 M
gsave
0 setgray
newpath
33.0 -260.77 2.75 0 360 arc
closepath
stroke
grestore
44 -264.4 M
0.814985812 0 32 0 0 (200-Optional-B0 message: a variant of 401-B0 message indicating that an authentication is) A
44 -277.6 M
(not mandatory. ) S
33 -288.2 M
gsave
0 setgray
newpath
33.0 -288.17 2.75 0 360 arc
closepath
stroke
grestore
44 -291.8 M
(401-B0-stale message: a message indicating that it has to start a new authentication ) S
(trial.) S
11 -302.4 M
gsave
0 setgray
newpath
11.0 -302.370026 2.75 0 360 arc
closepath
fill
grestore
22 -306 M
0.31640625 0 32 0 0 (Authenticated key exchange messages: used by both peers to perform authentication and share a) A
22 -319.2 M
(cryptographic secret. ) S
33 -329.8 M
gsave
0 setgray
newpath
33.0 -329.77005 2.75 0 360 arc
closepath
stroke
grestore
44 -333.4 M
(req-A1 message: a message sent from the client. ) S
33 -344 M
gsave
0 setgray
newpath
33.0 -343.970062 2.75 0 360 arc
closepath
stroke
grestore
44 -347.6 M
(401-B1 message: a message sent from the server as a response to req-A1 ) S
(message.) S
11 -358.2 M
gsave
0 setgray
newpath
11.0 -358.170074 2.75 0 360 arc
closepath
fill
grestore
22 -361.8 M
(Authentication verification messages: used by both peers to verify authentication results. ) S
33 -372.4 M
gsave
0 setgray
newpath
33.0 -372.370087 2.75 0 360 arc
closepath
stroke
grestore
44 -376 M
0.998197138 0 32 0 0 (req-A3 message: a message used by the client, requesting that the server authenticates and) A
44 -389.2 M
(authorizes the client. ) S
33 -399.8 M
gsave
0 setgray
newpath
33.0 -399.770111 2.75 0 360 arc
closepath
stroke
grestore
44 -403.4 M
1.03515625 0 32 0 0 (200-B4 message: a successful response used by the server, also asserting that the server is) A
44 -416.6 M
(authentic to the client at the same ) S
(time.) S
0 -440.8 M
3.00610352 0 32 0 0 (In addition to above, either a request or a response without any HTTP headers related to this) A
0 -454 M
(specification will be hereafter called a "normal request" or a "normal response", respectively. ) S
0 -465 M
[/View [/XYZ -4 291.999847 null] /Dest /12 /DEST pdfmark
0 -465 M
[/View [/XYZ -4 291.999847 null] /Dest /13 /DEST pdfmark
0 -480.6 M
13 2 Nf
(2.2.) S
[/View [/XYZ -4 291.999847 null] /Dest /154 /DEST pdfmark
( Typical Flows of the ) S
(protocol) S
0 -504.8 M
11 0 Nf
0.118336394 0 32 0 0 (In the typical case, a first client access to a resource protected by the Mutual authentication will follow) A
0 -518 M
(the following protocol ) S
(sequence.) S
0 -529 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -540 M
[/View [/XYZ -4 216.999817 null] /Dest /14 /DEST pdfmark
0 -550.8 M
%%IncludeResource: font Courier
9.0 4 Nf
(       Client                                 Server) S
0 -561.6 M
(         |                                      |) S
0 -572.4 M
(         |  ---- \(1\) normal request --------->  |) S
0 -583.2 M
(     GET / HTTP/1.1                             |) S
0 -594 M
(         |                                      |) S
0 -604.8 M
(         |  <------------------ \(2\) 401-B0 ---  |) S
0 -615.6 M
(         |            401 Authentication Required) S
0 -626.4 M
(         |            WWW-Authenticate: Mutual realm="a realm") S
0 -637.2 M
(         |                                      |) S
0 -648 M
([user,   |                                      |) S
0 -658.8 M
( pass]-->|                                      |) S
0 -669.6 M
(         |  ---- \(3\) req-A1 ----------------->  |) S
0 -669.6 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 5 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 6 6
%%PageResources: font Times-Roman Times-Bold Courier Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -10.8 M
%%IncludeResource: font Courier
9.0 4 Nf
(     GET / HTTP/1.1                             |) S
0 -21.6 M
9.0 4 Nf
(     Authorization: Mutual user="john",         |--> [user DB]) S
0 -32.4 M
(                    wa="...", ...               |<-- [user info]) S
0 -43.2 M
(         |                                      |) S
0 -54 M
(         |  <------------------ \(4\) 401-B1 ---  |) S
0 -64.8 M
(         |            401 Authentication Required) S
0 -75.6 M
(         |            WWW-Authenticate: Mutual sid=..., wb="...", ...) S
0 -86.4 M
(         |                                      |) S
0 -97.2 M
(     [compute] \(5\) compute session secret   [compute]) S
0 -108 M
(         |                                      |) S
0 -118.8 M
(         |                                      |) S
0 -129.6 M
(         |  ---- \(6\) req-A3 ----------------->  |) S
0 -140.4 M
(     GET / HTTP/1.1                             |--> [verify \(6\)]) S
0 -151.2 M
(     Authorization: Mutual sid=...,             |<-- OK) S
0 -162 M
(                    oa="...", ...               |) S
0 -172.8 M
(         |                                      |) S
0 -183.6 M
(         |  <------------------ \(7\) 200-B4 ---  |) S
0 -194.4 M
([verify  |            200 OK                    |) S
0 -205.2 M
(  \(7\)]<--|            Authentication-Info: Mutual ob="...") S
0 -216 M
(         |                                      |) S
0 -226.8 M
(         v                                      v) S
114 -249.7 M
%%IncludeResource: font Times-Bold
7.63889 2 Nf
(\240Figure\2401: Typical communication flow on the first access to ) S
(resource\240) S
0 -263.6 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
11 -284.2 M
gsave
0 setgray
newpath
11.0 -284.218689 2.75 0 360 arc
closepath
fill
grestore
22 -287.8 M
%%IncludeResource: font Times-Roman
11 0 Nf
2.0859375 0 32 0 0 (As usual in general HTTP protocol design, a client will first request a resource without any) A
22 -301 M
1.54036462 0 32 0 0 (authentication attempt \(1\). If the requested resource is protected by the Mutual authentication,) A
22 -314.2 M
(the server will respond with a message requesting authentication \(401-B0\) \(2\). ) S
11 -324.8 M
gsave
0 setgray
newpath
11.0 -324.818726 2.75 0 360 arc
closepath
fill
grestore
22 -328.4 M
1.41623259 0 32 0 0 (The client processes the body of the message, and waits for the user to input a user name and a) A
22 -341.6 M
1.76513672 0 32 0 0 (password. If the user name and the password are available, the client will send a message with) A
22 -354.8 M
(authenticated key exchange \(req-A1\) to start authentication \(3\). ) S
11 -365.4 M
gsave
0 setgray
newpath
11.0 -365.418762 2.75 0 360 arc
closepath
fill
grestore
22 -369 M
0.694393396 0 32 0 0 (If the server has received a req-A1 message, the server looks up its user database for the user's) A
22 -382.2 M
1.234375 0 32 0 0 (authentication information. Then the server creates a new session identifier \(sid\) which will be) A
22 -395.4 M
1.95117188 0 32 0 0 (used to identify sets of following messages, and responds back a message with a server-side) A
22 -408.6 M
(authenticated key exchange value \(401-B1\) \(4\). ) S
11 -419.2 M
gsave
0 setgray
newpath
11.0 -419.218811 2.75 0 360 arc
closepath
fill
grestore
22 -422.8 M
0.268798828 0 32 0 0 (At this point \(5\), both peers calculate a shared "session secret" using the exchanged values in key) A
22 -436 M
2.8314302 0 32 0 0 (exchange messages. Only when both the server and the client have used secret credentials) A
22 -449.2 M
0.665178597 0 32 0 0 (generated from the same password, the session secret values will match. This session secret will) A
22 -462.4 M
(be used for the actual access authentication after this point. ) S
11 -473 M
gsave
0 setgray
newpath
11.0 -473.01886 2.75 0 360 arc
closepath
fill
grestore
22 -476.6 M
0.719050467 0 32 0 0 (The client will send a request with a client-side authentication challenge \(req-A3\) \(6\), generated) A
22 -489.8 M
1.06875 0 32 0 0 (from the client-own session secret. The server will check the validity of the challenge using its) A
22 -503 M
(own session secret. ) S
11 -513.6 M
gsave
0 setgray
newpath
11.0 -513.618896 2.75 0 360 arc
closepath
fill
grestore
22 -517.2 M
1.06176758 0 32 0 0 (If the challenge from the client was correct, it means that the client certainly owns a credential) A
22 -530.4 M
0.106370196 0 32 0 0 (based on the expected password \(i.e. the client authentication succeeded.\) The server will respond) A
22 -543.6 M
0.163225442 0 32 0 0 (with a successful message \(200-B4\) \(7\). In contrast to the usual one-way authentication \(e.g.) A
22 -556.8 M
4.11896324 0 32 0 0 (HTTP Basic authentication or POP APOP authentication\), this message also contains a) A
22 -570 M
(server-side authentication challenge. ) S
22 -583.2 M
4.56796885 0 32 0 0 (When the client's challenge was incorrect \(e.g.\240because the user-supplied password was) A
22 -596.4 M
(incorrect\), the server will respond with the 401-B0 message \(used in \(2\)\) instead. ) S
11 -607 M
gsave
0 setgray
newpath
11.0 -607.019 2.75 0 360 arc
closepath
fill
grestore
22 -610.6 M
0.552283645 0 32 0 0 (The client MUST first check validity of the server-side authentication challenge contained in the) A
22 -623.8 M
3.79597354 0 32 0 0 (message \(7\). If the challenge was equal to the expected value, the server authentication) A
22 -637 M
(succeeded. ) S
22 -650.2 M
0.0620404407 0 32 0 0 (If it is not the value expected, or if the message does not contain authentication challenge value, it) A
22 -663.4 M
1.23227167 0 32 0 0 (means that the mutual authentication has been broken for some unexpected reasons. The client) A
22 -663.4 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 6 -) S
0 setgray
44 -8 M
grestore
pgsave restore N
%%Page: 7 7
%%PageResources: font Times-Roman Times-Bold Courier Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
22 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.619140625 0 32 0 0 (MUST\240NOT process any body or header values contained in that message. \(Note: This case should) A
22 -26.4 M
11 0 Nf
(not happen between a correctly-implemented server and a client.\) ) S
0 -37.4 M
[/View [/XYZ -4 719.6 null] /Dest /15 /DEST pdfmark
0 -37.4 M
[/View [/XYZ -4 719.6 null] /Dest /16 /DEST pdfmark
0 -53 M
%%IncludeResource: font Times-Bold
13 2 Nf
(2.3.) S
[/View [/XYZ -4 719.6 null] /Dest /155 /DEST pdfmark
( Alternative ) S
(flows) S
0 -77.2 M
11 0 Nf
0.648737967 0 32 0 0 (As shown above, the typical flow for first authenticated request requires three request-response pairs.) A
0 -90.4 M
1.42427886 0 32 0 0 (To reduce the protocol overhead, the protocol enables several short-cut flows which require fewer ) A
0 -103.6 M
(messages.) S
11 -124.2 M
gsave
0 setgray
newpath
11.0 -124.169991 2.75 0 360 arc
closepath
fill
grestore
22 -127.8 M
1.51855469 0 32 0 0 (\(case A\) If the client knows that the resource is likely to require the authentication, the client) A
22 -141 M
1.86914062 0 32 0 0 (MAY omit first unauthenticated request \(1\) and send req-A1 message immediately. This will) A
22 -154.2 M
(reduce one round-trip of messages. ) S
11 -164.8 M
gsave
0 setgray
newpath
11.0 -164.769989 2.75 0 360 arc
closepath
fill
grestore
22 -168.4 M
0.099724263 0 32 0 0 (\(case B\) If both the client and the server previously shared a session secret associated with a valid) A
22 -181.6 M
1.47070312 0 32 0 0 (session identifier \(sid\), the client MAY directly send a req-A3 message using existing sid and) A
22 -194.8 M
(corresponding session secret. This will further reduce one round-trip of the messages. ) S
22 -208 M
0.252604157 0 32 0 0 (In such cases, the server MAY have thrown out the corresponding sessions from the session) A
22 -221.2 M
0.525390625 0 32 0 0 (table. In this case, the server will send a 401-B0-stale message as a response to req-A3 message,) A
22 -234.4 M
0.251116067 0 32 0 0 (indicating a new key exchange is required. The client SHOULD retry from constructing a req-A1) A
22 -247.6 M
(message in this case. ) S
0 -271.8 M
gsave
newpath
0 -272.9 M
36.9609375 0 RL
stroke
grestore
1.12286937 0 32 0 0 (Figure\2402) A
[/Rect [-1.0 -274.55 37.9609375 -262.449982] /Subtype /Link /Border [0 0 0] /Dest /17 /ANN pdfmark
1.12286937 0 32 0 0 ( depicts the shortcut flows described above. Under appropriate setting and implementations,) A
0 -285 M
1.0512408 0 32 0 0 (most of the requests to resources are expected to meet both criteria, and thus only one round-trip of) A
0 -298.2 M
(request/response will be required for most cases. ) S
0 -309.2 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -320.2 M
[/View [/XYZ -4 436.8 null] /Dest /17 /DEST pdfmark
0 -331 M
%%IncludeResource: font Courier
9.0 4 Nf
(    \(A\) omit first request) S
0 -341.8 M
(       \(2 round trips\)) S
0 -363.4 M
(     Client        Server) S
0 -374.2 M
(     |                  |) S
0 -385 M
(     | --- req-A1 ----> |) S
0 -395.8 M
(     |                  |) S
0 -406.6 M
(     | <---- 401-B1 --- |) S
0 -417.4 M
(     |                  |) S
0 -428.2 M
(     | --- req-A3 ----> |) S
0 -439 M
(     |                  |) S
0 -449.8 M
(     | <---- 200-B4 --- |) S
0 -460.6 M
(     |                  |) S
0 -493 M
(    \(B\) reusing session secret) S
0 -514.6 M
(      \(B-1\) key available      \(B-2\) key expired) S
0 -525.4 M
(              \(1 round trip\)           \(3 round trips\)) S
0 -547 M
(     Client        Server     Client              Server) S
0 -557.8 M
(     |                  |     |                        |) S
0 -568.6 M
(     | --- req-A3 ----> |     | --- req-A3 ----------> |) S
0 -579.4 M
(     |                  |     |                        |) S
0 -590.2 M
(     | <---- 200-B4 --- |     | <---- 401-B0-stale --- |) S
0 -601 M
(     |                  |     |                        |) S
0 -611.8 M
(                              | --- req-A1 ----------> |) S
0 -622.6 M
(                              |                        |) S
0 -633.4 M
(                              | <---------- 401-B1 --- |) S
0 -644.2 M
(                              |                        |) S
0 -644.2 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 7 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 8 8
%%PageResources: font Times-Roman Times-Bold Courier Courier-Oblique Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -10.8 M
%%IncludeResource: font Courier
9.0 4 Nf
(                              | --- req-A3 ----------> |) S
0 -21.6 M
9.0 4 Nf
(                              |                        |) S
0 -32.4 M
(                              | <---------- 200-B4 --- |) S
0 -43.2 M
(                              |                        |) S
143.6 -66.1 M
%%IncludeResource: font Times-Bold
7.63889 2 Nf
(\240Figure\2402: Several alternative flows on the ) S
(protocol\240) S
0 -80 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -104.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(For more details, see ) S
gsave
newpath
94.4 -105.3 M
41.2382812 0 RL
stroke
grestore
(Section\2408) S
[/Rect [93.3710938 -106.998611 136.609375 -94.898613] /Subtype /Link /Border [0 0 0] /Dest /57 /ANN pdfmark
( and ) S
gsave
newpath
157 -105.3 M
41.2382812 0 RL
stroke
grestore
(Section\2409) S
[/Rect [155.992188 -106.998611 199.230469 -94.898613] /Subtype /Link /Border [0 0 0] /Dest /60 /ANN pdfmark
(. ) S
0 -115.2 M
[/View [/XYZ -4 641.751404 null] /Dest /18 /DEST pdfmark
0 -115.2 M
[/View [/XYZ -4 641.751404 null] /Dest /19 /DEST pdfmark
0 -134.2 M
15 2 Nf
(3.) S
[/View [/XYZ -4 640.751404 null] /Dest /156 /DEST pdfmark
( Message ) S
(Syntax) S
0 -158.4 M
11 0 Nf
1.15234375 0 32 0 0 (The Mutual authentication protocol uses five headers: WWW-Authenticate \(in responses with status) A
0 -171.6 M
10.9365234 0 32 0 0 (code 401\), Optional-WWW-Authenticate \(in responses with non-401 status codes\),) A
0 -184.8 M
4.60009766 0 32 0 0 (Authentication-Control \(in responses\), Authorization \(in requests\), and Authentication-Info \(in) A
0 -198 M
0.743229151 0 32 0 0 (responses other than 401 status\). These headers follow a common framework of the one described in ) A
0 -211.2 M
gsave
newpath
0 -212.3 M
50.1054688 0 RL
stroke
grestore
1.65564907 0 32 0 0 ([RFC2617]) A
[/Rect [-1.0 -213.998596 51.1054688 -201.89859] /Subtype /Link /Border [0 0 0] /Dest /114 /ANN pdfmark
1.65564907 0 32 0 0 ( [Editorial Note: to be httpbis-p7]. The detailed syntax definitions for these headers are) A
0 -224.4 M
(contained in ) S
gsave
newpath
56.8 -225.5 M
41.2382812 0 RL
stroke
grestore
(Section\2404) S
[/Rect [55.8125 -227.198593 99.0507812 -215.098587] /Subtype /Link /Border [0 0 0] /Dest /27 /ANN pdfmark
(. ) S
0 -248.6 M
0.557552099 0 32 0 0 (These headers use some common syntax elements described in ) A
gsave
newpath
284.5 -249.7 M
36.9609375 0 RL
stroke
grestore
0.557552099 0 32 0 0 (Figure\2403) A
[/Rect [283.457031 -251.39859 322.417969 -239.298584] /Subtype /Link /Border [0 0 0] /Dest /20 /ANN pdfmark
0.557552099 0 32 0 0 (. The syntax is denoted in the) A
0 -261.8 M
(augmented BNF syntax defined in ) S
gsave
newpath
153.6 -262.9 M
50.1054688 0 RL
stroke
grestore
([RFC5234]) S
[/Rect [152.648438 -264.598602 204.753906 -252.498596] /Subtype /Link /Border [0 0 0] /Dest /107 /ANN pdfmark
(. ) S
0 -272.8 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -283.8 M
[/View [/XYZ -4 473.151398 null] /Dest /20 /DEST pdfmark
0 -294.6 M
9.0 4 Nf
( ) S
%%IncludeResource: font Courier-Oblique
9.0 5 Nf
(auth-scheme) S
9.0 4 Nf
(      = "Mutual"             ) S
9.0 5 Nf
(; see HTTP for other values) S
0 -305.4 M
9.0 4 Nf
( ) S
9.0 5 Nf
(extension-field) S
9.0 4 Nf
(  = ) S
9.0 5 Nf
(extension-token) S
9.0 4 Nf
( "=" ) S
9.0 5 Nf
(value) S
0 -316.2 M
9.0 4 Nf
( ) S
9.0 5 Nf
(token) S
9.0 4 Nf
(            = 1*\(%x30-39 / %x41-5A / %x61-7A / "-" / "_"\)) S
0 -327 M
9.0 4 Nf
( ) S
9.0 5 Nf
(extensive-token) S
9.0 4 Nf
(  = ) S
9.0 5 Nf
(token) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(extension-token) S
0 -337.8 M
9.0 4 Nf
( ) S
9.0 5 Nf
(extension-token) S
9.0 4 Nf
(  = "-" ) S
9.0 5 Nf
(token) S
9.0 4 Nf
( 1*\("." ) S
9.0 5 Nf
(token) S
9.0 4 Nf
(\)) S
0 -348.6 M
9.0 4 Nf
( ) S
9.0 5 Nf
(value) S
9.0 4 Nf
(            = ) S
9.0 5 Nf
(extensive-token) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(integer) S
0 -359.4 M
9.0 4 Nf
(                  / ) S
9.0 5 Nf
(hex-fixed-number) S
0 -370.2 M
9.0 4 Nf
(                  / ) S
9.0 5 Nf
(base64-fixed-number) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(string) S
0 -381 M
9.0 4 Nf
( ) S
9.0 5 Nf
(integer) S
9.0 4 Nf
(          = "0" / \(%x31-39 *%x30-39\)      ) S
9.0 5 Nf
(; no leading zeros) S
0 -391.8 M
9.0 4 Nf
( ) S
9.0 5 Nf
(hex-fixed-number) S
9.0 4 Nf
( = 1*\(%x30-39 / %x41-46 / %x61-66\)) S
0 -402.6 M
9.0 4 Nf
( ) S
9.0 5 Nf
(base64-fixed-number) S
9.0 4 Nf
( = ) S
9.0 5 Nf
(string) S
0 -413.4 M
9.0 4 Nf
( ) S
9.0 5 Nf
(string) S
9.0 4 Nf
(           = %x22 *\(%x20-21 / %x23-5B / %x5D-FF) S
0 -424.2 M
(                           / %x5C.22 / "\\\\"\) %x22) S
0 -435 M
9.0 4 Nf
( ) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
(           = 1*\(" " / %x09\)) S
108.9 -458 M
7.63889 2 Nf
(\240Figure\2403: the BNF syntax for the common elements used in the ) S
(protocol\240) S
0 -471.9 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -482.9 M
[/View [/XYZ -4 274.102966 null] /Dest /21 /DEST pdfmark
0 -482.9 M
[/View [/XYZ -4 274.102966 null] /Dest /22 /DEST pdfmark
0 -498.5 M
13 2 Nf
(3.1.) S
[/View [/XYZ -4 274.102966 null] /Dest /157 /DEST pdfmark
( Tokens and ) S
(Extensive-tokens) S
0 -522.7 M
11 0 Nf
1.84525239 0 32 0 0 (The tokens are case insensitive; senders SHOULD send these in lower-case, and receivers) A
0 -535.9 M
1.17431641 0 32 0 0 (MUST accept both upper- and lower-cases. When tokens are used as \(partial\) inputs to any hash or) A
0 -549.1 M
1.16376197 0 32 0 0 (other mathematical functions, they MUST always be used in lower-case. All hexadecimal numbers are) A
0 -562.3 M
(also case-insensitive, and SHOULD be sent in lower-case. ) S
0 -586.5 M
4.59314919 0 32 0 0 (Extensive-tokens are used in this protocol where the set of acceptable tokens may include) A
0 -599.7 M
7.67656231 0 32 0 0 (non-standard extensions. Any non-standard extensions of this protocol MUST use the) A
0 -612.9 M
1.66015625 0 32 0 0 (extension-tokens of format "-<token>.<domain-name>", where domain-name is a validly registered) A
0 -626.1 M
(\(sub-\)domain name on the Internet owned by the party who defines extensions. ) S
0 -637.1 M
[/View [/XYZ -4 119.902893 null] /Dest /23 /DEST pdfmark
0 -637.1 M
[/View [/XYZ -4 119.902893 null] /Dest /24 /DEST pdfmark
0 -637.1 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 8 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 9 9
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -15.6 M
%%IncludeResource: font Times-Bold
13 2 Nf
(3.2.) S
[/View [/XYZ -4 757.0 null] /Dest /158 /DEST pdfmark
( ) S
(Numbers) S
0 -39.8 M
%%IncludeResource: font Times-Roman
11 0 Nf
(The syntax definition of integers only allows representations which do not contain extra leading zeros. ) S
0 -64 M
0.460637033 0 32 0 0 (The numbers represented as a hex-fixed-number MUST have even number of characters \(i.e. multiple) A
0 -77.2 M
2.90264416 0 32 0 0 (of eight bits\). When these are generated from cryptographic values, those SHOULD have their) A
0 -90.4 M
0.104947917 0 32 0 0 ("natural length": if these are generated from a hash function, these lengths SHOULD correspond to the) A
0 -103.6 M
0.373535156 0 32 0 0 (hash size; if these are representing elements of a mathematical set \(or group\), their lengths SHOULD be) A
0 -116.8 M
1.5773437 0 32 0 0 (the shortest which can represent all elements in the set. See ) A
gsave
newpath
280.6 -117.9 M
53.4648438 0 RL
stroke
grestore
1.5773437 0 32 0 0 (Appendix\240C) A
[/Rect [279.574219 -119.549988 335.039062 -107.449989] /Subtype /Link /Border [0 0 0] /Dest /125 /ANN pdfmark
1.5773437 0 32 0 0 ( for information about the) A
0 -130 M
2.51207376 0 32 0 0 (length of the fields used in this specification. Session-identifiers and other non-cryptographically) A
0 -143.2 M
0.0307617188 0 32 0 0 (generated values are represented in any \(even\) length determined by the side who generates it first, and) A
0 -156.4 M
(the same length SHALL be used throughout the whole communications by both peers. ) S
0 -180.6 M
1.51595056 0 32 0 0 (Numbers represented as base64-fixed-number SHALL be generated as follows: first, the number is) A
0 -193.8 M
0.341947109 0 32 0 0 (converted to a big-endian octet-string representation. The length of the representation is determined in) A
0 -207 M
0.598115802 0 32 0 0 (the same way as above. Then, the string is encoded by ) A
gsave
newpath
248.2 -208.1 M
55.8607521 0 RL
stroke
grestore
0.598115802 0 32 0 0 (the Base 64 ) A
gsave
newpath
304 -208.1 M
40.3203125 0 RL
stroke
grestore
0.598115802 0 32 0 0 (encoding) A
[/Rect [247.175781 -209.749969 345.355469 -197.649963] /Subtype /Link /Border [0 0 0] /Dest /106 /ANN pdfmark
0.598115802 0 32 0 0 ( [RFC4648] without any) A
0 -220.2 M
(spaces and newlines, and then enclosed by two double-quotations. ) S
0 -231.2 M
[/View [/XYZ -4 525.800049 null] /Dest /25 /DEST pdfmark
0 -231.2 M
[/View [/XYZ -4 525.800049 null] /Dest /26 /DEST pdfmark
0 -246.8 M
13 2 Nf
(3.3.) S
[/View [/XYZ -4 525.800049 null] /Dest /159 /DEST pdfmark
( ) S
(Strings) S
0 -271 M
11 0 Nf
2.38251209 0 32 0 0 (All strings outside ASCII or equivalent character sets MUST be encoded using ) A
gsave
newpath
378.6 -272.1 M
35.0661049 0 RL
stroke
grestore
2.38251209 0 32 0 0 (UTF-8 ) A
gsave
newpath
413.6 -272.1 M
40.3203125 0 RL
stroke
grestore
2.38251209 0 32 0 0 (encoding) A
[/Rect [377.570312 -273.75 454.953125 -261.65] /Subtype /Link /Border [0 0 0] /Dest /105 /ANN pdfmark
0 -284.2 M
0.732244313 0 32 0 0 ([RFC3629] of the ) A
gsave
newpath
83.1 -285.3 M
105.110794 0 RL
stroke
grestore
0.732244313 0 32 0 0 (ISO 10646-1 character ) A
gsave
newpath
188.2 -285.3 M
12.2148438 0 RL
stroke
grestore
0.732244313 0 32 0 0 (set) A
[/Rect [82.1445312 -286.95 201.464844 -274.85] /Subtype /Link /Border [0 0 0] /Dest /110 /ANN pdfmark
0.732244313 0 32 0 0 ( [ISO.10646-1.1993]. Both peers are RECOMMENDED) A
0 -297.4 M
0.984375 0 32 0 0 (to reject any invalid UTF-8 sequences which cause decoding ambiguities \(e.g. containing <"> in the) A
0 -310.6 M
(second or later byte of the UTF-8 encoded characters\). ) S
0 -334.8 M
0.744010389 0 32 0 0 (To encode character strings to header values, these will first be encoded according to UTF-8 without) A
0 -348 M
0.963867188 0 32 0 0 (leading BOM, then all occurrences of characters <"> and "\\" will be escaped by prepending "\\", and) A
0 -361.2 M
0.8359375 0 32 0 0 (two <">s will be put around the string. These escaping backslashes and enclosing quotes SHALL be) A
0 -374.4 M
(removed before any processing other than using them in header fields. ) S
0 -398.6 M
1.56110489 0 32 0 0 (If strings are representing a domain name or URI which contains non-ASCII characters, host parts) A
0 -411.8 M
1.73322606 0 32 0 0 (SHOULD be encoded as it is used in the HTTP protocol layer \(e.g.\240in a Host: header\); in current) A
0 -425 M
(standard it will be the one defined in ) S
gsave
newpath
163.7 -426.1 M
50.1054688 0 RL
stroke
grestore
([RFC5890]) S
[/Rect [162.710938 -427.750122 214.816406 -415.650116] /Subtype /Link /Border [0 0 0] /Dest /118 /ANN pdfmark
(. It SHOULD use lower-case ASCII characters. ) S
0 -449.2 M
(For base64-fixed-numbers, which use the string syntax, see the previous section. ) S
0 -460.2 M
[/View [/XYZ -4 296.799866 null] /Dest /27 /DEST pdfmark
0 -460.2 M
[/View [/XYZ -4 296.799866 null] /Dest /28 /DEST pdfmark
0 -479.2 M
15 2 Nf
(4.) S
[/View [/XYZ -4 295.799866 null] /Dest /160 /DEST pdfmark
( ) S
(Messages) S
0 -503.4 M
11 0 Nf
1.7179687 0 32 0 0 (In this section we define seven kinds of messages used in the authentication protocol, along with) A
0 -516.6 M
(formats and requirements of the headers for each message. ) S
0 -540.8 M
(To determine which messages are expected to be sent, see ) S
gsave
newpath
253.8 -541.9 M
41.2382812 0 RL
stroke
grestore
(Section\2408) S
[/Rect [252.785156 -543.550171 296.023438 -531.450195] /Subtype /Link /Border [0 0 0] /Dest /57 /ANN pdfmark
( and ) S
gsave
newpath
316.4 -541.9 M
41.2382812 0 RL
stroke
grestore
(Section\2409) S
[/Rect [315.40625 -543.550171 358.644531 -531.450195] /Subtype /Link /Border [0 0 0] /Dest /60 /ANN pdfmark
(.) S
0 -565 M
0.0459558815 0 32 0 0 (In the descriptions below, the allowed type of values for each header field is shown in parentheses after) A
0 -578.2 M
0.716406226 0 32 0 0 (the key names. The type "algorithm-determined" means that the acceptable value type for the field is) A
0 -591.4 M
1.45611215 0 32 0 0 (one of the types defined in ) A
gsave
newpath
128.4 -592.5 M
41.2382812 0 RL
stroke
grestore
1.45611215 0 32 0 0 (Section\2403) A
[/Rect [127.449219 -594.150208 170.6875 -582.050232] /Subtype /Link /Border [0 0 0] /Dest /18 /ANN pdfmark
1.45611215 0 32 0 0 (, and is determined by the value of the "algorithm" field. The) A
0 -604.6 M
4.72536039 0 32 0 0 (fields marked as "mandatory" SHALL be contained in the message. The fields marked as) A
0 -617.8 M
("non-mandatory" MAY either be contained or omitted in the message. ) S
0 -628.8 M
[/View [/XYZ -4 128.199768 null] /Dest /29 /DEST pdfmark
0 -628.8 M
[/View [/XYZ -4 128.199768 null] /Dest /30 /DEST pdfmark
0 -628.8 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 9 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 10 10
%%PageResources: font Times-Roman Times-Bold Courier Courier-Oblique Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -15.6 M
%%IncludeResource: font Times-Bold
13 2 Nf
(4.1.) S
[/View [/XYZ -4 757.0 null] /Dest /161 /DEST pdfmark
( ) S
(401-B0) S
0 -39.8 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.926106751 0 32 0 0 (Every 401-B0 message SHALL be a valid HTTP 401 \(Authentication Required\) message containing) A
0 -53 M
1.81217444 0 32 0 0 (one \(and only one: hereafter not explicitly noticed\) "WWW-Authenticate" header of the following) A
0 -66.2 M
(format. ) S
0 -90.4 M
13.2421875 0 32 0 0 (WWW-Authenticate: Mutual algorithm=xxxx, validation=xxxx, realm="xxxx", stale=0,) A
0 -103.6 M
(version=-draft07 ) S
0 -114.6 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -125.6 M
[/View [/XYZ -4 631.4 null] /Dest /31 /DEST pdfmark
0 -136.4 M
%%IncludeResource: font Courier
9.0 4 Nf
( ) S
%%IncludeResource: font Courier-Oblique
9.0 5 Nf
(header-401-B0) S
9.0 4 Nf
( = "WWW-Authenticate" ":" [) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
(]) S
0 -147.2 M
9.0 4 Nf
(                 ) S
9.0 5 Nf
(auth-scheme) S
9.0 4 Nf
( ) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
( ) S
9.0 5 Nf
(fields-401-B0) S
0 -158 M
9.0 4 Nf
( ) S
9.0 5 Nf
(fields-401-B0) S
9.0 4 Nf
( = ) S
9.0 5 Nf
(field-401-B0) S
9.0 4 Nf
( *\([) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
(] "," ) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
( ) S
9.0 5 Nf
(field-401-B0) S
9.0 4 Nf
(\)) S
0 -168.8 M
9.0 4 Nf
( ) S
9.0 5 Nf
(field-401-B0) S
9.0 4 Nf
(  = ) S
9.0 5 Nf
(version) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(algorithm) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(validation) S
0 -179.6 M
9.0 4 Nf
(               / ) S
9.0 5 Nf
(auth-domain) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(realm) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(pwd-hash) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(stale) S
0 -190.4 M
9.0 4 Nf
(               / ) S
9.0 5 Nf
(extension-field) S
0 -201.2 M
9.0 4 Nf
( ) S
9.0 5 Nf
(version) S
9.0 4 Nf
(       = "version"     "=" ) S
9.0 5 Nf
(extensive-token) S
0 -212 M
9.0 4 Nf
( ) S
9.0 5 Nf
(algorithm) S
9.0 4 Nf
(     = "algorithm"   "=" ) S
9.0 5 Nf
(extensive-token) S
0 -222.8 M
9.0 4 Nf
( ) S
9.0 5 Nf
(validation) S
9.0 4 Nf
(    = "validation"  "=" ) S
9.0 5 Nf
(extensive-token) S
0 -233.6 M
9.0 4 Nf
( ) S
9.0 5 Nf
(auth-domain) S
9.0 4 Nf
(   = "auth-domain" "=" ) S
9.0 5 Nf
(string) S
0 -244.4 M
9.0 4 Nf
( ) S
9.0 5 Nf
(realm) S
9.0 4 Nf
(         = "realm" "=" ) S
9.0 5 Nf
(string) S
0 -255.2 M
9.0 4 Nf
( ) S
9.0 5 Nf
(pwd-hash) S
9.0 4 Nf
(      = "pwd-hash" "=" ) S
9.0 5 Nf
(extensive-token) S
0 -266 M
9.0 4 Nf
( ) S
9.0 5 Nf
(stale) S
9.0 4 Nf
(         = ) S
9.0 5 Nf
(token) S
131.2 -288.9 M
7.63889 2 Nf
(\240Figure\2404: the BNF syntax for the header in 401-B0 ) S
(header\240) S
0 -302.8 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -327 M
11 0 Nf
1.04036462 0 32 0 0 (The header SHALL contain all of the fields marked as "mandatory" below, and MAY contain those) A
0 -340.2 M
(marked as "non-mandatory". ) S
11 -364.4 M
(version: ) S
33 -377.6 M
3.60546875 0 32 0 0 (\(mandatory extensive-token\) should be the token "-draft07" in this specification. The) A
33 -390.8 M
(behavior when other values are specified is undefined. ) S
11 -404 M
(algorithm: ) S
33 -417.2 M
1.87656248 0 32 0 0 (\(mandatory extensive-token\) specifies the authentication algorithm to be used. The value) A
33 -430.4 M
2.93052459 0 32 0 0 (MUST be one of the tokens described in ) A
gsave
newpath
237.3 -431.5 M
46.7382812 0 RL
stroke
grestore
2.93052459 0 32 0 0 (Section\24011) A
[/Rect [236.261719 -433.19873 285.0 -421.098724] /Subtype /Link /Border [0 0 0] /Dest /71 /ANN pdfmark
2.93052459 0 32 0 0 (, or the tokens specified in other) A
33 -443.6 M
(supplemental specification documentations. ) S
11 -456.8 M
(validation: ) S
33 -470 M
1.34339488 0 32 0 0 (\(mandatory extensive-token\) specifies the method of host validation. The value MUST be) A
33 -483.2 M
2.42818499 0 32 0 0 (one of the tokens described in ) A
gsave
newpath
181.9 -484.3 M
41.2382812 0 RL
stroke
grestore
2.42818499 0 32 0 0 (Section\2407) A
[/Rect [180.945312 -485.998779 224.183594 -473.898773] /Subtype /Link /Border [0 0 0] /Dest /55 /ANN pdfmark
2.42818499 0 32 0 0 (, or the tokens specified in other supplemental) A
33 -496.4 M
(specification documentations. ) S
11 -509.6 M
(auth-domain: ) S
33 -522.8 M
5.11171865 0 32 0 0 (\(non-mandatory string\) specifies authentication domain, the set of hosts on which) A
33 -536 M
0.424107134 0 32 0 0 (authentication credentials are valid. It MUST be one of the strings described in ) A
gsave
newpath
388.5 -537.1 M
41.2382812 0 RL
stroke
grestore
0.424107134 0 32 0 0 (Section\2405) A
[/Rect [387.488281 -538.798828 430.726562 -526.698853] /Subtype /Link /Border [0 0 0] /Dest /49 /ANN pdfmark
0.424107134 0 32 0 0 (. If) A
33 -549.2 M
(the value is omitted, it is assumed to be the host part of the requested URI. ) S
11 -562.4 M
(realm: ) S
33 -575.6 M
1.43652344 0 32 0 0 (\(mandatory string\) is a UTF-8 encoded string representing the name of the authentication) A
33 -588.8 M
(realm inside the authentication domain. ) S
11 -602 M
(pwd-hash: ) S
33 -615.2 M
1.1789062 0 32 0 0 (\(non-mandatory extensive-token\) specifies the hash algorithm \(hereafter referred to by ph\)) A
33 -628.4 M
(used for additionally hashing the password. The valid tokens are ) S
44 -639 M
gsave
0 setgray
newpath
44.0 -639.018921 2.75 0 360 arc
closepath
fill
grestore
55 -642.6 M
(none: ph\(p\) = p ) S
44 -653.2 M
gsave
0 setgray
newpath
44.0 -653.218933 2.75 0 360 arc
closepath
fill
grestore
55 -656.8 M
(md5: ph\(p\) = MD5\(p\) ) S
44 -667.4 M
gsave
0 setgray
newpath
44.0 -667.418945 2.75 0 360 arc
closepath
fill
grestore
55 -671 M
0.602050781 0 32 0 0 (digest-md5: ph\(p\) = MD5\(username | ":" | realm | ":" | p\), the same value as MD5\(A1\)) A
55 -671 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 10 -) S
0 setgray
110 -8 M
grestore
pgsave restore N
%%Page: 11 11
%%PageResources: font Times-Roman Times-Bold Courier Courier-Oblique Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
55 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(for "MD5" algorithm in ) S
gsave
newpath
162.3 -14.3 M
50.1054688 0 RL
stroke
grestore
([RFC2617]) S
[/Rect [161.324219 -15.9500008 213.429688 -3.85000038] /Subtype /Link /Border [0 0 0] /Dest /114 /ANN pdfmark
(. ) S
44 -23.8 M
gsave
0 setgray
newpath
44.0 -23.77 2.75 0 360 arc
closepath
fill
grestore
55 -27.4 M
11 0 Nf
(sha1: ph\(p\) = ) S
(SHA1\(p\)) S
33 -40.6 M
(If omitted, the value "none" is assumed. The use of "none" is recommended. ) S
11 -53.8 M
(stale: ) S
33 -67 M
(\(mandatory token\) MUST be "0". ) S
0 -91.2 M
0.205193013 0 32 0 0 (The algorithm specified in this header will determine the types and the values for w_A, w_B, o_A and) A
0 -104.4 M
(o_B. ) S
0 -115.4 M
[/View [/XYZ -4 641.6 null] /Dest /32 /DEST pdfmark
0 -115.4 M
[/View [/XYZ -4 641.6 null] /Dest /33 /DEST pdfmark
0 -131 M
%%IncludeResource: font Times-Bold
13 2 Nf
(4.2.) S
[/View [/XYZ -4 641.6 null] /Dest /162 /DEST pdfmark
( ) S
(401-B0-stale) S
0 -155.2 M
11 0 Nf
0.116268381 0 32 0 0 (A 401-B0-stale message is a variant of 401-B0 message, which means that the client has sent a request) A
0 -168.4 M
(message which is not for any active session. ) S
0 -192.6 M
13.2421875 0 32 0 0 (WWW-Authenticate: Mutual algorithm=xxxx, validation=xxxx, realm="xxxx", stale=1,) A
0 -205.8 M
(version=-draft07 ) S
0 -230 M
(The header MUST contain the same fields as in 401-B0, except that stale field holds the token 1. ) S
0 -241 M
[/View [/XYZ -4 516.0 null] /Dest /34 /DEST pdfmark
0 -241 M
[/View [/XYZ -4 516.0 null] /Dest /35 /DEST pdfmark
0 -256.6 M
13 2 Nf
(4.3.) S
[/View [/XYZ -4 516.0 null] /Dest /163 /DEST pdfmark
( ) S
(req-A1) S
0 -280.8 M
11 0 Nf
0.285456717 0 32 0 0 (Every req-A1 message SHALL be a valid HTTP request message containing an "Authorization" header) A
0 -294 M
(of the following format. ) S
0 -318.2 M
4.32682276 0 32 0 0 (Authorization: Mutual algorithm=xxxx, validation=xxxx, realm="xxxx", user="xxxx", wa=xxxx,) A
0 -331.4 M
(version=-draft07 ) S
0 -342.4 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -353.4 M
[/View [/XYZ -4 403.599976 null] /Dest /36 /DEST pdfmark
0 -364.2 M
%%IncludeResource: font Courier
9.0 4 Nf
( ) S
%%IncludeResource: font Courier-Oblique
9.0 5 Nf
(header-req-A1) S
9.0 4 Nf
( = "Authorization" ":" [) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
(]) S
0 -375 M
9.0 4 Nf
(                 ) S
9.0 5 Nf
(auth-scheme) S
9.0 4 Nf
( ) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
( ) S
9.0 5 Nf
(fields-req-A1) S
0 -385.8 M
9.0 4 Nf
( ) S
9.0 5 Nf
(fields-req-A1) S
9.0 4 Nf
( = ) S
9.0 5 Nf
(field-req-A1) S
9.0 4 Nf
( *\([) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
(] "," ) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
( ) S
9.0 5 Nf
(field-req-A1) S
9.0 4 Nf
(\)) S
0 -396.6 M
9.0 4 Nf
( ) S
9.0 5 Nf
(field-req-A1) S
9.0 4 Nf
(  = ) S
9.0 5 Nf
(version) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(algorithm) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(validation) S
0 -407.4 M
9.0 4 Nf
(               / ) S
9.0 5 Nf
(auth-domain) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(realm) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(user) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(wa) S
0 -418.2 M
9.0 4 Nf
(               / ) S
9.0 5 Nf
(extension-field) S
0 -429 M
9.0 4 Nf
( ) S
9.0 5 Nf
(user) S
9.0 4 Nf
(          = "user" "=" ) S
9.0 5 Nf
(string) S
0 -439.8 M
9.0 4 Nf
( ) S
9.0 5 Nf
(wa) S
9.0 4 Nf
(            = "wa"   "=" ) S
9.0 5 Nf
(value) S
129 -462.7 M
7.63889 2 Nf
(\240Figure\2405: the BNF syntax for the header in req-A1 ) S
(message\240) S
0 -476.6 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -500.8 M
11 0 Nf
(The header SHALL contain the fields with the following keys: ) S
11 -525 M
(version: ) S
33 -538.2 M
3.33046865 0 32 0 0 (\(mandatory, extensive-token\) should be the token "-draft07" in this specification. The) A
33 -551.4 M
(behavior when other values are specified is undefined. ) S
11 -564.6 M
(algorithm, validation, auth-domain, realm: ) S
33 -577.8 M
(MUST be the same value as it is received from the server. ) S
11 -591 M
(user: ) S
33 -604.2 M
(\(mandatory, string\) is the UTF-8 encoded name of the user. ) S
11 -617.4 M
(wa: ) S
33 -630.6 M
2.33476567 0 32 0 0 (\(mandatory, algorithm-determined\) is the client-side key exchange value w_A, which is) A
33 -643.8 M
(specified by the used algorithm \(see ) S
gsave
newpath
194.3 -644.9 M
46.7382812 0 RL
stroke
grestore
(Section\24011) S
[/Rect [193.257812 -646.598633 241.996094 -634.498657] /Subtype /Link /Border [0 0 0] /Dest /71 /ANN pdfmark
(\). ) S
11 -643.8 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 11 -) S
0 setgray
22 -8 M
grestore
pgsave restore N
%%Page: 12 12
%%PageResources: font Times-Roman Times-Bold Courier Courier-Oblique Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /37 /DEST pdfmark
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /38 /DEST pdfmark
0 -15.6 M
%%IncludeResource: font Times-Bold
13 2 Nf
(4.4.) S
[/View [/XYZ -4 757.0 null] /Dest /164 /DEST pdfmark
( ) S
(401-B1) S
0 -39.8 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.267728359 0 32 0 0 (Every 401-B1 message SHALL be a valid HTTP 401 \(Authentication Required\) message containing a) A
0 -53 M
("WWW-Authenticate" header of the following format. ) S
0 -77.2 M
1.6477865 0 32 0 0 (WWW-Authenticate: Mutual algorithm=xxxx, validation=xxxx, realm="xxxx", sid=xxxx, wb=xxxx,) A
0 -90.4 M
(nc-max=x, nc-window=x, time=x, path="xxxx", version=-draft07 ) S
0 -101.4 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -112.4 M
[/View [/XYZ -4 644.6 null] /Dest /39 /DEST pdfmark
0 -123.2 M
%%IncludeResource: font Courier
9.0 4 Nf
( ) S
%%IncludeResource: font Courier-Oblique
9.0 5 Nf
(header-401-B1) S
9.0 4 Nf
( = "WWW-Authenticate" ":" [) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
(]) S
0 -134 M
9.0 4 Nf
(                 ) S
9.0 5 Nf
(auth-scheme) S
9.0 4 Nf
( ) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
( ) S
9.0 5 Nf
(fields-401-B1) S
0 -144.8 M
9.0 4 Nf
( ) S
9.0 5 Nf
(fields-401-B1) S
9.0 4 Nf
( = ) S
9.0 5 Nf
(field-401-B1) S
9.0 4 Nf
( *\([) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
(] "," ) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
( ) S
9.0 5 Nf
(field-401-B1) S
9.0 4 Nf
(\)) S
0 -155.6 M
9.0 4 Nf
( ) S
9.0 5 Nf
(field-401-B1) S
9.0 4 Nf
(  = ) S
9.0 5 Nf
(version) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(algorithm) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(validation) S
0 -166.4 M
9.0 4 Nf
(               / ) S
9.0 5 Nf
(auth-domain) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(realm) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(sid) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(wb) S
0 -177.2 M
9.0 4 Nf
(               / ) S
9.0 5 Nf
(nc-max) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(nc-window) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(time) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(path) S
0 -188 M
9.0 4 Nf
(               / ) S
9.0 5 Nf
(extension-field) S
0 -198.8 M
9.0 4 Nf
( ) S
9.0 5 Nf
(sid) S
9.0 4 Nf
(           = "sid"       "=" ) S
9.0 5 Nf
(string) S
0 -209.6 M
9.0 4 Nf
( ) S
9.0 5 Nf
(wb) S
9.0 4 Nf
(            = "wb"        "=" ) S
9.0 5 Nf
(value) S
0 -220.4 M
9.0 4 Nf
( ) S
9.0 5 Nf
(nc-max) S
9.0 4 Nf
(        = "nc-max"    "=" ) S
9.0 5 Nf
(integer) S
0 -231.2 M
9.0 4 Nf
( ) S
9.0 5 Nf
(nc-window) S
9.0 4 Nf
(     = "nc-window" "=" ) S
9.0 5 Nf
(integer) S
0 -242 M
9.0 4 Nf
( ) S
9.0 5 Nf
(time) S
9.0 4 Nf
(          = "time"      "=" ) S
9.0 5 Nf
(integer) S
0 -252.8 M
9.0 4 Nf
( ) S
9.0 5 Nf
(path) S
9.0 4 Nf
(          = "path"      "=" ) S
9.0 5 Nf
(string) S
129 -275.7 M
7.63889 2 Nf
(\240Figure\2406: the BNF syntax for the header in 401-B1 ) S
(message\240) S
0 -289.6 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -313.8 M
11 0 Nf
(The header SHALL contain the fields with the following keys: ) S
11 -338 M
(version: ) S
33 -351.2 M
3.33046865 0 32 0 0 (\(mandatory, extensive-token\) should be the token "-draft07" in this specification. The) A
33 -364.4 M
(behavior when other values are specified is undefined. ) S
11 -377.6 M
(algorithm, validation, auth-domain, realm: ) S
33 -390.8 M
(MUST be the same value as it is received from the client. ) S
11 -404 M
(sid: ) S
33 -417.2 M
1.51171875 0 32 0 0 (\(mandatory, hex-fixed-number\) MUST be a session identifier, which is a random integer.) A
33 -430.4 M
0.197753906 0 32 0 0 (The sid SHOULD have uniqueness of at least 80 bits or the square of the maximal estimated) A
33 -443.6 M
0.364182681 0 32 0 0 (transactions concurrently available in the session table, whichever is larger. Sids are local to) A
33 -456.8 M
3.1328125 0 32 0 0 (each authentication realm concerned: the same sids for different authentication realms) A
33 -470 M
(SHOULD be treated as independent ones. ) S
11 -483.2 M
(wb: ) S
33 -496.4 M
2.15195322 0 32 0 0 (\(mandatory, algorithm-determined\) is the server-side key exchange value w_B, which is) A
33 -509.6 M
(specified by the algorithm \(see ) S
gsave
newpath
171.3 -510.7 M
46.7382812 0 RL
stroke
grestore
(Section\24011) S
[/Rect [170.347656 -512.398804 219.085938 -500.298828] /Subtype /Link /Border [0 0 0] /Dest /71 /ANN pdfmark
(\). ) S
11 -522.8 M
(nc-max: ) S
33 -536 M
(\(mandatory, integer\) is the maximal value of nonce counts which S accepts. ) S
11 -549.2 M
(nc-window: ) S
33 -562.4 M
0.928185105 0 32 0 0 (\(mandatory, integer\) the number of available nonce slots which the server will accept. The) A
33 -575.6 M
(value of nc-window is RECOMMENDED to be 32 or more. ) S
11 -588.8 M
(time: ) S
33 -602 M
1.20930994 0 32 0 0 (\(mandatory, integer\) represents the suggested time \(in seconds\) which the client can reuse) A
33 -615.2 M
1.03662109 0 32 0 0 (the session represented by sid. It is RECOMMENDED to be at least 60. The value of this) A
33 -628.4 M
3.28671885 0 32 0 0 (field is not directly linked to the duration that the server keeps track of the session) A
33 -641.6 M
(represented by sid. ) S
33 -641.6 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 12 -) S
0 setgray
22 -8 M
grestore
pgsave restore N
%%Page: 13 13
%%PageResources: font Times-Roman Times-Bold Courier Courier-Oblique Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
11 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(path: ) S
33 -26.4 M
0.292367786 0 32 0 0 (\(non-mandatory, string\) specifies for which path in the URI space the same authentication is) A
33 -39.6 M
1.21208644 0 32 0 0 (expected to apply. The value is a space-separated list of URIs, in the same format as it is) A
33 -52.8 M
2.01136374 0 32 0 0 (specified in domain parameter ) A
gsave
newpath
177.2 -53.9 M
50.1054688 0 RL
stroke
grestore
2.01136374 0 32 0 0 ([RFC2617]) A
[/Rect [176.234375 -55.5500031 228.339844 -43.4500046] /Subtype /Link /Border [0 0 0] /Dest /114 /ANN pdfmark
2.01136374 0 32 0 0 ( for the Digest authentications, and clients are) A
33 -66 M
1.22956729 0 32 0 0 (RECOMMENDED to recognize it. All path elements contained in the field MUST be) A
33 -79.2 M
(inside the specified auth-domain: if not, clients SHOULD ignore such elements. ) S
0 -90.2 M
[/View [/XYZ -4 666.8 null] /Dest /40 /DEST pdfmark
0 -90.2 M
[/View [/XYZ -4 666.8 null] /Dest /41 /DEST pdfmark
0 -105.8 M
%%IncludeResource: font Times-Bold
13 2 Nf
(4.5.) S
[/View [/XYZ -4 666.8 null] /Dest /165 /DEST pdfmark
( ) S
(req-A3) S
0 -130 M
11 0 Nf
0.285456717 0 32 0 0 (Every req-A3 message SHALL be a valid HTTP request message containing an "Authorization" header) A
0 -143.2 M
(of the following format. ) S
0 -167.4 M
2.18191957 0 32 0 0 (Authorization: Mutual algorithm=xxxx, validation=xxxx, realm="xxxx", sid=xxxx, nc=x, oa=xxxx,) A
0 -180.6 M
(version=-draft07 ) S
0 -191.6 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -202.6 M
[/View [/XYZ -4 554.4 null] /Dest /42 /DEST pdfmark
0 -213.4 M
%%IncludeResource: font Courier
9.0 4 Nf
( ) S
%%IncludeResource: font Courier-Oblique
9.0 5 Nf
(header-req-A3) S
9.0 4 Nf
( = "Authorization" ":" [) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
(]) S
0 -224.2 M
9.0 4 Nf
(                 ) S
9.0 5 Nf
(auth-scheme) S
9.0 4 Nf
( ) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
( ) S
9.0 5 Nf
(fields-req-A3) S
0 -235 M
9.0 4 Nf
( ) S
9.0 5 Nf
(fields-req-A3) S
9.0 4 Nf
( = ) S
9.0 5 Nf
(field-req-A3) S
9.0 4 Nf
( *\([) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
(] "," ) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
( ) S
9.0 5 Nf
(field-req-A3) S
9.0 4 Nf
(\)) S
0 -245.8 M
9.0 4 Nf
( ) S
9.0 5 Nf
(field-req-A3) S
9.0 4 Nf
(  = ) S
9.0 5 Nf
(version) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(algorithm) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(validation) S
0 -256.6 M
9.0 4 Nf
(               / ) S
9.0 5 Nf
(auth-domain) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(realm) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(sid) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(nc) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(oa) S
0 -267.4 M
9.0 4 Nf
(               / ) S
9.0 5 Nf
(extension-field) S
0 -278.2 M
9.0 4 Nf
( ) S
9.0 5 Nf
(nc) S
9.0 4 Nf
(            = "nc" "=" ) S
9.0 5 Nf
(integer) S
0 -289 M
9.0 4 Nf
( ) S
9.0 5 Nf
(oa) S
9.0 4 Nf
(            = "oa" "=" ) S
9.0 5 Nf
(value) S
129 -311.9 M
7.63889 2 Nf
(\240Figure\2407: the BNF syntax for the header in req-A3 ) S
(message\240) S
0 -325.8 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -350 M
11 0 Nf
(The fields contained in the header are as follows: ) S
11 -374.2 M
(version: ) S
33 -387.4 M
3.33046865 0 32 0 0 (\(mandatory, extensive-token\) should be the token "-draft07" in this specification. The) A
33 -400.6 M
(behavior when other values are specified is undefined. ) S
11 -413.8 M
(algorithm, validation, auth-domain, realm: ) S
33 -427 M
(MUST be the same value as it is received from the server for the session. ) S
11 -440.2 M
(sid: ) S
33 -453.4 M
1.71679688 0 32 0 0 (\(mandatory, hex-fixed-number\) MUST be one of the sid values which has been received) A
33 -466.6 M
(from the server for the same authentication realm. ) S
11 -479.8 M
(nc: ) S
33 -493 M
0.684988856 0 32 0 0 (\(mandatory, integer\) is a nonce value which is unique among the requests sharing the same) A
33 -506.2 M
(sid. Values of nonces SHOULD satisfy the properties outlined in ) S
gsave
newpath
321.6 -507.3 M
41.2382812 0 RL
stroke
grestore
(Section\2406) S
[/Rect [320.640625 -508.998718 363.878906 -496.898712] /Subtype /Link /Border [0 0 0] /Dest /53 /ANN pdfmark
(. ) S
11 -519.4 M
(oa: ) S
33 -532.6 M
2.30859375 0 32 0 0 (\(mandatory, algorithm-determined\) is the client-side authentication challenge value o_A,) A
33 -545.8 M
(which is specified by the algorithm \(see ) S
gsave
newpath
211.1 -546.9 M
46.7382812 0 RL
stroke
grestore
(Section\24011) S
[/Rect [210.058594 -548.598755 258.796875 -536.498779] /Subtype /Link /Border [0 0 0] /Dest /71 /ANN pdfmark
(\). ) S
0 -556.8 M
[/View [/XYZ -4 200.151245 null] /Dest /43 /DEST pdfmark
0 -556.8 M
[/View [/XYZ -4 200.151245 null] /Dest /44 /DEST pdfmark
0 -572.4 M
13 2 Nf
(4.6.) S
[/View [/XYZ -4 200.151245 null] /Dest /166 /DEST pdfmark
( ) S
(200-B4) S
0 -596.6 M
11 0 Nf
0.269810259 0 32 0 0 (Every 200-B4 message SHALL be a valid HTTP message which is not 401 \(Authentication Required\)) A
0 -609.8 M
(type, containing an "Authentication-Info" header of the following format. ) S
0 -634 M
(Authentication-Info: Mutual sid=xxxx, ob=xxxx, version=-draft07 ) S
0 -634 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 13 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 14 14
%%PageResources: font Times-Roman Times-Bold Courier Courier-Oblique Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -0 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -11 M
[/View [/XYZ -4 746.0 null] /Dest /45 /DEST pdfmark
0 -21.8 M
%%IncludeResource: font Courier
9.0 4 Nf
( ) S
%%IncludeResource: font Courier-Oblique
9.0 5 Nf
(header-200-B4) S
9.0 4 Nf
(  = "Authentication-Info" ":" [) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
(]) S
0 -32.6 M
9.0 4 Nf
(                  ) S
9.0 5 Nf
(auth-scheme) S
9.0 4 Nf
( ) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
( ) S
9.0 5 Nf
(fields-200-B4) S
0 -43.4 M
9.0 4 Nf
( ) S
9.0 5 Nf
(fields-200-B4) S
9.0 4 Nf
(  = ) S
9.0 5 Nf
(field-200-B4) S
9.0 4 Nf
( *\([) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
(] "," ) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
( ) S
9.0 5 Nf
(field-200-B4) S
9.0 4 Nf
(\)) S
0 -54.2 M
9.0 4 Nf
( ) S
9.0 5 Nf
(field-200-B4) S
9.0 4 Nf
(   = ) S
9.0 5 Nf
(version) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(sid) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(ob) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(logout-timeout) S
0 -65 M
9.0 4 Nf
( ) S
9.0 5 Nf
(ob) S
9.0 4 Nf
(             = "ob"             "=" ) S
9.0 5 Nf
(value) S
0 -75.8 M
9.0 4 Nf
( ) S
9.0 5 Nf
(logout-timeout) S
9.0 4 Nf
( = "logout-timeout" "=" ) S
9.0 5 Nf
(integer) S
129 -98.7 M
%%IncludeResource: font Times-Bold
7.63889 2 Nf
(\240Figure\2408: the BNF syntax for the header in 200-B4 ) S
(message\240) S
0 -112.6 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -136.8 M
%%IncludeResource: font Times-Roman
11 0 Nf
(The fields contained in the header are as follows: ) S
11 -161 M
(version: ) S
33 -174.2 M
3.33046865 0 32 0 0 (\(mandatory, extensive-token\) should be the token "-draft07" in this specification. The) A
33 -187.4 M
(behavior when other values are specified is undefined. ) S
11 -200.6 M
(sid: ) S
33 -213.8 M
(\(mandatory, hex-fixed-number\) MUST be the value received from the client. ) S
11 -227 M
(ob: ) S
33 -240.2 M
2.08007812 0 32 0 0 (\(mandatory, algorithm-determined\) is the server-side authentication challenge value o_B,) A
33 -253.4 M
(which is specified by the algorithm \(see ) S
gsave
newpath
211.1 -254.5 M
46.7382812 0 RL
stroke
grestore
(Section\24011) S
[/Rect [210.058594 -256.198608 258.796875 -244.098587] /Subtype /Link /Border [0 0 0] /Dest /71 /ANN pdfmark
(\). ) S
11 -266.6 M
(logout-timeout: ) S
33 -279.8 M
0.152644232 0 32 0 0 (\(non-mandatory, integer\) is a number of seconds after which the client should re-validate the) A
33 -293 M
1.14620531 0 32 0 0 (user's password for the current authentication realm. As a special case, the value 0 means) A
33 -306.2 M
2.59446025 0 32 0 0 (that the client SHOULD automatically forget the user-inputted password to the current) A
33 -319.4 M
0.137890622 0 32 0 0 (authentication realm and revert to the unauthenticated state \(i.e.\240server-initiated logout\). This) A
33 -332.6 M
0.737680316 0 32 0 0 (does not, however, mean that the long-term memories for the passwords \(such as password) A
33 -345.8 M
0.333740234 0 32 0 0 (reminders and auto fill-ins\) should be removed. If a new value of timeout is received for the) A
33 -359 M
(same authentication realm, it overrides the previous timeout. ) S
0 -383.2 M
3.49402571 0 32 0 0 (The header MUST be sent before the content body: it MUST\240NOT be sent in a trailer of a) A
0 -396.4 M
6.59505224 0 32 0 0 (chunked-encoded response. If a "100 Continue" response is sent from the server, the) A
0 -409.6 M
(Authentication-Info header SHOULD be included in that response, instead of the final response. ) S
0 -420.6 M
[/View [/XYZ -4 336.351288 null] /Dest /46 /DEST pdfmark
0 -420.6 M
[/View [/XYZ -4 336.351288 null] /Dest /47 /DEST pdfmark
0 -436.2 M
13 2 Nf
(4.7.) S
[/View [/XYZ -4 336.351288 null] /Dest /167 /DEST pdfmark
( ) S
(200-Optional-B0) S
0 -460.4 M
11 0 Nf
0.954545438 0 32 0 0 (The 200-Optional-B0 message enables a non-mandatory authentication, which is not possible under) A
0 -473.6 M
2.35644531 0 32 0 0 (current HTTP authentication mechanism. In several Web applications, users can access the same) A
0 -486.8 M
0.09765625 0 32 0 0 (contents both as a guest user and as an authenticated user. In usual Web applications, it is implemented) A
0 -500 M
4.00745726 0 32 0 0 (using ) A
gsave
newpath
30.6 -501.1 M
34.2496452 0 RL
stroke
grestore
4.00745726 0 32 0 0 (HTTP ) A
gsave
newpath
64.8 -501.1 M
33.5976562 0 RL
stroke
grestore
4.00745726 0 32 0 0 (cookies) A
[/Rect [29.5859375 -502.798767 99.4296875 -490.698761] /Subtype /Link /Border [0 0 0] /Dest /115 /ANN pdfmark
4.00745726 0 32 0 0 ( [RFC2965] and custom form-based authentications. The new method of) A
0 -513.2 M
1.61490881 0 32 0 0 (authentication using this message will provide a replacement for those authentication systems. The) A
0 -526.4 M
3.67367792 0 32 0 0 (support for this message is RECOMMENDED, unless the protocol is used for some specific) A
0 -539.6 M
(applications in which authentication is always mandatory. ) S
0 -563.8 M
1.46664667 0 32 0 0 (Servers MAY send HTTP successful responses \(response code 200, 206 and others\) containing the) A
0 -577 M
3.899858 0 32 0 0 (Optional-WWW-Authenticate header, when it is allowed to send 401-B0 responses \(with one) A
0 -590.2 M
(exception described below\). Such responses are hereafter called 200-Optional-B0 responses. ) S
0 -614.4 M
(HTTP/1.1 200 ) S
(OK) S
0 -627.6 M
12.4072266 0 32 0 0 (Optional-WWW-Authenticate: Mutual version=-draft07, algorithm=xxxx, validation=xxxx,) A
0 -640.8 M
(realm="xxxx", stale=0 ) S
0 -640.8 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 14 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 15 15
%%PageResources: font Times-Roman Times-Bold Courier Courier-Oblique Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -0 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -11 M
[/View [/XYZ -4 746.0 null] /Dest /48 /DEST pdfmark
0 -21.8 M
%%IncludeResource: font Courier
9.0 4 Nf
( ) S
%%IncludeResource: font Courier-Oblique
9.0 5 Nf
(header-200-Optional-B0) S
9.0 4 Nf
( = "Optional-WWW-Authenticate" ":" [) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
(]) S
0 -32.6 M
9.0 4 Nf
(                          ) S
9.0 5 Nf
(auth-scheme) S
9.0 4 Nf
( ) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
( ) S
9.0 5 Nf
(fields-401-B0) S
115.5 -55.5 M
%%IncludeResource: font Times-Bold
7.63889 2 Nf
(\240Figure\2409: the BNF syntax for the header in 200-Optional-B0 ) S
(header\240) S
0 -69.4 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -93.6 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.02253604 0 32 0 0 (The fields contained in the Optional-WWW-Authenticate header are the same as in the 401-B0 message) A
0 -106.8 M
0.540838063 0 32 0 0 (described in ) A
gsave
newpath
57.3 -107.9 M
49.4882812 0 RL
stroke
grestore
0.540838063 0 32 0 0 (Section\2404.1) A
[/Rect [56.2734375 -109.598602 107.761719 -97.4986038] /Subtype /Link /Border [0 0 0] /Dest /29 /ANN pdfmark
0.540838063 0 32 0 0 (. For authentication-related matters, a 200-Optional-B0 message will have the) A
0 -120 M
0.548177063 0 32 0 0 (same meaning as a 401-B0 message with a corresponding WWW-Authenticate header. \(The behavior) A
0 -133.2 M
4.13541651 0 32 0 0 (for other matters, such as caching, MAY be different between 200-Optional-B0 and 401-B0) A
0 -146.4 M
(messages.\) ) S
0 -170.6 M
2.93039775 0 32 0 0 (The 200-Optional-B0 message is the only place where an Optional-WWW-Authenticate header is) A
0 -183.8 M
0.943014681 0 32 0 0 (allowed. If a server is to send a 401-B1 or a 401-B0-stale response, it SHALL\240NOT replace it with) A
0 -197 M
0.19921875 0 32 0 0 (200-Optional-B0 or similar responses. Furthermore, if a server is going to send a 401-B0 message as a) A
0 -210.2 M
1.23168945 0 32 0 0 (response to a req-A3 message with a correct realm, the server MUST send a 401-B0 message, not a) A
0 -223.4 M
(200-Optional-B0 message. ) S
0 -247.6 M
1.371804 0 32 0 0 (Servers requesting non-mandatory authentication SHOULD send the path field in 401-B1 messages) A
0 -260.8 M
2.5476563 0 32 0 0 (with an appropriate value. Clients supporting non-mandatory authentication MUST recognize the) A
0 -274 M
1.07958984 0 32 0 0 (field, and MUST send either req-A1 or req-A3 request for the URI space inside the specified paths,) A
0 -287.2 M
(instead of a normal request without an Authorization header. ) S
0 -298.2 M
[/View [/XYZ -4 458.751404 null] /Dest /49 /DEST pdfmark
0 -298.2 M
[/View [/XYZ -4 458.751404 null] /Dest /50 /DEST pdfmark
0 -317.2 M
15 2 Nf
(5.) S
[/View [/XYZ -4 457.751404 null] /Dest /168 /DEST pdfmark
( Authentication ) S
(Realms) S
0 -341.4 M
11 0 Nf
0.740349293 0 32 0 0 (In this protocol, an "authentication realm" is defined as a set of resources \(URIs\) for which the same) A
0 -354.6 M
0.0681152344 0 32 0 0 (set of user names and passwords is valid. If the server requests authentication for the authentication) A
0 -367.8 M
1.46549475 0 32 0 0 (realm for which the client is already authenticated, the client will automatically perform authentication) A
0 -381 M
2.63671875 0 32 0 0 (using the already-known secrets. On the contrary, for the different authentication realms, clients) A
0 -394.2 M
(SHOULD\240NOT automatically reuse the usernames and passwords for another realm. ) S
0 -418.4 M
2.12109375 0 32 0 0 (Just like Basic and Digest access authentication protocol, Mutual authentication protocol supports) A
0 -431.6 M
2.59555292 0 32 0 0 (multiple, separate authentication realms to be set up inside each host. Furthermore, the protocol) A
0 -444.8 M
(supports that a single authentication realm spans over several hosts in the same Internet domain. ) S
0 -469 M
0.777043283 0 32 0 0 (Each authentication realm is defined and distinguished by the triple of an "authentication algorithm",) A
0 -482.2 M
0.161221594 0 32 0 0 (an "authentication domain", and a "realm" parameter. Server operators are NOT\240RECOMMENDED to) A
0 -495.4 M
1.73549104 0 32 0 0 (use the same pair of an authentication domain and a realm for different authentication algorithms,) A
0 -508.6 M
(however. ) S
0 -532.8 M
0.643415153 0 32 0 0 (Authentication algorithms are defined in ) A
gsave
newpath
184.3 -533.9 M
41.2382812 0 RL
stroke
grestore
0.643415153 0 32 0 0 (Section\2404) A
[/Rect [183.316406 -535.598755 226.554688 -523.498779] /Subtype /Link /Border [0 0 0] /Dest /27 /ANN pdfmark
0.643415153 0 32 0 0 ( and ) A
gsave
newpath
248.2 -533.9 M
46.7382812 0 RL
stroke
grestore
0.643415153 0 32 0 0 (Section\24011) A
[/Rect [247.21875 -535.598755 295.957031 -523.498779] /Subtype /Link /Border [0 0 0] /Dest /71 /ANN pdfmark
0.643415153 0 32 0 0 (. The realm parameter is a string as) A
0 -546 M
(defined in ) S
gsave
newpath
47 -547.1 M
41.2382812 0 RL
stroke
grestore
(Section\2404) S
[/Rect [46.0351562 -548.798767 89.2734375 -536.698792] /Subtype /Link /Border [0 0 0] /Dest /27 /ANN pdfmark
(. Authentication domains are described in the rest of this section. ) S
0 -570.2 M
1.07924104 0 32 0 0 (An authentication domain specifies the range of hosts which the authentication realm spans over. In) A
0 -583.4 M
(the protocol, it MUST be one of the following strings. ) S
11 -604 M
gsave
0 setgray
newpath
11.0 -604.018799 2.75 0 360 arc
closepath
fill
grestore
22 -607.6 M
0.334435105 0 32 0 0 (The string in format "<scheme>://<host>:<port>", where scheme, host and port are the URI parts) A
22 -620.8 M
0.00759548601 0 32 0 0 (of the requested URI. Even if the request-URI does not have a port part, the string will include the) A
22 -634 M
1.37224269 0 32 0 0 (one \(i.e. 80 for http and 443 for https\). Use this when authentication is only valid for specific) A
22 -647.2 M
(protocol \(such as https\). ) S
11 -657.8 M
gsave
0 setgray
newpath
11.0 -657.818848 2.75 0 360 arc
closepath
fill
grestore
22 -661.4 M
0.248535156 0 32 0 0 (The "host" part of the requested URI. This is the default value. Authentication realms in this kind) A
22 -661.4 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 15 -) S
0 setgray
44 -8 M
grestore
pgsave restore N
%%Page: 16 16
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
22 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.902864575 0 32 0 0 (of authentication domain will span over several protocols \(i.e. http and https\) and ports, but not) A
22 -26.4 M
11 0 Nf
(over different hosts. ) S
11 -37 M
gsave
0 setgray
newpath
11.0 -36.97 2.75 0 360 arc
closepath
fill
grestore
22 -40.6 M
2.31738281 0 32 0 0 (String in format "*.<domain-postfix>", where "domain-postfix" is either the host part of the) A
22 -53.8 M
2.45078135 0 32 0 0 (requested URI, or any domain in which the requested host is included \(this means that the) A
22 -67 M
0.112847224 0 32 0 0 (specification "*.example.com" is valid for all of hosts "www.example.com", "web.example.com",) A
22 -80.2 M
0.329427093 0 32 0 0 ("www.sales.example.com" and "example.com"\). The domain-postfix sent from servers MUST be) A
22 -80.2 M
0.976116121 0.976116121 scale

0.0 -13.2 RM
(equal to or included in a valid Internet domain assigned to specific organization: if clients know, by) S
1.0244683 1.0244683 scale

22 -93.1 M
0.952410519 0.952410519 scale

0.0 -13.2 RM
(some means such as blacklists for HTTP cookies, that the specified domain is not to be assigned to any) S
1.04996741 1.04996741 scale

22 -118.9 M
3.71342325 0 32 0 0 (specific organization \(e.g. "*.com" or "*.jp"\), clients are RECOMMENDED to reject the) A
22 -132.1 M
(authentication request. ) S
0 -156.3 M
1.25167406 0 32 0 0 (In the above specifications, every "scheme", "host" and "domain" MUST be in lower-case, and any) A
0 -169.5 M
1.49278843 0 32 0 0 (internationalized domain names beyond the ASCII character set SHALL be represented in the way) A
0 -182.7 M
2.66947126 0 32 0 0 (these are sent in the underlying HTTP protocol, represented in lower-case characters; i.e.\240 these) A
0 -195.9 M
0.593098938 0 32 0 0 (SHALL be in the form of the LDH labels in ) A
gsave
newpath
202 -197 M
27.484375 0 RL
stroke
grestore
0.593098938 0 32 0 0 (IDNA) A
[/Rect [200.988281 -198.606537 230.472656 -186.506531] /Subtype /Link /Border [0 0 0] /Dest /118 /ANN pdfmark
0.593098938 0 32 0 0 ( [RFC5890]. All "port"s MUST be in the shortest,) A
0 -209.1 M
3.16731763 0 32 0 0 (unsigned, decimal number notation. Not obeying these requirements will cause failure of valid) A
0 -222.3 M
(authentication attempts. ) S
0 -233.3 M
[/View [/XYZ -4 523.743469 null] /Dest /51 /DEST pdfmark
0 -233.3 M
[/View [/XYZ -4 523.743469 null] /Dest /52 /DEST pdfmark
0 -248.9 M
%%IncludeResource: font Times-Bold
13 2 Nf
(5.1.) S
[/View [/XYZ -4 523.743469 null] /Dest /169 /DEST pdfmark
( Resolving ) S
(ambiguities) S
0 -273.1 M
11 0 Nf
1.77313697 0 32 0 0 (In the above definition of authentication domains, several domains will overlap with each other.) A
0 -286.3 M
1.47767854 0 32 0 0 (Depending on the "path" parameters given in the "401-B1" message \(see ) A
gsave
newpath
338.7 -287.4 M
41.2382812 0 RL
stroke
grestore
1.47767854 0 32 0 0 (Section\2404) A
[/Rect [337.691406 -289.006561 380.929688 -276.906555] /Subtype /Link /Border [0 0 0] /Dest /27 /ANN pdfmark
1.47767854 0 32 0 0 (\), there may be) A
0 -299.5 M
0.560937524 0 32 0 0 (several candidates when the client is to send a request with authentication credentials included \(at the) A
0 -312.7 M
(Steps 3 and 4 of the decision procedure shown in ) S
gsave
newpath
218.7 -313.8 M
41.2382812 0 RL
stroke
grestore
(Section\2408) S
[/Rect [217.703125 -315.406586 260.941406 -303.30658] /Subtype /Link /Border [0 0 0] /Dest /57 /ANN pdfmark
(\). ) S
0 -336.9 M
(If such choices are required, the following procedure SHOULD be ) S
(followed.) S
11 -357.4 M
gsave
0 setgray
newpath
11.0 -357.426605 2.75 0 360 arc
closepath
fill
grestore
22 -361.1 M
0.90625 0 32 0 0 (If the client has previously sent a request to the same URI, and it remembers the authentication) A
22 -374.3 M
(realm requested by 401-B0 messages at that time, use that realm. ) S
11 -384.8 M
gsave
0 setgray
newpath
11.0 -384.82663 2.75 0 360 arc
closepath
fill
grestore
22 -388.5 M
1.7922585 0 32 0 0 (In other cases, use one of authentication realms which represents most-specific authentication) A
22 -401.7 M
1.77163458 0 32 0 0 (domains. In the list of possible domain specifications shown above, one described earlier has) A
22 -414.9 M
(priority over ones described after that. ) S
22 -428.1 M
1.32962739 0 32 0 0 (If there are several choices with different domain-postfix specifications, the one which has the) A
22 -441.3 M
(longest domain-postfix has priority over ones with shorter domain-postfix. ) S
11 -451.8 M
gsave
0 setgray
newpath
11.0 -451.826691 2.75 0 360 arc
closepath
fill
grestore
22 -455.5 M
1.77929688 0 32 0 0 (If there are realms with the same specifications of authentication domain, there is no defined) A
22 -468.7 M
(priority: client MAY choose any one of possible choices. ) S
0 -492.9 M
1.484375 0 32 0 0 (If possible, server operators are encouraged to avoid such ambiguities by setting "path" parameters) A
0 -506.1 M
(properly. ) S
0 -517.1 M
[/View [/XYZ -4 239.943237 null] /Dest /53 /DEST pdfmark
0 -517.1 M
[/View [/XYZ -4 239.943237 null] /Dest /54 /DEST pdfmark
0 -536.1 M
15 2 Nf
(6.) S
[/View [/XYZ -4 238.943237 null] /Dest /170 /DEST pdfmark
( Session ) S
(Management) S
0 -560.3 M
11 0 Nf
0.397135407 0 32 0 0 (In the Mutual authentication protocol, a session represented by an sid is set up by the first 4 messages) A
0 -573.5 M
1.93723953 0 32 0 0 (\(first request, 401-B0, req-A1 and 401-B1\), and a "session secret" \(z\) associated to the session is) A
0 -586.7 M
1.03285849 0 32 0 0 (established. After having a session secret, this session, along with the secret, can be used for one or) A
0 -599.9 M
1.67211914 0 32 0 0 (more requests for resources protected by the same realm in the same server. Note that the session) A
0 -613.1 M
0.0570746511 0 32 0 0 (management is only an inside detail of the protocol and usually not visible to normal users. If a session) A
0 -626.3 M
0.809495211 0 32 0 0 (expires, the client and server SHOULD automatically reestablish another session without telling it to) A
0 -639.5 M
(the users. ) S
0 -639.5 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 16 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 17 17
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.656982422 0 32 0 0 (The sessions are local to each port of a host inside an authentication domain; clients MUST establish) A
0 -26.4 M
(separate sessions for each port of a host to be accessed. ) S
0 -50.6 M
2.3742187 0 32 0 0 (The server SHOULD accept at least one req-A3 request for each session, given that the request) A
0 -63.8 M
1.19416356 0 32 0 0 (reaches the server in a time window specified by the timeout field in the 401-B1 message, and that) A
0 -77 M
0.966308594 0 32 0 0 (there are no emergent reasons \(such as flooding attacks\) to forget the sessions. After that, the server) A
0 -90.2 M
(MAY discard any session at any time and MAY send 401-B0-stale messages for any req-A3 requests. ) S
0 -114.4 M
0.78010112 0 32 0 0 (The client MAY send two or more requests using a single session specified by the sid. However, for) A
0 -127.6 M
(all such requests, each value of the nonce \(in the nc field\) MUST satisfy the following conditions: ) S
11 -148.2 M
gsave
0 setgray
newpath
11.0 -148.17 2.75 0 360 arc
closepath
fill
grestore
22 -151.8 M
(It is a natural number. ) S
11 -162.4 M
gsave
0 setgray
newpath
11.0 -162.37 2.75 0 360 arc
closepath
fill
grestore
22 -166 M
(The same nonce has not been sent previously in the same session. ) S
11 -176.6 M
gsave
0 setgray
newpath
11.0 -176.569992 2.75 0 360 arc
closepath
fill
grestore
22 -180.2 M
2.75735283 0 32 0 0 (It is not larger than the nc-max value which has been sent from the server in the session) A
22 -193.4 M
(represented by the sid. ) S
11 -204 M
gsave
0 setgray
newpath
11.0 -203.969986 2.75 0 360 arc
closepath
fill
grestore
22 -207.6 M
0.526855469 0 32 0 0 (It is larger than \(largest-nc - nc-window\), where largest-nc is the maximal value of nc which has) A
22 -220.8 M
0.178466797 0 32 0 0 (previously been sent in the session, and nc-window is the value of the nc-window field which has) A
22 -234 M
(been sent from the server in the ) S
(session.) S
0 -258.2 M
0.857552111 0 32 0 0 (The last condition allows servers to reject any nonce value which is "significantly" smaller than the) A
0 -271.4 M
0.0197610296 0 32 0 0 ("current" value \(defined by the value of nc-window\) of the nonce used in the session involved. In other) A
0 -284.6 M
2.6373198 0 32 0 0 (words, servers MAY treat such nonces as "already received". This restriction enables servers to) A
0 -297.8 M
(implement duplicated nonce detection in a constant amount of memory \(for each session\). ) S
0 -322 M
1.3338542 0 32 0 0 (Servers MUST check for duplication of the received nonces, and if any duplication is detected, the) A
0 -335.2 M
0.0078125 0 32 0 0 (server MUST discard the session and respond by a 401-B0-stale message, as outlined in ) A
gsave
newpath
390.2 -336.3 M
41.2382812 0 RL
stroke
grestore
0.0078125 0 32 0 0 (Section\2409) A
[/Rect [389.152344 -337.950043 432.390625 -325.850037] /Subtype /Link /Border [0 0 0] /Dest /60 /ANN pdfmark
0.0078125 0 32 0 0 (. The) A
0 -348.4 M
0.278262854 0 32 0 0 (server MAY also reject other invalid nonce values \(such as ones above the nc-max limit\) by sending a) A
0 -361.6 M
(401-B0-stale message. ) S
0 -385.8 M
0.36328125 0 32 0 0 (For example, consider the nc-window value of the current session to be 32, the nc-max to be 100, and) A
0 -399 M
1.04062498 0 32 0 0 (that the client has already used the following nonce values beforehand: {1-20, 22, 24, 30-38, 45-60,) A
0 -412.2 M
0.370659709 0 32 0 0 (63-72}. Then the nonce value which can be used for the next request is one of the following set: {41-44,) A
0 -425.4 M
0.0647978 0 32 0 0 (61-62, 73-100}. The values {0, 21, 23, 25-29, 39-40} MAY be rejected by the server because these are) A
0 -438.6 M
(not above the current "window limit" \(40 = 72 - 32\). ) S
0 -462.8 M
0.903320312 0 32 0 0 (Typically, clients can ensure the above property by using a monotonically-increasing integer counter) A
0 -476 M
(counting from zero up to the value of nc-max. ) S
0 -500.2 M
0.186104909 0 32 0 0 (Values of nonces and nonce-related values MUST always be treated as natural numbers within infinite) A
0 -513.4 M
0.77734375 0 32 0 0 (range. Implementations using fixed-width integers or fixed-precision floating numbers MUST handle) A
0 -526.6 M
0.84765625 0 32 0 0 (integer overflow correctly and carefully. Such implementations are RECOMMENDED to accept any) A
0 -539.8 M
0.776227653 0 32 0 0 (larger values which cannot be represented in the fixed-width integer representations, as long as other) A
0 -553 M
0.0326450877 0 32 0 0 (limits such as internal header-length restrictions are not involved. The protocol is designed carefully so) A
0 -566.2 M
0.902622759 0 32 0 0 (that both clients and servers can implement the protocol only with fixed-width integers, by rounding) A
0 -579.4 M
(any overflowed values to the maximum possible value. ) S
0 -590.4 M
[/View [/XYZ -4 166.599792 null] /Dest /55 /DEST pdfmark
0 -590.4 M
[/View [/XYZ -4 166.599792 null] /Dest /56 /DEST pdfmark
0 -609.4 M
%%IncludeResource: font Times-Bold
15 2 Nf
(7.) S
[/View [/XYZ -4 165.599792 null] /Dest /171 /DEST pdfmark
( Validation ) S
(Methods) S
0 -633.6 M
11 0 Nf
1.56730771 0 32 0 0 (The "validation method" specifies a method to "relate" the mutual authentication processed by this) A
0 -646.8 M
3.67773438 0 32 0 0 (protocol with other authentications already performed in the underlying layers and to prevent) A
0 -660 M
(man-in-the-middle attacks. It decides the value of v which is an input to authentication protocols. ) S
0 -660 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 17 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 18 18
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(The valid tokens for the validation field and corresponding values of v are as follows: ) S
11 -37.4 M
(host: ) S
33 -50.6 M
3.60216355 0 32 0 0 (hostname validation: The value v will be the ASCII string in the following format:) A
33 -63.8 M
4.62066 0 32 0 0 ("<scheme>://<host>:<port>", where scheme, host and port are the URI components) A
33 -77 M
0.318810105 0 32 0 0 (corresponding to the currently accessed resource. The scheme and host are lower-case, and the) A
33 -90.2 M
1.43437505 0 32 0 0 (port is in a shortest decimal representation. Even if the request-URI does not have a port) A
33 -103.4 M
(part, v will include the one. ) S
11 -116.6 M
(tls-cert: ) S
33 -129.8 M
0.133501843 0 32 0 0 (TLS certificate validation: The value v will be the octet string of the hash value of the public) A
33 -143 M
1.04176688 0 32 0 0 (key certificate used in underlying ) A
gsave
newpath
188.1 -144.1 M
19.5507812 0 RL
stroke
grestore
1.04176688 0 32 0 0 (TLS) A
[/Rect [187.148438 -145.749985 208.699219 -133.649979] /Subtype /Link /Border [0 0 0] /Dest /108 /ANN pdfmark
1.04176688 0 32 0 0 ( [RFC5246] \(or SSL\) connection. The hash value is) A
33 -156.2 M
4.91764307 0 32 0 0 (defined as the value of the whole signed certificate \(specified as "Certificate" in ) A
33 -169.4 M
gsave
newpath
33 -170.5 M
50.1054688 0 RL
stroke
grestore
([RFC5280]) S
[/Rect [32.0 -172.149979 84.1054688 -160.049973] /Subtype /Link /Border [0 0 0] /Dest /117 /ANN pdfmark
(\), hashed by the hash algorithm specified by the authentication algorithm used. ) S
11 -182.6 M
(tls-key: ) S
33 -195.8 M
0.926041663 0 32 0 0 (TLS shared-key validation: The value v will be the octet string of the shared master secret) A
33 -209 M
(negotiated in underlying TLS \(or SSL\) ) S
(connection.) S
0 -233.2 M
0.598437488 0 32 0 0 (If the HTTP protocol is used on non-encrypted channel \(TCP and SCTP, for example\), the validation) A
0 -246.4 M
1.02650666 0 32 0 0 (type MUST be "host". If ) A
gsave
newpath
116.1 -247.5 M
50.0976562 0 RL
stroke
grestore
1.02650666 0 32 0 0 (HTTP/TLS) A
[/Rect [115.109375 -249.149963 167.207031 -237.049957] /Subtype /Link /Border [0 0 0] /Dest /103 /ANN pdfmark
1.02650666 0 32 0 0 ( [RFC2818] \(https\) protocol is used with server certificates, the) A
0 -259.6 M
0.319754452 0 32 0 0 (validation type MUST be either "tls-cert" or "tls-key". If HTTP/TLS protocol is used with anonymous) A
0 -272.8 M
(Diffie-Hellman key exchange, the validation type MUST be "tls-key" \(but see the note below\). ) S
0 -297 M
(Clients MUST validate this field upon reception of 401-B0 messages. ) S
0 -321.2 M
1.01367188 0 32 0 0 (However, when the client is a Web browser with any scripting capabilities, underlying TLS channel) A
0 -334.4 M
4.06427574 0 32 0 0 (used with HTTP/TLS MUST provide server identity verification. This means \(1\) anonymous) A
0 -347.6 M
2.45865893 0 32 0 0 (Diffie-Hellman key exchange ciphersuite MUST\240NOT be used, and \(2\) the verification of server) A
0 -360.8 M
(certificate provided from the server MUST be employed. ) S
0 -385 M
2.54537249 0 32 0 0 (For other systems, when underlying TLS channel used with HTTP/TLS does not provide server) A
0 -398.2 M
2.07872605 0 32 0 0 (identity verification, the client SHOULD ensure that all responses are validated using the Mutual) A
0 -411.4 M
(authentication protocol, regardless of the existence of the 401-B0 responses. ) S
0 -435.6 M
1.95102167 0 32 0 0 (Note: The protocol defines two variants for validation on TLS connections. The method "tls-key") A
0 -448.8 M
(is more secure. However, there are some situations where tls-cert is ) S
(preferable.) S
11 -469.4 M
gsave
0 setgray
newpath
11.0 -469.370117 2.75 0 360 arc
closepath
fill
grestore
22 -473 M
0.0490722656 0 32 0 0 (When TLS accelerating proxies are used. In this case, it is difficult for the authenticating server to) A
22 -486.2 M
0.125868052 0 32 0 0 (acquire the TLS key information which is used between the client and the proxy. It is not the case) A
22 -499.4 M
(for client-side "tunneling" proxies using CONNECT method extension of HTTP. ) S
11 -510 M
gsave
0 setgray
newpath
11.0 -509.970154 2.75 0 360 arc
closepath
fill
grestore
22 -513.6 M
(When a black-box implementation of the TLS protocol is used on either peer. ) S
0 -537.8 M
0.814236104 0 32 0 0 (Implementations supporting Mutual authentication over HTTPS protocol SHOULD support "tls-cert") A
0 -551 M
(validation. Support for "tls-key" validation is OPTIONAL for both servers and clients. ) S
0 -562 M
[/View [/XYZ -4 194.999817 null] /Dest /57 /DEST pdfmark
0 -562 M
[/View [/XYZ -4 194.999817 null] /Dest /58 /DEST pdfmark
0 -581 M
%%IncludeResource: font Times-Bold
15 2 Nf
(8.) S
[/View [/XYZ -4 193.999817 null] /Dest /172 /DEST pdfmark
( Decision procedure for the ) S
(client) S
0 -605.2 M
11 0 Nf
2.87980771 0 32 0 0 (To securely implement the protocol, the user client must be careful in accepting authenticated) A
0 -618.4 M
0.568917394 0 32 0 0 (responses from the server. This also holds upon reception of "normal responses" \(responses which do) A
0 -631.6 M
(not contain Mutual-related headers\) from HTTP servers. ) S
0 -631.6 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 18 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 19 19
%%PageResources: font Times-Roman Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
2.376302 0 32 0 0 (Clients SHOULD implement the decision procedure equivalent to the one shown below. \(Unless) A
0 -26.4 M
2.17277646 0 32 0 0 (implementers understand what is required for the security, they should not alter this.\) Especially,) A
0 -39.6 M
0.892578125 0 32 0 0 (clients SHOULD\240NOT accept "normal responses" unless explicitly allowed below. The labels on the) A
0 -52.8 M
0.578683 0 32 0 0 (steps are for informational purpose only. Entries within each step are checked in top-to-bottom order,) A
0 -66 M
(and the first clause satisfied SHOULD be taken. ) S
11 -90.2 M
(Step 1 \(step_new_request\): ) S
33 -103.4 M
2.3742187 0 32 0 0 (If the client software needs to get a new Web resource, check whether the resource is) A
33 -116.6 M
0.176081732 0 32 0 0 (expected to be inside some authentication realm for which the user has already authenticated) A
33 -129.8 M
(by the Mutual authentication scheme. If yes, go to Step 2. Otherwise, go to Step 5. ) S
11 -143 M
(Step 2: ) S
33 -156.2 M
0.988020837 0 32 0 0 (Check whether there is an available sid for the authentication realm you expect. If there is) A
33 -169.4 M
(one, go to Step 3. Otherwise, go to Step 4. ) S
11 -182.6 M
(Step 3 \(step_send_a3_1\): ) S
33 -195.8 M
(Send a req-A3 request. ) S
44 -206.4 M
gsave
0 setgray
newpath
44.0 -206.36998 2.75 0 360 arc
closepath
fill
grestore
55 -210 M
0.011117788 0 32 0 0 (If you receive a 401-B0 message with a different authentication realm than expected, go) A
55 -223.2 M
(to Step 6. ) S
44 -233.8 M
gsave
0 setgray
newpath
44.0 -233.769974 2.75 0 360 arc
closepath
fill
grestore
55 -237.4 M
1.48473012 0 32 0 0 (If you receive a 200-Optional-B0 message with a different authentication realm than) A
55 -250.6 M
(expected, go to Step 6. ) S
44 -261.2 M
gsave
0 setgray
newpath
44.0 -261.169952 2.75 0 360 arc
closepath
fill
grestore
55 -264.8 M
(If you receive a 401-B0-stale message, go to Step 9. ) S
44 -275.4 M
gsave
0 setgray
newpath
44.0 -275.369965 2.75 0 360 arc
closepath
fill
grestore
55 -279 M
(If you receive a 401-B0 message, go to Step 13. ) S
44 -289.6 M
gsave
0 setgray
newpath
44.0 -289.569977 2.75 0 360 arc
closepath
fill
grestore
55 -293.2 M
(If you receive a 200-B4 message, go to Step 14. ) S
44 -303.8 M
gsave
0 setgray
newpath
44.0 -303.77 2.75 0 360 arc
closepath
fill
grestore
55 -307.4 M
(If you receive a normal response, go to Step ) S
(11.) S
11 -320.6 M
(Step 4 \(step_send_a1_1\): ) S
33 -333.8 M
(Send a req-A1 request. ) S
44 -344.4 M
gsave
0 setgray
newpath
44.0 -344.370026 2.75 0 360 arc
closepath
fill
grestore
55 -348 M
0.011117788 0 32 0 0 (If you receive a 401-B0 message with a different authentication realm than expected, go) A
55 -361.2 M
(to Step 6. ) S
44 -371.8 M
gsave
0 setgray
newpath
44.0 -371.77005 2.75 0 360 arc
closepath
fill
grestore
55 -375.4 M
1.48473012 0 32 0 0 (If you receive a 200-Optional-B0 message with a different authentication realm than) A
55 -388.6 M
(expected, go to Step 6. ) S
44 -399.2 M
gsave
0 setgray
newpath
44.0 -399.170074 2.75 0 360 arc
closepath
fill
grestore
55 -402.8 M
(If you receive a 401-B1 message, go to Step 10. ) S
44 -413.4 M
gsave
0 setgray
newpath
44.0 -413.370087 2.75 0 360 arc
closepath
fill
grestore
55 -417 M
0.170833334 0 32 0 0 (If you receive a 401-B0 message with the same authentication realm, go to Step 13 \(see) A
55 -430.2 M
(Note 1\). ) S
44 -440.8 M
gsave
0 setgray
newpath
44.0 -440.770111 2.75 0 360 arc
closepath
fill
grestore
55 -444.4 M
(If you receive a normal response, go to Step ) S
(11.) S
11 -457.6 M
(Step 5 \(step_send_normal_1\): ) S
33 -470.8 M
(Send a request without any Mutual authentication headers. ) S
44 -481.4 M
gsave
0 setgray
newpath
44.0 -481.370148 2.75 0 360 arc
closepath
fill
grestore
55 -485 M
(If you receive a 401-B0 message, go to Step 6. ) S
44 -495.6 M
gsave
0 setgray
newpath
44.0 -495.57016 2.75 0 360 arc
closepath
fill
grestore
55 -499.2 M
(If you receive a 200-Optional-B0 message, go to Step 6. ) S
44 -509.8 M
gsave
0 setgray
newpath
44.0 -509.770172 2.75 0 360 arc
closepath
fill
grestore
55 -513.4 M
(If you receive a normal response, go to Step ) S
(11.) S
11 -526.6 M
(Step 6 \(step_rcvd_b0\): ) S
33 -539.8 M
0.41015625 0 32 0 0 (Check whether you know the user's password for the requested authentication realm. If yes,) A
33 -553 M
(go to Step 7. Otherwise, go to Step 12. ) S
11 -566.2 M
(Step 7: ) S
33 -579.4 M
0.988020837 0 32 0 0 (Check whether there is an available sid for the authentication realm you expect. If there is) A
33 -592.6 M
(one, go to Step 8. Otherwise, go to Step 9. ) S
11 -605.8 M
(Step 8 \(step_send_a3\): ) S
33 -619 M
(Send a req-A3 request. ) S
44 -629.6 M
gsave
0 setgray
newpath
44.0 -629.570251 2.75 0 360 arc
closepath
fill
grestore
55 -633.2 M
(If you receive a 401-B0-stale message, go to Step 9. ) S
44 -643.8 M
gsave
0 setgray
newpath
44.0 -643.770264 2.75 0 360 arc
closepath
fill
grestore
55 -647.4 M
(If you receive a 401-B0 message, go to Step 13. ) S
44 -658 M
gsave
0 setgray
newpath
44.0 -657.970276 2.75 0 360 arc
closepath
fill
grestore
55 -661.6 M
(If you receive a 200-B4 message, go to Step ) S
(14.) S
33 -661.6 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 19 -) S
0 setgray
22 -8 M
grestore
pgsave restore N
%%Page: 20 20
%%PageResources: font Times-Roman Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
11 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(Step 9 \(step_send_a1\): ) S
33 -26.4 M
(Send a req-A1 request. ) S
44 -37 M
gsave
0 setgray
newpath
44.0 -36.97 2.75 0 360 arc
closepath
fill
grestore
55 -40.6 M
(If you receive a 401-B1 message, go to Step 10. ) S
44 -51.2 M
gsave
0 setgray
newpath
44.0 -51.170002 2.75 0 360 arc
closepath
fill
grestore
55 -54.8 M
(If you receive a 401-B0 message, go to Step 13 \(See Note ) S
(1\).) S
11 -68 M
(Step 10 \(step_rcvd_b1\): ) S
33 -81.2 M
(Send a req-A3 request. ) S
44 -91.8 M
gsave
0 setgray
newpath
44.0 -91.77 2.75 0 360 arc
closepath
fill
grestore
55 -95.4 M
(If you receive a 401-B0 message, go to Step 13. ) S
44 -106 M
gsave
0 setgray
newpath
44.0 -105.969994 2.75 0 360 arc
closepath
fill
grestore
55 -109.6 M
(If you receive a 200-B4 message, go to Step ) S
(14.) S
11 -122.8 M
(Step 11 \(step_rcvd_normal\): ) S
33 -136 M
0.703125 0 32 0 0 (This case means that the resource requested is out of the authenticated area. The client will) A
33 -149.2 M
5.19424725 0 32 0 0 (be in the "UNAUTHENTICATED" status. If the response contains a request for) A
33 -162.4 M
(authentications other than Mutual, it MAY be handled normally. ) S
11 -175.6 M
(Step 12 \(step_rcvd_b0_unknown\): ) S
33 -188.8 M
0.857271612 0 32 0 0 (This case means that the resource requested requires Mutual authentication, and the user is) A
33 -202 M
5.05220175 0 32 0 0 (not authenticated yet. The client will be in the "AUTH_REQUESTED" status, and is) A
33 -215.2 M
0.488839298 0 32 0 0 (RECOMMENDED to process the content sent from the server and ask user a username and) A
33 -228.4 M
(a password. If the user has inputted those, go to Step 9. ) S
11 -241.6 M
(Step 13 \(step_rcvd_b0_failed\): ) S
33 -254.8 M
0.706473231 0 32 0 0 (This case means that for some reason the authentication failed: possibly the password or the) A
33 -268 M
5.899858 0 32 0 0 (username is invalid for the authenticated resource. Forget the password for the) A
33 -281.2 M
(authentication realm and go to Step 12. ) S
11 -294.4 M
(Step 14 \(step_rcvd_b4\): ) S
33 -307.6 M
1.10340071 0 32 0 0 (Check the validity of the received o_b value. If it is equal to the expected value, it means) A
33 -320.8 M
6.65332031 0 32 0 0 (that the mutual authentication has been succeeded. The client will be in the) A
33 -334 M
("AUTH_SUCCEEDED" status. ) S
33 -347.2 M
(If the value is unexpected, it is a fatal communication error. ) S
33 -360.4 M
1.23255205 0 32 0 0 (If a user requests to log out explicitly \(via user interfaces\), the client MUST forget user's) A
33 -373.6 M
(password, go to step 5 and reload the current resource without authentication credential. ) S
11 -386.8 M
(Note 1: ) S
33 -400 M
(These transitions are valid for clients, but not recommended for servers to ) S
(initiate.) S
0 -424.2 M
1.1690104 0 32 0 0 (Any kind of response \(including a normal response\) other than those shown in the above procedure) A
0 -437.4 M
1.82121396 0 32 0 0 (SHOULD be interpreted as fatal communication error, and in such cases user clients MUST\240NOT) A
0 -450.6 M
0.0335937515 0 32 0 0 (process any data \(response body and other content-related headers\) sent from the server. However, as a) A
0 -463.8 M
1.3125 0 32 0 0 (handling for exceptional error cases, clients MAY accept a message without an Authentication-Info) A
0 -477 M
0.251464844 0 32 0 0 (header, if it is a Server-Error \(5xx\) status. The client will be in the "UNAUTHENTICATED" status in) A
0 -490.2 M
(these cases. ) S
0 -514.4 M
0.683072925 0 32 0 0 (The client software SHOULD display the three client status to the end-user. For an interactive client,) A
0 -527.6 M
0.583984375 0 32 0 0 (however, if a request is a sub-request for a resource included to another page \(e.g. embedded images,) A
0 -540.8 M
7.83323336 0 32 0 0 (style sheets, frames etc.\), its status MAY be omitted from being shown, and any) A
0 -554 M
1.35227275 0 32 0 0 ("AUTH_REQUESTED" statuses MAY be treated in the same way as an "UNAUTHENTICATED") A
0 -567.2 M
(status. ) S
0 -591.4 M
gsave
newpath
0 -592.5 M
42.4609375 0 RL
stroke
grestore
(Figure\24010) S
[/Rect [-1.0 -594.150208 43.4609375 -582.050232] /Subtype /Link /Border [0 0 0] /Dest /59 /ANN pdfmark
( shows the full client-side state diagram. ) S
0 -602.4 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -613.4 M
[/View [/XYZ -4 143.599792 null] /Dest /59 /DEST pdfmark
0 -613.4 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 20 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 21 21
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -394 M
gsave
0.0 -394.0 translate
/IS 1 D
save
0 0 M
IS IS scale
/showpage {}D
-71 -427 translate
/tgifdict 53 dict def
tgifdict begin
/tgifarrowtipdict 8 dict def
tgifarrowtipdict /mtrx matrix put
% TGAT (tgif arrow tip): x y w h dx dy TGAT -
% Appends an open two-segment arrow-head outline to the current path.
% The apex is at (x, y); the head is w long and h to either side, and
% it is turned to the direction of the vector (dx, dy).
% The procedure neither starts, closes nor paints the path: callers in
% this file issue NP before it and CP F after it.
/TGAT % tgifarrowtip
 { tgifarrowtipdict begin          % locals live in the private arrow-tip dict
      % Operands are popped top-first, so dy is on top of the stack.
      /dy exch def
      /dx exch def
      /h exch def
      /w exch def
      /y exch def
      /x exch def
      % Snapshot the CTM into the preallocated matrix (mtrx) so it can be
      % put back after the temporary translate/rotate below.
      /savematrix mtrx currentmatrix def
      x y translate                % origin at the arrow apex
      dy dx atan rotate            % angle of (dx, dy); atan fails if both are 0
      0 0 moveto                   % apex
      w neg h lineto               % one rear corner
      w neg h neg lineto           % opposite rear corner
      savematrix setmatrix         % restore the caller's CTM; the path is kept
   end
 } def
% TGMAX: a b TGMAX max
% Leaves the larger of the two operands on the stack (b when they compare equal).
/TGMAX
 { 2 copy gt            % a b (a > b)
     { pop }            % a is larger: drop b
     { exch pop }       % otherwise: drop a
   ifelse
 } def
% TGMIN: a b TGMIN min
% Leaves the smaller of the two operands on the stack (b when they compare equal).
/TGMIN
 { 2 copy lt            % a b (a < b)
     { pop }            % a is smaller: drop b
     { exch pop }       % otherwise: drop a
   ifelse
 } def
% Short aliases used by the embedded tgif figure.
% They are defined while tgifdict is the current dictionary, so they only
% apply between "tgifdict begin" and the matching "end".  Several names
% (S, M, RL, RM) are also used by the page text outside this dictionary,
% apparently with other meanings there (e.g. "(text) S"); here S is stroke.
/TGSW { stringwidth pop } def      % string -> x-width in the current font
/bd { bind def } bind def          % define with operator names bound early
/GS { gsave } bd
/GR { grestore } bd
/NP { newpath } bd
/CP { closepath } bd
/CHP { charpath } bd
/CT { curveto } bd
/L { lineto } bd
/RL { rlineto } bd
/M { moveto } bd
/RM { rmoveto } bd
/S { stroke } bd
/F { fill } bd
/TR { translate } bd
/RO { rotate } bd
/SC { scale } bd
/MU { mul } bd
/DI { div } bd
/DU { dup } bd
/NE { neg } bd
/AD { add } bd
/SU { sub } bd
/PO { pop } bd
/EX { exch } bd
/CO { concat } bd
/CL { clip } bd
/EC { eoclip } bd
/EF { eofill } bd
/IM { image } bd
/IMM { imagemask } bd
/ARY { array } bd
/SG { setgray } bd
/RG { setrgbcolor } bd
/SD { setdash } bd
/W { setlinewidth } bd
/SM { setmiterlimit } bd
/SLC { setlinecap } bd
/SLJ { setlinejoin } bd
/SH { show } bd
/FF { findfont } bd
/MS { makefont setfont } bd        % font matrix -> scaled font made current
/AR { arcto 4 {pop} repeat } bd    % rounded corner; discards arcto's 4 results
/CURP { currentpoint } bd
/FLAT { flattenpath strokepath clip newpath } bd  % clip to the stroked outline
% TGSM resets the CTM to tgiforigctm, which is defined later, at the start
% of the drawing code.
/TGSM { tgiforigctm setmatrix } def
% TGRM reads savematrix; in the visible code that name is only defined
% inside tgifarrowtipdict by TGAT, and no call to TGRM appears in this
% part of the file.
/TGRM { savematrix setmatrix } def
end
tgifdict begin
/tgifsavedpage save def
1 SM
1 W
0 SG
72 0 MU 72 11.602 MU TR
72 128 DI 100.000 MU 100 DI DU NE SC
GS
/tgiforigctm matrix currentmatrix def
NP
0 SG
   GS
      1 W
      250 45 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NEW REQUEST) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NEW REQUEST) DU TGSW EX SH
            GS CURP M 0 2 RM NE 0 RL S GR
      GR
   GR
0 SG
NP
   250 95 M
   180 125 L
   250 155 L
   320 125 L
CP
GS
GR
GS
   S
GR
NP
0 SG
   GS
      1 W
      250 120 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (the requested URI) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (the requested URI) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (known to be authed?) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (known to be authed?) SH
      GR
   GR
0 SG
GS
   NP
      250 50 M
      45 0 atan DU cos 8.000 MU 250 exch SU
      exch sin 8.000 MU 95 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      250 95 8.000 3.000 0 45 TGAT
   1 SG CP F
   0 SG
   NP
      250 95 8.000 3.000 0 45 TGAT
   CP F
GR
0 SG
GS
   GS
      NP
         684 100 M
         700 100 700 150 16 AR
         700 134 L
         700 150 600 150 16 AR
         616 150 L
         600 150 600 100 16 AR
         600 116 L
         600 100 700 100 16 AR
      CP
      S
   GR
GR
NP
0 SG
   GS
      1 W
      650 120 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (normal request) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (normal request) SH
      GR
   GR
0 SG
GS
   NP
      600 105 M
      -35 -55 atan DU cos 8.000 MU 545 exch SU
      exch sin 8.000 MU 70 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      545 70 8.000 3.000 -55 -35 TGAT
   1 SG CP F
   0 SG
   NP
      545 70 8.000 3.000 -55 -35 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      480 75 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (UNAUTHENTICATED) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (UNAUTHENTICATED) DU TGSW EX SH
            GS CURP M 0 2 RM NE 0 RL S GR
      GR
   GR
0 SG
GS
   NP
      320 125 M
      0 280 atan DU cos 8.000 MU 600 exch SU
      exch sin 8.000 MU 125 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      600 125 8.000 3.000 280 0 TGAT
   1 SG CP F
   0 SG
   NP
      600 125 8.000 3.000 280 0 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      535 100 M
      GS
        GS
        0
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (normal response) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (normal response) SH
      GR
   GR
0 SG
NP
   650 195 M
   580 225 L
   650 255 L
   720 225 L
CP
GS
GR
GS
   S
GR
NP
0 SG
   GS
      1 W
      650 220 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (user/pass) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (user/pass) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (known?) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (known?) SH
      GR
   GR
0 SG
GS
   NP
      650 150 M
      45 0 atan DU cos 8.000 MU 650 exch SU
      exch sin 8.000 MU 195 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      650 195 8.000 3.000 0 45 TGAT
   1 SG CP F
   0 SG
   NP
      650 195 8.000 3.000 0 45 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      650 165 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-B0) SH
      GR
      0 15 RM
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (200-Optional-B0) SH
      GR
   GR
0 SG
GS
   NP
      590 230 M
      25 -55 atan DU cos 8.000 MU 535 exch SU
      exch sin 8.000 MU 255 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      535 255 8.000 3.000 -55 25 TGAT
   1 SG CP F
   0 SG
   NP
      535 255 8.000 3.000 -55 25 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      475 260 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (AUTH_REQUESTED) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (AUTH_REQUESTED) DU TGSW EX SH
            GS CURP M 0 2 RM NE 0 RL S GR
      GR
   GR
NP
0 SG
   GS
      1 W
      570 230 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      330 120 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) SH
      GR
   GR
0 SG
NP
   250 295 M
   180 325 L
   250 355 L
   320 325 L
CP
GS
GR
GS
   S
GR
NP
0 SG
   GS
      1 W
      250 320 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (session) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (session) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (available?) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (available?) SH
      GR
   GR
0 SG
GS
   NP
      250 155 M
      140 0 atan DU cos 8.000 MU 250 exch SU
      exch sin 8.000 MU 295 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      250 295 8.000 3.000 0 140 TGAT
   1 SG CP F
   0 SG
   NP
      250 295 8.000 3.000 0 140 TGAT
   CP F
GR
0 SG
GS
   GS
      NP
         284 400 M
         300 400 300 450 16 AR
         300 434 L
         300 450 200 450 16 AR
         216 450 L
         200 450 200 400 16 AR
         200 416 L
         200 400 300 400 16 AR
      CP
      S
   GR
GR
NP
0 SG
   GS
      1 W
      250 420 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-A3) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-A3) SH
      GR
   GR
0 SG
GS
   NP
      250 355 M
      45 0 atan DU cos 8.000 MU 250 exch SU
      exch sin 8.000 MU 400 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      250 400 8.000 3.000 0 45 TGAT
   1 SG CP F
   0 SG
   NP
      250 400 8.000 3.000 0 45 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      190 715 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (UNAUTHENTICATED) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (UNAUTHENTICATED) DU TGSW EX SH
            GS CURP M 0 2 RM NE 0 RL S GR
      GR
   GR
0 SG
GS
   NP
      200 430 M
      180 480 L
      215 0 atan DU cos 8.000 MU 180 exch SU
      exch sin 8.000 MU 695 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      180 695 8.000 3.000 0 215 TGAT
   1 SG CP F
   0 SG
   NP
      180 695 8.000 3.000 0 215 TGAT
   CP F
GR
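% Transition label "normal response", centred horizontally on (225, 640).
% The string is measured first (TGSW) so the pen can be moved back by half
% its width before it is shown; both copies of the string must match.
% Fix: the label was misspelled "normal resonse".
NP
0 SG
   GS
      1 W
      225 640 M
      GS
        GS
        0
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (normal response) TGSW
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (normal response) SH
      GR
   GR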
0 SG
GS
   NP
      300 425 M
      0 90 atan DU cos 8.000 MU 390 exch SU
      exch sin 8.000 MU 425 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      390 425 8.000 3.000 90 0 TGAT
   1 SG CP F
   0 SG
   NP
      390 425 8.000 3.000 90 0 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      345 420 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-B0) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      450 430 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (AUTH_REQUESTED) TGSW 
        AD
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (:) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (AUTH_REQUESTED) DU TGSW EX SH
            GS CURP M 0 2 RM NE 0 RL S GR
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (:) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (forget password) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (forget password) SH
      GR
   GR
0 SG
GS
   NP
      180 325 M
      180 460 L
      250 480 L
      20 0 atan DU cos 8.000 MU 250 exch SU
      exch sin 8.000 MU 500 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      250 500 8.000 3.000 0 20 TGAT
   1 SG CP F
   0 SG
   NP
      250 500 8.000 3.000 0 20 TGAT
   CP F
GR
0 SG
GS
   GS
      NP
         284 500 M
         300 500 300 550 16 AR
         300 534 L
         300 550 200 550 16 AR
         216 550 L
         200 550 200 500 16 AR
         200 516 L
         200 500 300 500 16 AR
      CP
      S
   GR
GR
NP
0 SG
   GS
      1 W
      250 520 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-A1) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-A1) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      170 335 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) SH
      GR
   GR
0 SG
GS
   NP
      200 525 M
      180 555 L
      140 0 atan DU cos 8.000 MU 180 exch SU
      exch sin 8.000 MU 695 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      180 695 8.000 3.000 0 140 TGAT
   1 SG CP F
   0 SG
   NP
      180 695 8.000 3.000 0 140 TGAT
   CP F
GR
0 SG
GS
   NP
      450 600 M
      -150 0 atan DU cos 8.000 MU 450 exch SU
      exch sin 8.000 MU 450 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      450 450 8.000 3.000 0 -150 TGAT
   1 SG CP F
   0 SG
   NP
      450 450 8.000 3.000 0 -150 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      455 580 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-B0) SH
      GR
   GR
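% Underlined state label, centred horizontally on (450, 720).
% Fix: the label read "AUTH_SUCCEED"; the client procedure text (Step 14)
% names this status "AUTH_SUCCEEDED", so the figure uses the same name.
% The string is measured first (TGSW) to centre it, then shown, and the
% underline is drawn back over the shown width.
NP
0 SG
   GS
      1 W
      450 720 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (AUTH_SUCCEEDED) TGSW
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (AUTH_SUCCEEDED) DU TGSW EX SH
            % underline: 2 units below the baseline, back across the text width
            GS CURP M 0 2 RM NE 0 RL S GR
      GR
   GR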
0 SG
GS
   NP
      250 550 M
      80 150 atan DU cos 8.000 MU 400 exch SU
      exch sin 8.000 MU 630 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      400 630 8.000 3.000 150 80 TGAT
   1 SG CP F
   0 SG
   NP
      400 630 8.000 3.000 150 80 TGAT
   CP F
GR
0 SG
GS
   NP
      295 445 M
      250 105 atan DU cos 8.000 MU 400 exch SU
      exch sin 8.000 MU 695 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      400 695 8.000 3.000 105 250 TGAT
   1 SG CP F
   0 SG
   NP
      400 695 8.000 3.000 105 250 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      345 552 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (200-B4) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      250 580 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-B1) SH
      GR
   GR
0 SG
GS
   GS
      NP
         484 600 M
         500 600 500 650 16 AR
         500 634 L
         500 650 400 650 16 AR
         416 650 L
         400 650 400 600 16 AR
         400 616 L
         400 600 500 600 16 AR
      CP
      S
   GR
GR
NP
0 SG
   GS
      1 W
      450 620 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-A3) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-A3) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      455 682 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (200-B4) SH
      GR
   GR
0 SG
GS
   NP
      450 650 M
      45 0 atan DU cos 8.000 MU 450 exch SU
      exch sin 8.000 MU 695 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      450 695 8.000 3.000 0 45 TGAT
   1 SG CP F
   0 SG
   NP
      450 695 8.000 3.000 0 45 TGAT
   CP F
GR
0 SG
NP
   650 295 M
   580 325 L
   650 355 L
   720 325 L
CP
GS
GR
GS
   S
GR
NP
0 SG
   GS
      1 W
      650 320 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (session) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (session) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (available?) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (available?) SH
      GR
   GR
0 SG
GS
   GS
      NP
         684 400 M
         700 400 700 450 16 AR
         700 434 L
         700 450 600 450 16 AR
         616 450 L
         600 450 600 400 16 AR
         600 416 L
         600 400 700 400 16 AR
      CP
      S
   GR
GR
NP
0 SG
   GS
      1 W
      650 420 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-A3) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-A3) SH
      GR
   GR
0 SG
GS
   NP
      650 355 M
      45 0 atan DU cos 8.000 MU 650 exch SU
      exch sin 8.000 MU 400 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      650 400 8.000 3.000 0 45 TGAT
   1 SG CP F
   0 SG
   NP
      650 400 8.000 3.000 0 45 TGAT
   CP F
GR
0 SG
GS
   GS
      NP
         684 500 M
         700 500 700 550 16 AR
         700 534 L
         700 550 600 550 16 AR
         616 550 L
         600 550 600 500 16 AR
         600 516 L
         600 500 700 500 16 AR
      CP
      S
   GR
GR
NP
0 SG
   GS
      1 W
      650 520 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-A1) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-A1) SH
      GR
   GR
0 SG
GS
   NP
      650 255 M
      40 0 atan DU cos 8.000 MU 650 exch SU
      exch sin 8.000 MU 295 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      650 295 8.000 3.000 0 40 TGAT
   1 SG CP F
   0 SG
   NP
      650 295 8.000 3.000 0 40 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      520 420 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-B0) SH
      GR
   GR
0 SG
GS
   NP
      600 425 M
      0 -90 atan DU cos 8.000 MU 510 exch SU
      exch sin 8.000 MU 425 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      510 425 8.000 3.000 -90 0 TGAT
   1 SG CP F
   0 SG
   NP
      510 425 8.000 3.000 -90 0 TGAT
   CP F
GR
0 SG
GS
   NP
      720 325 M
      720 465 L
      650 480 L
      20 0 atan DU cos 8.000 MU 650 exch SU
      exch sin 8.000 MU 500 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      650 500 8.000 3.000 0 20 TGAT
   1 SG CP F
   0 SG
   NP
      650 500 8.000 3.000 0 20 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      630 570 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-B1) SH
      GR
   GR
0 SG
GS
   NP
      650 550 M
      75 -150 atan DU cos 8.000 MU 500 exch SU
      exch sin 8.000 MU 625 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      500 625 8.000 3.000 -150 75 TGAT
   1 SG CP F
   0 SG
   NP
      500 625 8.000 3.000 -150 75 TGAT
   CP F
GR
0 SG
GS
   NP
      605 445 M
      250 -105 atan DU cos 8.000 MU 500 exch SU
      exch sin 8.000 MU 695 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      500 695 8.000 3.000 -105 250 TGAT
   1 SG CP F
   0 SG
   NP
      500 695 8.000 3.000 -105 250 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      520 552 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (200-B4) SH
      GR
   GR
0 SG
GS
   NP
      300 440 M
      65 305 atan DU cos 8.000 MU 605 exch SU
      exch sin 8.000 MU 505 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      605 505 8.000 3.000 305 65 TGAT
   1 SG CP F
   0 SG
   NP
      605 505 8.000 3.000 305 65 TGAT
   CP F
GR
0 SG
GS
   NP
      625 450 M
      50 0 atan DU cos 8.000 MU 625 exch SU
      exch sin 8.000 MU 500 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      625 500 8.000 3.000 0 50 TGAT
   1 SG CP F
   0 SG
   NP
      625 500 8.000 3.000 0 50 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      355 475 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-B0-stale) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      630 465 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-B0-stale) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      730 320 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      665 265 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      235 165 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      265 365 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      635 365 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      775 45 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (USER/PASS INPUTED) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (USER/PASS INPUTED) DU TGSW EX SH
            GS CURP M 0 2 RM NE 0 RL S GR
      GR
   GR
0 SG
GS
   NP
      780 50 M
      780 470 L
      35 -85 atan DU cos 8.000 MU 695 exch SU
      exch sin 8.000 MU 505 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      695 505 8.000 3.000 -85 35 TGAT
   1 SG CP F
   0 SG
   NP
      695 505 8.000 3.000 -85 35 TGAT
   CP F
GR
0 SG
GS
   NP
      295 405 M
      330 355 L
      330 180 L
      0 320 atan DU cos 8.000 MU 650 exch SU
      exch sin 8.000 MU 180 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      650 180 8.000 3.000 320 0 TGAT
   1 SG CP F
   0 SG
   NP
      650 180 8.000 3.000 320 0 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      345 160 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-B0, 200-Optional-B0) SH
      GR
      0 15 RM
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (         with different realm ) SH
      GR
   GR
0 SG
GS
   NP
      295 505 M
      330 460 L
      330 355 L
   TGSM
   1 W
   S
GR
NP
0 SG
   GS
      1 W
      195 105 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(1\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      200 325 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(2\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      210 415 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(3\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      210 515 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(4\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      610 115 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(5\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      605 330 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(7\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      610 415 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(8\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      610 515 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(9\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      600 230 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(6\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      390 75 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(11\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      130 695 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(11\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      415 240 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(12\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      395 410 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(13\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      410 615 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(10\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      410 700 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(14\)) SH
      GR
   GR
GR
tgifsavedpage restore
end
showpage
restore
grestore
400.0 0.0 RM
167.1 -416.9 M
%%IncludeResource: font Times-Bold
7.63889 2 Nf
(\240Figure\24010: State diagram for ) S
(clients\240) S
0 -430.8 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -441.8 M
[/View [/XYZ -4 315.151398 null] /Dest /60 /DEST pdfmark
0 -441.8 M
[/View [/XYZ -4 315.151398 null] /Dest /61 /DEST pdfmark
0 -460.8 M
15 2 Nf
(9.) S
[/View [/XYZ -4 314.151398 null] /Dest /173 /DEST pdfmark
( Decision procedure for the ) S
(server) S
0 -485 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.136307567 0 32 0 0 (Each server SHOULD have a table of session states. This table need not be persistent in a long term; it) A
0 -498.2 M
1.00341797 0 32 0 0 (MAY be cleared upon server restart, reboot and others. Each entry of the table SHOULD contain at) A
0 -511.4 M
(least the following information: ) S
11 -532 M
gsave
0 setgray
newpath
11.0 -532.018616 2.75 0 360 arc
closepath
fill
grestore
22 -535.6 M
(The session identifier, the value of the sid field ) S
11 -546.2 M
gsave
0 setgray
newpath
11.0 -546.218628 2.75 0 360 arc
closepath
fill
grestore
22 -549.8 M
(The algorithm used ) S
11 -560.4 M
gsave
0 setgray
newpath
11.0 -560.41864 2.75 0 360 arc
closepath
fill
grestore
22 -564 M
(The authentication realm ) S
11 -574.6 M
gsave
0 setgray
newpath
11.0 -574.618652 2.75 0 360 arc
closepath
fill
grestore
22 -578.2 M
(The state of the protocol: one of "wa received", "authenticated", "rejected", and "inactive" ) S
11 -588.8 M
gsave
0 setgray
newpath
11.0 -588.818665 2.75 0 360 arc
closepath
fill
grestore
22 -592.4 M
(The user name received from the client ) S
11 -603 M
gsave
0 setgray
newpath
11.0 -603.018677 2.75 0 360 arc
closepath
fill
grestore
22 -606.6 M
(A boolean flag indicating whether the session is fake ) S
11 -617.2 M
gsave
0 setgray
newpath
11.0 -617.218689 2.75 0 360 arc
closepath
fill
grestore
22 -620.8 M
(When the state is "wa received", the values of wa and sb ) S
11 -631.4 M
gsave
0 setgray
newpath
11.0 -631.418701 2.75 0 360 arc
closepath
fill
grestore
22 -635 M
(When the state is "authenticated", the following information: ) S
33 -645.6 M
gsave
0 setgray
newpath
33.0 -645.618713 2.75 0 360 arc
closepath
stroke
grestore
44 -649.2 M
(The value of the session secret z ) S
33 -659.8 M
gsave
0 setgray
newpath
33.0 -659.818726 2.75 0 360 arc
closepath
stroke
grestore
44 -663.4 M
(The largest nc received from the client \(largest-nc\) ) S
44 -664.4 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 21 -) S
0 setgray
88 -8 M
grestore
pgsave restore N
%%Page: 22 22
%%PageResources: font Times-Roman Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
33 -9.6 M
gsave
0 setgray
newpath
33.0 -9.57000065 2.75 0 360 arc
closepath
stroke
grestore
44 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
3.39531255 0 32 0 0 (For each possible nc values between \(largest-nc\240-\240nc-window\240+\2401\) and max_nc, a flag) A
44 -26.4 M
11 0 Nf
(whether a request with corresponding nc has been received. ) S
0 -50.6 M
(The table MAY contain other information. ) S
0 -74.8 M
(Servers SHOULD respond to the client requests according to the following procedure: ) S
11 -95.4 M
gsave
0 setgray
newpath
11.0 -95.37 2.75 0 360 arc
closepath
fill
grestore
22 -99 M
(When the server receives a normal request: ) S
33 -109.6 M
gsave
0 setgray
newpath
33.0 -109.57 2.75 0 360 arc
closepath
stroke
grestore
44 -113.2 M
2.40655041 0 32 0 0 (If the requested resource is not protected by the Mutual Authentication, send a normal) A
44 -126.4 M
(response. ) S
33 -137 M
gsave
0 setgray
newpath
33.0 -136.97 2.75 0 360 arc
closepath
stroke
grestore
44 -140.6 M
(If the resource is protected by the Mutual Authentication, send a 401-B0 response. ) S
33 -151.2 M
gsave
0 setgray
newpath
33.0 -151.17 2.75 0 360 arc
closepath
stroke
grestore
44 -154.8 M
0.849283874 0 32 0 0 (If the resource is protected by the optional Mutual Authentication, send a 200-Optional-B0 ) A
44 -168 M
(response.) S
11 -178.6 M
gsave
0 setgray
newpath
11.0 -178.569992 2.75 0 360 arc
closepath
fill
grestore
22 -182.2 M
(When the server receives a req-A1 request: ) S
33 -192.8 M
gsave
0 setgray
newpath
33.0 -192.769989 2.75 0 360 arc
closepath
stroke
grestore
44 -196.4 M
2.40655041 0 32 0 0 (If the requested resource is not protected by the Mutual Authentication, send a normal) A
44 -209.6 M
(response. ) S
33 -220.2 M
gsave
0 setgray
newpath
33.0 -220.169983 2.75 0 360 arc
closepath
stroke
grestore
44 -223.8 M
1.86495531 0 32 0 0 (If the authentication realm specified in the req-A1 request is not the expected one, send) A
44 -237 M
(either a 401-B0 or a 200-Optional-B0 response. ) S
33 -247.6 M
gsave
0 setgray
newpath
33.0 -247.569977 2.75 0 360 arc
closepath
stroke
grestore
44 -251.2 M
(If the server cannot validate the field wa, send a 401-B0 response. ) S
33 -261.8 M
gsave
0 setgray
newpath
33.0 -261.769958 2.75 0 360 arc
closepath
stroke
grestore
44 -265.4 M
0.818638384 0 32 0 0 (If the received user name is either invalid, unknown or unacceptable, create a new session,) A
44 -278.6 M
2.65380859 0 32 0 0 (mark it as a "fake" session, compute a random value as wb, and send a fake 401-B1) A
44 -291.8 M
1.56282556 0 32 0 0 (response. \(Note: the server SHOULD\240NOT send 401-B0 response in this case, because it) A
44 -305 M
1.08854163 0 32 0 0 (will leak the information to the client that the specified user will not be accepted. Instead,) A
44 -318.2 M
(postpone it to the response for the next req-A3 request.\) ) S
33 -328.8 M
gsave
0 setgray
newpath
33.0 -328.77002 2.75 0 360 arc
closepath
stroke
grestore
44 -332.4 M
(Otherwise, create a new session, compute wb and send a 401-B1 ) S
(response.) S
22 -345.6 M
(The created session has "wa received" state. ) S
11 -356.2 M
gsave
0 setgray
newpath
11.0 -356.170044 2.75 0 360 arc
closepath
fill
grestore
22 -359.8 M
(When the server receives a req-A3 request: ) S
33 -370.4 M
gsave
0 setgray
newpath
33.0 -370.370056 2.75 0 360 arc
closepath
stroke
grestore
44 -374 M
2.40655041 0 32 0 0 (If the requested resource is not protected by the Mutual Authentication, send a normal) A
44 -387.2 M
(response. ) S
33 -397.8 M
gsave
0 setgray
newpath
33.0 -397.770081 2.75 0 360 arc
closepath
stroke
grestore
44 -401.4 M
1.86495531 0 32 0 0 (If the authentication realm specified in the req-A3 request is not the expected one, send) A
44 -414.6 M
(either a 401-B0 or a 200-Optional-B0 ) S
(response.) S
22 -427.8 M
0.437959552 0 32 0 0 (If none of the above holds, the server will look up the session corresponding to the received sid and) A
22 -441 M
(the authentication realm. ) S
33 -451.6 M
gsave
0 setgray
newpath
33.0 -451.570129 2.75 0 360 arc
closepath
stroke
grestore
44 -455.2 M
0.778952181 0 32 0 0 (If the session corresponding to the received sid could not be found, or it is inactive, send a) A
44 -468.4 M
(401-B0-stale response. ) S
33 -479 M
gsave
0 setgray
newpath
33.0 -478.970154 2.75 0 360 arc
closepath
stroke
grestore
44 -482.6 M
(If the session is in "rejected" state, send either a 401-B0 or a 401-B0-stale message. ) S
33 -493.2 M
gsave
0 setgray
newpath
33.0 -493.170166 2.75 0 360 arc
closepath
stroke
grestore
44 -496.8 M
1.94209564 0 32 0 0 (If the session is a "fake" session, or if the received oa is incorrect, then send a 401-B0) A
44 -510 M
0.504427075 0 32 0 0 (response. If the session is in "wa received" state, it SHOULD be changed to a "rejected" state;) A
44 -523.2 M
(otherwise, it MAY either be changed to a "rejected" status or keep the previous state. ) S
33 -533.8 M
gsave
0 setgray
newpath
33.0 -533.770203 2.75 0 360 arc
closepath
stroke
grestore
44 -537.4 M
0.650878906 0 32 0 0 (If the session is in "active" state, and request has a nc value which was previously received) A
44 -550.6 M
1.25450718 0 32 0 0 (from the client, send a 401-B0-stale message. The session SHOULD be changed to) A
44 -563.8 M
("inactive" status. ) S
33 -574.4 M
gsave
0 setgray
newpath
33.0 -574.370239 2.75 0 360 arc
closepath
stroke
grestore
44 -578 M
0.817578137 0 32 0 0 (If the nc value in the request is larger than the nc-max field sent from the server, or if it is) A
44 -591.2 M
1.124349 0 32 0 0 (not larger than \(largest-nc - nc-window\) \(when in "authenticated" status\), the server MAY) A
44 -604.4 M
0.340169281 0 32 0 0 (\(not REQUIRED\) send a 401-B0-stale message. The session SHOULD be changed to) A
44 -617.6 M
(an "inactive" status if it did so. ) S
33 -628.2 M
gsave
0 setgray
newpath
33.0 -628.170288 2.75 0 360 arc
closepath
stroke
grestore
44 -631.8 M
2.32752395 0 32 0 0 (Otherwise, send a 200-B4 response. If the session was in "wa received" state, the session) A
44 -645 M
0.794531226 0 32 0 0 (SHOULD be changed to an "authenticated" state. The maximum nc and the nc flags of the) A
44 -658.2 M
(state SHOULD be updated properly. ) S
0 -658.2 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 22 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 23 23
%%PageResources: font Times-Roman Times-Bold Courier Courier-Oblique Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.647395849 0 32 0 0 (At any time, the server MAY change any state entries with either "rejected" or "authenticated" status) A
0 -26.4 M
2.20078135 0 32 0 0 (to "inactive" status, and MAY discard any "inactive" states from the table. The entries with "wa) A
0 -39.6 M
1.23854172 0 32 0 0 (received" status SHOULD be kept unless there is an emergency situation such as server reboot and) A
0 -52.8 M
(table capacity overflow. ) S
0 -63.8 M
[/View [/XYZ -4 693.2 null] /Dest /62 /DEST pdfmark
0 -63.8 M
[/View [/XYZ -4 693.2 null] /Dest /63 /DEST pdfmark
0 -82.8 M
%%IncludeResource: font Times-Bold
15 2 Nf
(10.) S
[/View [/XYZ -4 692.2 null] /Dest /174 /DEST pdfmark
( Authentication-Control ) S
(header) S
0 -93.8 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -104.8 M
[/View [/XYZ -4 652.2 null] /Dest /64 /DEST pdfmark
0 -115.6 M
%%IncludeResource: font Courier
9.0 4 Nf
( ) S
%%IncludeResource: font Courier-Oblique
9.0 5 Nf
(Authentication-Control-header) S
0 -126.4 M
9.0 4 Nf
(                   = "Authentication-Control" ":" [) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
(]) S
0 -137.2 M
9.0 4 Nf
(                     ) S
9.0 5 Nf
(auth-scheme) S
9.0 4 Nf
( ) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
( ) S
9.0 5 Nf
(Auth-Ctrl-fields) S
0 -148 M
9.0 4 Nf
( ) S
9.0 5 Nf
(Auth-Ctrl-fields) S
9.0 4 Nf
(  = ) S
9.0 5 Nf
(Auth-Ctrl-field) S
0 -158.8 M
9.0 4 Nf
(                     *\([) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
(] "," ) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
( ) S
9.0 5 Nf
(Auth-Ctrl-field) S
9.0 4 Nf
(\)) S
0 -169.6 M
9.0 4 Nf
( ) S
9.0 5 Nf
(Auth-Ctrl-field) S
9.0 4 Nf
(   = ) S
9.0 5 Nf
(loc-when-unauthed) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(loc-when-logout) S
0 -180.4 M
9.0 4 Nf
(                   / ) S
9.0 5 Nf
(logout-timeout) S
0 -191.2 M
9.0 4 Nf
(                   / ) S
9.0 5 Nf
(extension-field) S
0 -202 M
9.0 4 Nf
( ) S
9.0 5 Nf
(loc-when-unauthed) S
9.0 4 Nf
( = "location-when-unauthenticated" "=" ) S
9.0 5 Nf
(string) S
0 -212.8 M
9.0 4 Nf
( ) S
9.0 5 Nf
(loc-when-logout) S
9.0 4 Nf
(   = "location-when-logout" "=" ) S
9.0 5 Nf
(string) S
118.6 -235.7 M
7.63889 2 Nf
(\240Figure\24011: the BNF syntax for the Authentication-Control ) S
(header\240) S
0 -249.6 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -273.8 M
11 0 Nf
3.42513013 0 32 0 0 (The Authentication-Control header gives more precise control for the client behavior for Web) A
0 -287 M
2.21754813 0 32 0 0 (applications using Mutual Access Control Protocol. This header may usually be generated in an) A
0 -300.2 M
(application layer, as opposed to WWW-Authenticate headers which will be generated by Web servers. ) S
0 -324.4 M
0.129206732 0 32 0 0 (Support of this header is RECOMMENDED for interactive clients and not required for non-interactive) A
0 -337.6 M
1.88972354 0 32 0 0 (clients. Web applications SHOULD consider security impacts of behavior of clients which do not) A
0 -350.8 M
(support this header. ) S
0 -375 M
1.3040365 0 32 0 0 (The "auth-scheme" of this header and other authentication-related headers within the same message) A
0 -388.2 M
1.08723962 0 32 0 0 (MUST be equal. This document does not define any behavior associated with this header, when the) A
0 -401.4 M
("auth-scheme" of this header is not "Mutual". ) S
0 -412.4 M
[/View [/XYZ -4 344.551239 null] /Dest /65 /DEST pdfmark
0 -412.4 M
[/View [/XYZ -4 344.551239 null] /Dest /66 /DEST pdfmark
0 -428 M
13 2 Nf
(10.1.) S
[/View [/XYZ -4 344.551239 null] /Dest /175 /DEST pdfmark
( Location-when-unauthenticated ) S
(field) S
0 -452.2 M
11 0 Nf
(Authentication-Control: Mutual) S
0 -465.4 M
(location-when-unauthenticated="http://www.example.com/login.html" ) S
0 -489.6 M
2.99262142 0 32 0 0 (The field "location-when-unauthenticated" specifies a location which any unauthenticated clients) A
0 -502.8 M
0.637152791 0 32 0 0 (should be redirected to. This header may be used, for example, when there is a central login page for) A
0 -516 M
0.905330896 0 32 0 0 (the whole Web application. The value of this field MUST be a string that contains an absolute URL) A
0 -529.2 M
0.788628459 0 32 0 0 (location. If a given URL is not absolute, clients MAY consider it as a relative URL from the current) A
0 -542.4 M
(location. ) S
0 -566.6 M
2.25390625 0 32 0 0 (This field MAY be used with 401-B0 and 200-Optional-B0 messages; however, use of this with) A
0 -579.8 M
0.126802891 0 32 0 0 (200-Optional-B0 messages is not recommended. If there is a 200-B4, 401-B0-stale or 401-B1 message) A
0 -593 M
(with this field, clients MUST ignore this field. ) S
0 -617.2 M
0.0417352 0 32 0 0 (When a client receives a message with this field, if and only if the client's state after processing the) A
0 -630.4 M
0.842516422 0 32 0 0 (response is either Step 12 or Step 13 \(i.e., a state in which the client will process response body and) A
0 -643.6 M
0.512586832 0 32 0 0 (ask user's password\), the client will treat the whole response as if it were a 303 "See Other" response) A
0 -656.8 M
2.05836391 0 32 0 0 (with a Location header with the value of this field \(i.e., client will be redirected to the specified) A
0 -670 M
0.845312476 0 32 0 0 (location with a GET request\). Unlike a normal 303 response, if the client can proceed with authentication) A
0 -670 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 23 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 24 24
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(without user's interaction \(like steps 3, 4, 8, 9 and 10\), this field is ignored. ) S
0 -37.4 M
11 0 Nf
0.45 0 32 0 0 (The specified location SHOULD be included in a set of locations specified in the "auth-domain" field) A
0 -50.6 M
(of the corresponding 401-B0 message. If this is not satisfied, clients MAY ignore this field. ) S
0 -61.6 M
[/View [/XYZ -4 695.4 null] /Dest /67 /DEST pdfmark
0 -61.6 M
[/View [/XYZ -4 695.4 null] /Dest /68 /DEST pdfmark
0 -77.2 M
%%IncludeResource: font Times-Bold
13 2 Nf
(10.2.) S
[/View [/XYZ -4 695.4 null] /Dest /176 /DEST pdfmark
( Location-when-logout ) S
(field) S
0 -101.4 M
11 0 Nf
(Authentication-Control: Mutual location-when-logout="http://www.example.com/byebye.html" ) S
0 -125.6 M
1.03013396 0 32 0 0 (The field "location-when-logout" specifies a location where the client is to be redirected when users) A
0 -138.8 M
1.66772461 0 32 0 0 (request logout explicitly. The value of this field MUST be a string that contains an absolute URL) A
0 -152 M
0.788628459 0 32 0 0 (location. If a given URL is not absolute, clients MAY consider it as a relative URL from the current) A
0 -165.2 M
(location. ) S
0 -189.4 M
3.58537936 0 32 0 0 (This field MAY be used with 200-B4 messages. If there is a 401-B0, 401-B1, 401-B0-stale,) A
0 -202.6 M
(200-Optional-B0 or normal 200 message with this field, clients MUST ignore this field. ) S
0 -226.8 M
2.41380215 0 32 0 0 (When users of a client request to terminate an authentication session, and if the client currently) A
0 -240 M
1.44577205 0 32 0 0 (displays a page supplied by a response with this field, the client will be redirected to the specified) A
0 -253.2 M
0.868652344 0 32 0 0 (location by a new GET request \(as with a 303 response\), instead of reloading the page without) A
0 -266.4 M
3.06610584 0 32 0 0 (authentication credentials. It is recommended for Web applications to send this field with an) A
0 -279.6 M
2.66243482 0 32 0 0 (appropriate value for any responses \(except those with redirection \(3XX\) statuses\) for non-GET) A
0 -292.8 M
(requests. ) S
0 -303.8 M
[/View [/XYZ -4 453.199982 null] /Dest /69 /DEST pdfmark
0 -303.8 M
[/View [/XYZ -4 453.199982 null] /Dest /70 /DEST pdfmark
0 -319.4 M
13 2 Nf
(10.3.) S
[/View [/XYZ -4 453.199982 null] /Dest /177 /DEST pdfmark
( ) S
(Logout-timeout) S
0 -343.6 M
11 0 Nf
(Authentication-Control: Mutual logout-timeout=300 ) S
0 -367.8 M
6.78683043 0 32 0 0 (The field "logout-timeout" has the same meaning as the field of the same name in) A
0 -381 M
1.43629813 0 32 0 0 ("Authentication-Info" headers. This field will be used with 200-B4 messages. If both are specified,) A
0 -394.2 M
(clients are recommended to use the one with the smaller value. ) S
0 -405.2 M
[/View [/XYZ -4 351.799927 null] /Dest /71 /DEST pdfmark
0 -405.2 M
[/View [/XYZ -4 351.799927 null] /Dest /72 /DEST pdfmark
0 -424.2 M
15 2 Nf
(11.) S
[/View [/XYZ -4 350.799927 null] /Dest /178 /DEST pdfmark
( Authentication ) S
(Algorithms) S
0 -448.4 M
11 0 Nf
0.81640625 0 32 0 0 (This document specifies only one family of the authentication algorithm. The family consists of four) A
0 -461.6 M
4.74726582 0 32 0 0 (authentication algorithms, which only differ in underlying mathematical groups and security) A
0 -474.8 M
(parameters. The algorithms do not add any additional fields. The tokens for algorithms ) S
(are) S
11 -495.4 M
gsave
0 setgray
newpath
11.0 -495.370117 2.75 0 360 arc
closepath
fill
grestore
22 -499 M
1.33897567 0 32 0 0 (iso-kam3-ec-p256-sha256: for the 256-bit prime-field elliptic-curve setting with SHA-256 hash) A
22 -512.2 M
(function. ) S
11 -522.8 M
gsave
0 setgray
newpath
11.0 -522.770142 2.75 0 360 arc
closepath
fill
grestore
22 -526.4 M
1.33897567 0 32 0 0 (iso-kam3-ec-p521-sha512: for the 521-bit prime-field elliptic-curve setting with SHA-512 hash) A
22 -539.6 M
(function. ) S
11 -550.2 M
gsave
0 setgray
newpath
11.0 -550.170166 2.75 0 360 arc
closepath
fill
grestore
22 -553.8 M
4.74804688 0 32 0 0 (iso-kam3-dl-2048-sha256: for the 2048-bit discrete-logarithm setting with SHA-256 hash) A
22 -567 M
(function. ) S
11 -577.6 M
gsave
0 setgray
newpath
11.0 -577.57019 2.75 0 360 arc
closepath
fill
grestore
22 -581.2 M
4.74804688 0 32 0 0 (iso-kam3-dl-4096-sha512: for the 4096-bit discrete-logarithm setting with SHA-512 hash ) A
22 -594.4 M
(function.) S
0 -618.6 M
0.00989583321 0 32 0 0 (For the elliptic-curve settings, the underlying groups are the elliptic curves over prime fields P-256 and) A
0 -631.8 M
5.1703124 0 32 0 0 (P-521, respectively, specified in the appendix\240D.1.2 of ) A
gsave
newpath
278.7 -632.9 M
59.2312508 0 RL
stroke
grestore
5.1703124 0 32 0 0 (FIPS PUB ) A
gsave
newpath
337.9 -632.9 M
25.6601562 0 RL
stroke
grestore
5.1703124 0 32 0 0 (186-3) A
[/Rect [277.691406 -634.550232 364.578125 -622.450256] /Subtype /Link /Border [0 0 0] /Dest /101 /ANN pdfmark
5.1703124 0 32 0 0 ( [FIPS.186-3.2009]) A
0 -645 M
1.92996657 0 32 0 0 (specification. The hash functions H are SHA-256 for P-256 curve and SHA-512 for P-521 curve,) A
0 -658.2 M
0.666766822 0 32 0 0 (respectively, defined in ) A
gsave
newpath
107.7 -659.3 M
50.2241592 0 RL
stroke
grestore
0.666766822 0 32 0 0 (FIPS PUB ) A
gsave
newpath
157.9 -659.3 M
25.6601562 0 RL
stroke
grestore
0.666766822 0 32 0 0 (180-2) A
[/Rect [106.660156 -660.950256 184.539062 -648.850281] /Subtype /Link /Border [0 0 0] /Dest /100 /ANN pdfmark
0.666766822 0 32 0 0 ( [FIPS.180-2.2002]. The representation of fields wa, wb, oa,) A
0 -671.4 M
(and ob is hex-fixed-number. ) S
0 -671.4 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 24 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 25 25
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
3.174716 0 32 0 0 (For discrete-logarithm settings, the underlying groups are 2048-bit and 4096-bit MODP groups) A
0 -26.4 M
2.21875 0 32 0 0 (defined in ) A
gsave
newpath
51.5 -27.5 M
50.1054688 0 RL
stroke
grestore
2.21875 0 32 0 0 ([RFC3526]) A
[/Rect [50.4726562 -29.1500015 102.578125 -17.0500011] /Subtype /Link /Border [0 0 0] /Dest /104 /ANN pdfmark
2.21875 0 32 0 0 (, respectively. See ) A
gsave
newpath
191 -27.5 M
53.4648438 0 RL
stroke
grestore
2.21875 0 32 0 0 (Appendix\240B) A
[/Rect [189.996094 -29.1500015 245.460938 -17.0500011] /Subtype /Link /Border [0 0 0] /Dest /123 /ANN pdfmark
2.21875 0 32 0 0 ( for the exact specification of the group and) A
0 -39.6 M
0.0911458358 0 32 0 0 (associated parameters. The hash functions H are SHA-256 for the 2048-bit group and SHA-512 for the) A
0 -52.8 M
(4096-bit group, respectively. The representation of fields wa, wb, oa, and ob is base64-fixed-number. ) S
0 -77 M
2.97230124 0 32 0 0 (The clients SHOULD support at least "iso-kam3-dl-2048-sha256" algorithm, and are advised to) A
0 -90.2 M
2.17610669 0 32 0 0 (support all of the above four algorithms whenever possible. The server software implementations) A
0 -103.4 M
0.256911069 0 32 0 0 (SHOULD support at least "iso-kam3-dl-2048-sha256" algorithm, unless it is known that users will not) A
0 -116.6 M
(use it. ) S
0 -140.8 M
0.408203125 0 32 0 0 (Note: This algorithm is based on the Key Agreement Mechanism 3 \(KAM3\) defined in Section 6.3 of ) A
0 -154 M
gsave
newpath
0 -155.1 M
49.4101562 0 RL
stroke
grestore
8.17578125 0 32 0 0 (ISO/IEC ) A
gsave
newpath
49.4 -155.1 M
36.6601562 0 RL
stroke
grestore
8.17578125 0 32 0 0 (11770-4) A
[/Rect [-1.0 -156.749985 87.0703125 -144.649979] /Subtype /Link /Border [0 0 0] /Dest /111 /ANN pdfmark
8.17578125 0 32 0 0 ( [ISO.11770-4.2006] with a few modifications/improvements. However,) A
0 -167.2 M
1.37469947 0 32 0 0 (implementers should use this document as the normative reference, because the algorithm has been) A
0 -180.4 M
(changed in several minor details as well as major improvements. ) S
0 -191.4 M
[/View [/XYZ -4 565.600037 null] /Dest /73 /DEST pdfmark
0 -191.4 M
[/View [/XYZ -4 565.600037 null] /Dest /74 /DEST pdfmark
0 -207 M
%%IncludeResource: font Times-Bold
13 2 Nf
(11.1.) S
[/View [/XYZ -4 565.600037 null] /Dest /179 /DEST pdfmark
( Support functions and ) S
(notations) S
0 -231.2 M
11 0 Nf
(The algorithm definitions use several support functions and notations defined ) S
(below:) S
0 -255.4 M
(The integers in the specification are decimal, or hexadecimal when prefixed with ) S
("0x".) S
0 -279.6 M
1.30009186 0 32 0 0 (The function octet\(c\) generates a single octet string whose code value is equal to c. The operator |,) A
0 -292.8 M
(when applied to octet strings, denotes the concatenation of two ) S
(operands.) S
0 -317 M
1.88616073 0 32 0 0 (The function VI encodes natural numbers into octet strings in the following manner: numbers are) A
0 -330.2 M
0.163783476 0 32 0 0 (represented in big-endian radix-128 string, where each digit is represented by an octet within 0x80\2350xff) A
0 -343.4 M
0.217285156 0 32 0 0 (except the last digit represented by an octet within 0x00\2350x7f. The first octet MUST\240NOT be 0x80. For) A
0 -356.6 M
0.31266275 0 32 0 0 (example, VI\(i\) = octet\(i\) for i < 128, and VI\(i\) = octet\(0x80 + \(i >> 7\)\) | octet\(i & 127\) for 128 <= i <) A
0 -369.8 M
0.0597426482 0 32 0 0 (16384. This encoding is the same as the one used for subcomponents of object identifiers in ) A
gsave
newpath
407.5 -370.9 M
46.5117188 0 RL
stroke
grestore
0.0597426482 0 32 0 0 (the ASN.1 ) A
[/Rect [406.488281 -372.550049 457.789062 -360.450043] /Subtype /Link /Border [0 0 0] /Dest /112 /ANN pdfmark
0 -383 M
gsave
newpath
0 -384.1 M
40.3203125 0 RL
stroke
grestore
0.133091524 0 32 0 0 (encoding) A
[/Rect [-1.0 -385.750061 41.3203125 -373.650055] /Subtype /Link /Border [0 0 0] /Dest /112 /ANN pdfmark
0.133091524 0 32 0 0 ( [ITU.X690.1994], and available as a "w" conversion in the pack function of several scripting) A
0 -396.2 M
(languages. ) S
0 -420.4 M
2.91640615 0 32 0 0 (The function VS encodes variable-length octet string into uniquely-decoded, self-delimited octet) A
0 -433.6 M
(string, as in the following manner: ) S
0 -457.8 M
(VS\(s\) = VI\(length\(s\)\) | s ) S
0 -482 M
(where length\(s\) is a number of octets \(not characters\) in s. ) S
0 -506.2 M
2.7606535 0 32 0 0 ([Editorial note: Unlike the colon-separated notion used in the Basic/Digest HTTP authentication) A
0 -519.4 M
0.752790153 0 32 0 0 (scheme, the string generated by a concatenation of the VS-encoded strings will be unique, regardless) A
0 -532.6 M
(of the characters included in the strings encoded.] ) S
0 -556.8 M
0.824869812 0 32 0 0 (The function OCTETS converts an integer to corresponding radix-256 big-endian octet string having) A
0 -570 M
(its natural length: See ) S
gsave
newpath
98.3 -571.1 M
49.4882812 0 RL
stroke
grestore
(Section\2403.2) S
[/Rect [97.3476562 -572.750183 148.835938 -560.650208] /Subtype /Link /Border [0 0 0] /Dest /23 /ANN pdfmark
( for the definition of the "natural length". ) S
0 -594.2 M
2.67103791 0 32 0 0 (Note: The definition of OCTETS\(\) is different from the function GE2OS_x in the original ISO) A
0 -607.4 M
(specification, which takes the shortest representation. ) S
0 -618.4 M
[/View [/XYZ -4 138.599792 null] /Dest /75 /DEST pdfmark
0 -618.4 M
[/View [/XYZ -4 138.599792 null] /Dest /76 /DEST pdfmark
0 -618.4 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 25 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 26 26
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -15.6 M
%%IncludeResource: font Times-Bold
13 2 Nf
(11.2.) S
[/View [/XYZ -4 757.0 null] /Dest /180 /DEST pdfmark
( Common functions for both ) S
(settings) S
0 -39.8 M
%%IncludeResource: font Times-Roman
11 0 Nf
(The password-based string pi used by this authentication is derived in the following manner: ) S
0 -64 M
(pi = H\(VS\(algorithm\) | VS\(auth-domain\) | VS\(realm\) | VS\(username\) | VS\(ph\(password\)\)\). ) S
0 -88.2 M
0.181152344 0 32 0 0 (The values of algorithm, realm and auth-domain are taken from the values contained in the 401-B0 \(or) A
0 -101.4 M
1.80104172 0 32 0 0 (200-Optional-B0, hereafter implied\) message. When pi is used in the context of an octet string, it) A
0 -114.6 M
1.02604163 0 32 0 0 (SHALL have the natural length derived from the size of the output of function H \(e.g. 32 octets for) A
0 -127.8 M
0.527573526 0 32 0 0 (SHA-256\). The function ph is defined by the value of the pwd-hash field given in a 401-B0 message.) A
0 -141 M
(The password SHALL be encoded as a UTF-8 string before being passed to ph. ) S
0 -165.2 M
(The values o_A and o_B are derived by the following equation. ) S
0 -189.4 M
(o_A = H\(octet\(4\) | OCTETS\(w_A\) | OCTETS\(w_B\) | OCTETS\(z\) | VI\(nc\) | VS\(v\)\) ) S
0 -202.6 M
(o_B = H\(octet\(3\) | OCTETS\(w_A\) | OCTETS\(w_B\) | OCTETS\(z\) | VI\(nc\) | VS\(v\)\) ) S
0 -226.8 M
0.0869140625 0 32 0 0 (The equations for J, w_A, T, z, and w_B are specified differently for the discrete-logarithm setting and) A
0 -240 M
(the elliptic-curve setting. These equations are defined later in this section. ) S
0 -251 M
[/View [/XYZ -4 506.000031 null] /Dest /77 /DEST pdfmark
0 -251 M
[/View [/XYZ -4 506.000031 null] /Dest /78 /DEST pdfmark
0 -266.6 M
13 2 Nf
(11.3.) S
[/View [/XYZ -4 506.000031 null] /Dest /181 /DEST pdfmark
( Functions for discrete-logarithm ) S
(settings) S
0 -290.8 M
11 0 Nf
0.471726179 0 32 0 0 (In this section, the equation \(x / y mod z\) denotes a natural number w less than z which satisfies \(w *) A
0 -304 M
(y\) mod z = x mod z. ) S
0 -328.2 M
(For the discrete-logarithm setting, we refer to some of the domain parameters by the following symbols: ) S
11 -348.8 M
gsave
0 setgray
newpath
11.0 -348.77002 2.75 0 360 arc
closepath
fill
grestore
22 -352.4 M
(q: for "the prime" of the group. ) S
11 -363 M
gsave
0 setgray
newpath
11.0 -362.970032 2.75 0 360 arc
closepath
fill
grestore
22 -366.6 M
(g: for "the generator" associated with the group. ) S
11 -377.2 M
gsave
0 setgray
newpath
11.0 -377.170044 2.75 0 360 arc
closepath
fill
grestore
22 -380.8 M
(r: for the order of the subgroup generated by ) S
(g.) S
0 -405 M
(The function J is defined as ) S
0 -429.2 M
(J\(pi\) = g^\(pi\) mod q. ) S
0 -453.4 M
(The value of w_A is derived as ) S
0 -477.6 M
(w_A = g^\(s_A\) mod q, ) S
0 -501.8 M
0.109188989 0 32 0 0 (where s_A is a random integer within range [1, r-1] and r is the size of the subgroup generated by g. In) A
0 -515 M
(addition, s_A MUST be larger than log\(q\)/log\(g\) \(so that g^\(s_A\) > q\). ) S
0 -539.2 M
2.07927394 0 32 0 0 (The value of w_A SHALL satisfy 1 < w_A < q-1. The server MUST check this condition upon) A
0 -552.4 M
(reception. ) S
0 -576.6 M
(The value of w_B is derived from J\(pi\) and w_A as: ) S
0 -600.8 M
(w_B = \(J\(pi\) * w_A^\(H\(octet\(1\) | OCTETS\(w_A\)\)\)\)^s_B mod q, ) S
0 -625 M
0.286328137 0 32 0 0 (where s_B is a random number within range [1, r-1]. The value of w_B MUST satisfy 1 < w_B < q-1.) A
0 -638.2 M
0.0744357631 0 32 0 0 (If this condition does not hold, the server MUST retry with another value of s_B. The client MUST check) A
0 -651.4 M
(this condition upon reception. ) S
0 -651.4 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 26 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 27 27
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(The value z in the client side is derived by the following equation: ) S
0 -37.4 M
0.037224263 0 32 0 0 (z = w_B^\(\(s_A + H\(octet\(2\) | OCTETS\(w_A\) | OCTETS\(w_B\)\)\) / \(s_A * H\(octet\(1\) | OCTETS\(w_A\)\) +) A
0 -50.6 M
(pi\) mod r\) mod q. ) S
0 -74.8 M
(The value z in the server side is derived by the following equation: ) S
0 -99 M
(z = \(w_A * g^\(H\(octet\(2\) | OCTETS\(w_A\) | OCTETS\(w_B\)\)\)\)^s_B mod q. ) S
0 -110 M
[/View [/XYZ -4 647.0 null] /Dest /79 /DEST pdfmark
0 -110 M
[/View [/XYZ -4 647.0 null] /Dest /80 /DEST pdfmark
0 -125.6 M
%%IncludeResource: font Times-Bold
13 2 Nf
(11.4.) S
[/View [/XYZ -4 647.0 null] /Dest /182 /DEST pdfmark
( Functions for elliptic-curve ) S
(settings) S
0 -149.8 M
11 0 Nf
(For the elliptic-curve setting, we refer to some of the domain parameters by the following symbols: ) S
11 -170.4 M
gsave
0 setgray
newpath
11.0 -170.37001 2.75 0 360 arc
closepath
fill
grestore
22 -174 M
(q: for the prime used to define the group, ) S
11 -184.6 M
gsave
0 setgray
newpath
11.0 -184.57 2.75 0 360 arc
closepath
fill
grestore
22 -188.2 M
(G: for the defined point called the generator, ) S
11 -198.8 M
gsave
0 setgray
newpath
11.0 -198.77 2.75 0 360 arc
closepath
fill
grestore
22 -202.4 M
(r: for the order of the subgroup generated by ) S
(G.) S
0 -226.6 M
0.138085932 0 32 0 0 (The function P\(p\) converts a curve point p to an integer representing the point p, by computing x * 2 +) A
0 -239.8 M
0.548117876 0 32 0 0 (\(y mod 2\), where \(x, y\) are the coordinates of the point p. P'\(z\) is the inverse of function P, that is, it) A
0 -253 M
1.19419646 0 32 0 0 (converts an integer z to a point p which satisfies P\(p\) = z. If such p exists, it is uniquely defined.) A
0 -266.2 M
5.48723936 0 32 0 0 (Otherwise, z does not represent a valid curve point. The operation [x] * p denotes an) A
0 -279.4 M
3.16471362 0 32 0 0 (integer-multiplication of point p: it calculates p + p + ... \(x times\) ... + p. See the literature on) A
0 -292.6 M
1.16346157 0 32 0 0 (elliptic-curve cryptography for the exact algorithms for those. 0_E represents the infinity point. The) A
0 -305.8 M
0.279891312 0 32 0 0 (equation \(x / y mod z\) denotes a natural number w less than z which satisfies \(w * y\) mod z = x mod) A
0 -319 M
(z. ) S
0 -343.2 M
(The function J is defined as ) S
0 -367.4 M
(J\(pi\) = [pi] * G. ) S
0 -391.6 M
(The value of w_A is derived as ) S
0 -415.8 M
(w_A = P\(W_A\), where W_A = [s_A] * G. ) S
0 -440 M
0.178602427 0 32 0 0 (where s_A is a random number within range [1, r-1]. The value of w_A MUST represent a valid curve) A
0 -453.2 M
(point, and W_A SHALL\240NOT be 0_E. The server MUST check this condition upon reception. ) S
0 -477.4 M
(The value of w_B is derived from J\(pi\) and W_A = P'\(w_A\) as: ) S
0 -501.6 M
(w_B = P\(W_B\), where W_B = [s_B] * \(J\(pi\) + [H\(octet\(1\) | OCTETS\(w_A\)\)] * W_A\). ) S
0 -525.8 M
0.245876729 0 32 0 0 (where s_B is a random number within range [1, r-1]. The value of w_B MUST represent a valid curve) A
0 -539 M
0.877821207 0 32 0 0 (point and satisfy [4] * P'\(w_B\) <> 0_E. If this condition does not hold, the server MUST retry with) A
0 -552.2 M
(another value of s_B. The client MUST check this condition upon reception. ) S
0 -576.4 M
(The value z in the client side is derived by the following equation: ) S
0 -600.6 M
0.346354157 0 32 0 0 (z = P\([\(s_A + H\(octet\(2\) | OCTETS\(w_A\) | OCTETS\(w_B\)\)\) / \(s_A * H\(octet\(1\) | OCTETS\(w_A\)\) +) A
0 -613.8 M
(pi\) mod r] * W_B\), where W_B = P'\(w_B\). ) S
0 -638 M
(The value z in the server side is derived by the following equation: ) S
0 -638 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 27 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 28 28
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(z = P\([s_B] * \(W_A + [H\(octet\(2\) | OCTETS\(w_A\) | OCTETS\(w_B\)\)] * G\)\), where W_A = P'\(w_A\). ) S
0 -24.2 M
[/View [/XYZ -4 732.8 null] /Dest /81 /DEST pdfmark
0 -24.2 M
[/View [/XYZ -4 732.8 null] /Dest /82 /DEST pdfmark
0 -43.2 M
%%IncludeResource: font Times-Bold
15 2 Nf
(12.) S
[/View [/XYZ -4 731.8 null] /Dest /183 /DEST pdfmark
( Methods to extend this ) S
(protocol) S
0 -67.4 M
11 0 Nf
1.60044646 0 32 0 0 (If a non-standard extension to this protocol is implemented, it MUST use the extension-tokens) A
0 -80.6 M
(defined in ) S
gsave
newpath
47 -81.7 M
41.2382812 0 RL
stroke
grestore
(Section\2403) S
[/Rect [46.0351562 -83.3500061 89.2734375 -71.2500076] /Subtype /Link /Border [0 0 0] /Dest /18 /ANN pdfmark
( to avoid conflicts with this protocol and other extensions. ) S
0 -104.8 M
1.13020837 0 32 0 0 (Authentication algorithms other than those defined in this document MAY use other representations) A
0 -118 M
0.8203125 0 32 0 0 (for keys "wa", "wb", "oa" and "ob", replace those keys, and/or add fields to the messages containing) A
0 -131.2 M
0.590625 0 32 0 0 (those fields by supplemental specifications. Two-octet keys from "wc" to "wz" and from "oc" to "oz") A
0 -144.4 M
3.81796885 0 32 0 0 (are reserved for this purpose. If those specifications use keys other than shown above, it is) A
0 -157.6 M
0.823567688 0 32 0 0 (RECOMMENDED to use extension-tokens to avoid any key-name conflict with the future extension) A
0 -170.8 M
(of this protocol. ) S
0 -195 M
0.012019231 0 32 0 0 (Extension-tokens MAY be freely used for any non-standard, private and/or experimental uses for those) A
0 -208.2 M
(fields provided that the domain part in the token is appropriately used. ) S
0 -219.2 M
[/View [/XYZ -4 537.800049 null] /Dest /83 /DEST pdfmark
0 -219.2 M
[/View [/XYZ -4 537.800049 null] /Dest /84 /DEST pdfmark
0 -238.2 M
15 2 Nf
(13.) S
[/View [/XYZ -4 536.800049 null] /Dest /184 /DEST pdfmark
( IANA ) S
(Considerations) S
0 -262.4 M
11 0 Nf
0.774088562 0 32 0 0 (The tokens used for authentication-algorithm, pwd-hash, and validation fields MUST be allocated by) A
0 -275.6 M
0.659423828 0 32 0 0 (IANA. To acquire registered tokens, a specification for the use of such tokens MUST be available as) A
0 -288.8 M
(an RFC, as outlined in ) S
gsave
newpath
101.4 -289.9 M
50.1054688 0 RL
stroke
grestore
([RFC5226]) S
[/Rect [100.429688 -291.550018 152.535156 -279.45] /Subtype /Link /Border [0 0 0] /Dest /116 /ANN pdfmark
(. ) S
0 -313 M
(Note: More formal declarations will be added in future drafts to meet RFC 5226 requirements. ) S
0 -324 M
[/View [/XYZ -4 432.999969 null] /Dest /85 /DEST pdfmark
0 -324 M
[/View [/XYZ -4 432.999969 null] /Dest /86 /DEST pdfmark
0 -343 M
15 2 Nf
(14.) S
[/View [/XYZ -4 431.999969 null] /Dest /185 /DEST pdfmark
( Security ) S
(Considerations) S
0 -350.5 M
[/View [/XYZ -4 406.499969 null] /Dest /87 /DEST pdfmark
0 -350.5 M
[/View [/XYZ -4 406.499969 null] /Dest /88 /DEST pdfmark
0 -369 M
13 2 Nf
(14.1.) S
[/View [/XYZ -4 403.599976 null] /Dest /186 /DEST pdfmark
( Security ) S
(Properties) S
11 -389.6 M
gsave
0 setgray
newpath
11.0 -389.570038 2.75 0 360 arc
closepath
fill
grestore
22 -393.2 M
11 0 Nf
1.03027344 0 32 0 0 (The protocol is secure against passive eavesdropping and replay attacks. However, the protocol) A
22 -406.4 M
1.61490881 0 32 0 0 (relies on transport security including DNS integrity for data secrecy and integrity. HTTP/TLS) A
22 -419.6 M
(SHOULD be used where transport security is not assured and/or data secrecy is important. ) S
11 -430.2 M
gsave
0 setgray
newpath
11.0 -430.170074 2.75 0 360 arc
closepath
fill
grestore
22 -433.8 M
1.44621396 0 32 0 0 (When used with HTTP/TLS, if TLS server certificates are reliably verified, the protocol gives) A
22 -447 M
(true protection against active man-in-the-middle attacks. ) S
11 -457.6 M
gsave
0 setgray
newpath
11.0 -457.570099 2.75 0 360 arc
closepath
fill
grestore
22 -461.2 M
1.55807292 0 32 0 0 (Even if the server certificate is not used or is unreliable, the protocol gives protection against) A
22 -474.4 M
1.015625 0 32 0 0 (active man-in-the-middle attacks for each HTTP request/response pair. However, in such cases,) A
22 -487.6 M
1.931108 0 32 0 0 (JavaScript or similar scripting facilities can be used to affect Mutually-authenticated contents) A
22 -500.8 M
0.858538 0 32 0 0 (from other contents not protected by this authentication mechanism. This is the reason why this) A
22 -514 M
(protocol requires that valid TLS server certificates MUST be presented ) S
(\() S
gsave
newpath
341.4 -515.1 M
41.2382812 0 RL
stroke
grestore
(Section\2407) S
[/Rect [340.433594 -516.750122 383.671875 -504.650116] /Subtype /Link /Border [0 0 0] /Dest /55 /ANN pdfmark
(\). ) S
0 -525 M
[/View [/XYZ -4 231.999878 null] /Dest /89 /DEST pdfmark
0 -525 M
[/View [/XYZ -4 231.999878 null] /Dest /90 /DEST pdfmark
0 -540.6 M
13 2 Nf
(14.2.) S
[/View [/XYZ -4 231.999878 null] /Dest /187 /DEST pdfmark
( Denial-of-service attacks to ) S
(servers) S
0 -564.8 M
11 0 Nf
0.717529297 0 32 0 0 (The protocol requires a server-side table of active sessions, which may become a critical point of the) A
0 -578 M
3.09014416 0 32 0 0 (server resource consumption. For proper operation, the protocol requires that at least one key) A
0 -591.2 M
0.789963961 0 32 0 0 (verification request is processed for each session identifier. After that, servers MAY discard sessions) A
0 -604.4 M
2.75721145 0 32 0 0 (internally at any time, without causing any operational problems to clients. Clients will silently) A
0 -617.6 M
(reestablish a new session then. ) S
0 -628.6 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 28 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 29 29
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.53794646 0 32 0 0 (However, if a malicious client sends too many requests of key exchanges \(req-A1 messages\) only,) A
0 -26.4 M
0.665178597 0 32 0 0 (resource starvation might occur. In such critical situations, servers MAY discard any kind of existing) A
0 -39.6 M
1.0222168 0 32 0 0 (sessions regardless of their statuses. One way to mitigate such attacks is that servers MAY have a) A
0 -52.8 M
(number and a time limit for unverified pending key exchange requests \(in the "wa received" status\). ) S
0 -77 M
0.291927069 0 32 0 0 (This is a common weakness of authentication protocols with almost any kind of negotiations or states,) A
0 -90.2 M
3.79199219 0 32 0 0 (including Digest authentication method and most Cookie-based authentication implementations.) A
0 -103.4 M
1.49038458 0 32 0 0 (However, regarding the resource consumption, the situation of the mutual authentication method is) A
0 -116.6 M
0.117745534 0 32 0 0 (slightly better than for Digest, because HTTP requests without any kind of authentication requests will) A
0 -129.8 M
1.74780273 0 32 0 0 (not generate any kind of sessions. Session identifiers are only generated after a client starts a key) A
0 -143 M
3.7232573 0 32 0 0 (negotiation. It means that simple clients such as web crawlers will not accidentally consume) A
0 -156.2 M
(server-side resources for session management. ) S
0 -167.2 M
[/View [/XYZ -4 589.800049 null] /Dest /91 /DEST pdfmark
0 -167.2 M
[/View [/XYZ -4 589.800049 null] /Dest /92 /DEST pdfmark
0 -182.8 M
%%IncludeResource: font Times-Bold
13 2 Nf
(14.3.) S
[/View [/XYZ -4 589.800049 null] /Dest /188 /DEST pdfmark
( Implementation ) S
(Considerations) S
11 -203.4 M
gsave
0 setgray
newpath
11.0 -203.37 2.75 0 360 arc
closepath
fill
grestore
22 -207 M
11 0 Nf
2.0110085 0 32 0 0 (To securely implement the protocol, the Authentication-Info headers in the 200-B4 messages) A
22 -220.2 M
1.20898438 0 32 0 0 (MUST always be validated by the client. If the validation fails, the client MUST\240NOT process) A
22 -233.4 M
0.736778855 0 32 0 0 (any content sent with the message, including the body part. Non-compliance to this requirement) A
22 -246.6 M
(will allow phishing attacks. ) S
11 -257.2 M
gsave
0 setgray
newpath
11.0 -257.169983 2.75 0 360 arc
closepath
fill
grestore
22 -260.8 M
1.88151038 0 32 0 0 (The authentication status on the client-side SHOULD be visible to the users of the client. In) A
22 -274 M
1.13671875 0 32 0 0 (addition, the method for asking user's name and passwords SHOULD be carefully designed so) A
22 -287.2 M
0.575892866 0 32 0 0 (that \(1\) the user can easily distinguish requests of this authentication method from other existing) A
22 -300.4 M
2.26382208 0 32 0 0 (authentication methods such as Basic and Digest methods, and \(2\) the Web contents cannot) A
22 -313.6 M
(imitate the user-interfaces for this protocol. ) S
22 -326.8 M
4.52587891 0 32 0 0 (An informational memo regarding user-interface considerations and recommendations for) A
22 -340 M
(implementing this protocol will be separately published. ) S
11 -350.6 M
gsave
0 setgray
newpath
11.0 -350.570068 2.75 0 360 arc
closepath
fill
grestore
22 -354.2 M
2.05703115 0 32 0 0 (For HTTP/TLS communications, when a web form is submitted from Mutually-authenticated) A
22 -367.4 M
0.252757341 0 32 0 0 (pages with the validation methods of "tls-cert" to a URI which is protected by the same realm \(so) A
22 -380.6 M
2.2927084 0 32 0 0 (indicated by the path field\), if the server certificate has changed since the pages have been) A
22 -393.8 M
2.73587751 0 32 0 0 (received, the peer is RECOMMENDED to be revalidated using a req-A1 message with an) A
22 -407 M
1.01262021 0 32 0 0 ("Expect: 100-continue" header. The same applies when the page is received with the validation) A
22 -420.2 M
(methods of "tls-key", and when the TLS session has expired. ) S
11 -430.8 M
gsave
0 setgray
newpath
11.0 -430.770142 2.75 0 360 arc
closepath
fill
grestore
22 -434.4 M
2.38551688 0 32 0 0 (Server-side storage of user passwords is advised to have the values encrypted by the one-way) A
22 -447.6 M
(function J\(pi\), instead of the real passwords, those hashed by ph, or pi. ) S
0 -458.6 M
[/View [/XYZ -4 298.399841 null] /Dest /93 /DEST pdfmark
0 -458.6 M
[/View [/XYZ -4 298.399841 null] /Dest /94 /DEST pdfmark
0 -474.2 M
13 2 Nf
(14.4.) S
[/View [/XYZ -4 298.399841 null] /Dest /189 /DEST pdfmark
( Usage ) S
(Considerations) S
11 -494.8 M
gsave
0 setgray
newpath
11.0 -494.770172 2.75 0 360 arc
closepath
fill
grestore
22 -498.4 M
11 0 Nf
2.14787936 0 32 0 0 (The user-names entered by the user may be sent automatically to any servers sharing the same) A
22 -511.6 M
0.949869812 0 32 0 0 (auth-domain. This means that when host-type auth-domain is used for authentication in HTTPS) A
22 -524.8 M
1.14817703 0 32 0 0 (site, and when an HTTP server on the same host requests Mutual authentication with the same) A
22 -538 M
1.61006439 0 32 0 0 (realm, the client will send the user-name in clear text. If user-names have to be kept secret) A
22 -551.2 M
2.6421876 0 32 0 0 (against eavesdropping, the server must use a full-scheme-type auth-domain parameter. On the) A
22 -564.4 M
(contrary, passwords are not exposed to eavesdroppers even on HTTP requests. ) S
11 -575 M
gsave
0 setgray
newpath
11.0 -574.970215 2.75 0 360 arc
closepath
fill
grestore
22 -578.6 M
0.458007812 0 32 0 0 ("Pwd_hash" field is only provided for backward compatibility for password databases, and using) A
22 -591.8 M
0.743088961 0 32 0 0 ("none" function is the most secure choice and RECOMMENDED. If a value other than "none") A
22 -605 M
1.06571686 0 32 0 0 (is used, you must ensure that the hash values of the passwords were not exposed to the public.) A
22 -618.2 M
1.92897725 0 32 0 0 (Note that hashed password databases for plain-text authentications are usually not considered) A
22 -631.4 M
(secret. ) S
11 -642 M
gsave
0 setgray
newpath
11.0 -641.970276 2.75 0 360 arc
closepath
fill
grestore
22 -645.6 M
0.296354175 0 32 0 0 (If the server provides several ways of storing server-side password database, it is advised to store) A
22 -658.8 M
0.00833333377 0 32 0 0 (the values encrypted by one-way function J\(pi\), instead of the real passwords, those hashed by ph,) A
22 -658.8 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 29 -) S
0 setgray
44 -8 M
grestore
pgsave restore N
%%Page: 30 30
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
22 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(or pi. ) S
0 -24.2 M
[/View [/XYZ -4 732.8 null] /Dest /95 /DEST pdfmark
0 -24.2 M
[/View [/XYZ -4 732.8 null] /Dest /96 /DEST pdfmark
0 -43.2 M
%%IncludeResource: font Times-Bold
15 2 Nf
(15.) S
[/View [/XYZ -4 731.8 null] /Dest /190 /DEST pdfmark
( Notice on intellectual ) S
(properties) S
0 -67.4 M
11 0 Nf
0.270432681 0 32 0 0 (The National Institute of Advanced Industrial Science and Technology \(AIST\) and Yahoo! Japan, Inc.) A
0 -80.6 M
1.53348219 0 32 0 0 (have jointly submitted a patent application about the protocol proposed in this documentation to the) A
0 -93.8 M
0.532769084 0 32 0 0 (Patent Office of Japan. The patent is intended to be open to any implementors of this protocol and its) A
0 -107 M
0.0552455373 0 32 0 0 (variants in a non-exclusive royalty-free manner. For the details of the patent application and its status,) A
0 -120.2 M
(please contact the author of this document. ) S
0 -144.4 M
5.14531231 0 32 0 0 (The elliptic-curve based authentication algorithms might involve several existing patents of) A
0 -157.6 M
1.55625 0 32 0 0 (third-parties. The authors of the document take no position regarding the validity or scope of such) A
0 -170.8 M
(patents, and other patents as well. ) S
0 -181.8 M
[/View [/XYZ -4 575.2 null] /Dest /97 /DEST pdfmark
0 -181.8 M
[/View [/XYZ -4 575.2 null] /Dest /98 /DEST pdfmark
0 -200.8 M
15 2 Nf
(16.) S
[/View [/XYZ -4 574.2 null] /Dest /191 /DEST pdfmark
( ) S
(References) S
0 -208.3 M
[/View [/XYZ -4 548.7 null] /Dest /99 /DEST pdfmark
0 -226.8 M
13 2 Nf
(16.1.) S
[/View [/XYZ -4 545.800049 null] /Dest /192 /DEST pdfmark
( Normative ) S
(References) S
8 -243.1 M
0.989260316 0.989260316 scale

-0.0 -11.0 RM
11 0 Nf
([FIPS.180-2.2002]) S
[/View [/XYZ -4 842 null] /Dest /100 /DEST pdfmark
1.01085627 1.01085627 scale

105.6 -254.1 M
(National Institute of Standards and Technology, ) S
(\233) S
gsave
newpath
324.6 -255.2 M
58.0234375 0 RL
stroke
grestore
(Secure Hash ) S
gsave
newpath
382.6 -255.2 M
39.09375 0 RL
stroke
grestore
(Standard) S
[/Rect [323.590759 -256.849976 422.707947 -244.749985] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf)] Cd /ANN pdfmark
(,\234) S
105.6 -267.3 M
(FIPS\240PUB 180-2, ) S
(August\2402002.) S
8 -278.1 M
0.989260316 0.989260316 scale

-0.0 -11.0 RM
([FIPS.186-3.2009]) S
[/View [/XYZ -4 842 null] /Dest /101 /DEST pdfmark
1.01085627 1.01085627 scale

105.6 -289.1 M
(National Institute of Standards and Technology, ) S
(\233) S
gsave
newpath
324.6 -290.1 M
75.4414062 0 RL
stroke
grestore
(Digital Signature) S
[/Rect [323.590759 -291.8 401.032166 -279.699982] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://csrc.nist.gov/publications/fips/fips186-3/fips186-3.pdf)] Cd /ANN pdfmark
105.6 -302.3 M
gsave
newpath
105.6 -303.4 M
41.84375 0 RL
stroke
grestore
(Standard ) S
gsave
newpath
147.4 -303.4 M
27.4882812 0 RL
stroke
grestore
(\(DSS\)) S
[/Rect [104.59465 -305.0 175.926682 -292.9] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://csrc.nist.gov/publications/fips/fips186-3/fips186-3.pdf)] Cd /ANN pdfmark
(,\234 FIPS\240PUB 186-3, ) S
(June\2402009.) S
8 -324 M
([RFC2119]) S
[/View [/XYZ -4 842 null] /Dest /102 /DEST pdfmark
105.6 -324 M
gsave
newpath
105.6 -325.1 M
40.921875 0 RL
stroke
grestore
(Bradner, ) S
gsave
newpath
146.5 -325.1 M
8.86328125 0 RL
stroke
grestore
(S.) S
(, ) S
(\233) S
gsave
newpath
165.8 -325.1 M
231.832031 0 RL
stroke
grestore
(Key words for use in RFCs to Indicate Requirement ) S
gsave
newpath
397.6 -325.1 M
29.3164062 0 RL
stroke
grestore
(Levels) S
[/Rect [164.762619 -326.75 427.911072 -314.65] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2119)] Cd /ANN pdfmark
(,\234) S
105.6 -337.2 M
(BCP\24014, RFC\2402119, March\2401997 ) S
(\() S
gsave
newpath
256.5 -338.3 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [255.528259 -339.95 278.907166 -327.85] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc2119.txt)] Cd /ANN pdfmark
(, ) S
gsave
newpath
283.4 -338.3 M
31.15625 0 RL
stroke
grestore
(HTML) S
[/Rect [282.407166 -339.95 315.563416 -327.85] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://xml.resource.org/public/rfc/html/rfc2119.html)] Cd /ANN pdfmark
(, ) S
gsave
newpath
320.1 -338.3 M
24.4375 0 RL
stroke
grestore
(XML) S
[/Rect [319.063416 -339.95 345.500916 -327.85] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://xml.resource.org/public/rfc/xml/rfc2119.xml)] Cd /ANN pdfmark
(\).) S
8 -358.9 M
([RFC2818]) S
[/View [/XYZ -4 842 null] /Dest /103 /DEST pdfmark
105.6 -358.9 M
(Rescorla, E., ) S
(\233) S
gsave
newpath
169.4 -360.1 M
54.9765625 0 RL
stroke
grestore
(HTTP Over ) S
gsave
newpath
224.4 -360.1 M
19.5507812 0 RL
stroke
grestore
(TLS) S
[/Rect [168.422775 -361.7 244.950119 -349.6] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2818)] Cd /ANN pdfmark
(,\234 RFC\2402818, May\2402000 ) S
(\() S
gsave
newpath
356.7 -360.1 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [355.688416 -361.7 379.067322 -349.6] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc2818.txt)] Cd /ANN pdfmark
(\).) S
8 -380.7 M
([RFC3526]) S
[/View [/XYZ -4 842 null] /Dest /104 /DEST pdfmark
105.6 -380.7 M
(Kivinen, T. and M. Kojo, ) S
(\233) S
gsave
newpath
225 -381.8 M
162.1875 0 RL
stroke
grestore
(More Modular Exponential \(MODP\)) S
[/Rect [224.036057 -383.45 388.223572 -371.35] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc3526)] Cd /ANN pdfmark
105.6 -393.9 M
gsave
newpath
105.6 -395 M
222.929688 0 RL
stroke
grestore
(Diffie-Hellman groups for Internet Key Exchange ) S
gsave
newpath
328.5 -395 M
25.640625 0 RL
stroke
grestore
(\(IKE\)) S
[/Rect [104.59465 -396.650024 355.164978 -384.550018] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc3526)] Cd /ANN pdfmark
(,\234 RFC\2403526,) S
105.6 -407.1 M
(May\2402003 ) S
(\() S
gsave
newpath
156.9 -408.2 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [155.914963 -409.850037 179.293869 -397.750031] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc3526.txt)] Cd /ANN pdfmark
(\).) S
8 -428.8 M
([RFC3629]) S
[/View [/XYZ -4 842 null] /Dest /105 /DEST pdfmark
105.6 -428.8 M
(Yergeau, F., ) S
(\233) S
gsave
newpath
167.6 -429.9 M
174.996094 0 RL
stroke
grestore
(UTF-8, a transformation format of ISO ) S
gsave
newpath
342.6 -429.9 M
27.5 0 RL
stroke
grestore
(10646) S
[/Rect [166.590744 -431.599976 371.086853 -419.499969] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc3629)] Cd /ANN pdfmark
(,\234 STD\24063,) S
105.6 -442 M
(RFC\2403629, November\2402003 ) S
(\() S
gsave
newpath
234.2 -443.1 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [233.211838 -444.8 256.590759 -432.699982] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc3629.txt)] Cd /ANN pdfmark
(\).) S
8 -463.8 M
([RFC4648]) S
[/View [/XYZ -4 842 null] /Dest /106 /DEST pdfmark
105.6 -463.8 M
(Josefsson, S., ) S
(\233) S
gsave
newpath
172.5 -464.9 M
172.882812 0 RL
stroke
grestore
(The Base16, Base32, and Base64 Data ) S
gsave
newpath
345.4 -464.9 M
46.4335938 0 RL
stroke
grestore
(Encodings) S
[/Rect [171.493088 -466.55 392.809509 -454.449982] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc4648)] Cd /ANN pdfmark
(,\234) S
105.6 -477 M
(RFC\2404648, October\2402006 ) S
(\() S
gsave
newpath
223.2 -478.1 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [222.211838 -479.75 245.590744 -467.65] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc4648.txt)] Cd /ANN pdfmark
(\).) S
8 -498.8 M
([RFC5234]) S
[/View [/XYZ -4 842 null] /Dest /107 /DEST pdfmark
105.6 -498.8 M
(Crocker, D. and P. Overell, ) S
(\233) S
gsave
newpath
233.6 -499.9 M
195.183594 0 RL
stroke
grestore
(Augmented BNF for Syntax Specifications: ) S
[/Rect [232.5634 -501.5 429.747 -489.4] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5234)] Cd /ANN pdfmark
105.6 -512 M
gsave
newpath
105.6 -513 M
29.3320312 0 RL
stroke
grestore
(ABNF) S
[/Rect [104.59465 -514.7 135.926682 -502.6] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5234)] Cd /ANN pdfmark
(,\234 STD\24068, RFC\2405234, January\2402008 ) S
(\() S
gsave
newpath
301.7 -513 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [300.731384 -514.7 324.110291 -502.6] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc5234.txt)] Cd /ANN pdfmark
(\).) S
8 -533.7 M
([RFC5246]) S
[/View [/XYZ -4 842 null] /Dest /108 /DEST pdfmark
105.6 -533.7 M
(Dierks, T. and E. Rescorla, ) S
(\233) S
gsave
newpath
232.3 -534.8 M
200.035156 0 RL
stroke
grestore
(The Transport Layer Security \(TLS\) Protocol) S
[/Rect [231.340744 -536.45 433.375916 -524.350037] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5246)] Cd /ANN pdfmark
105.6 -546.9 M
gsave
newpath
105.6 -548 M
37.5664062 0 RL
stroke
grestore
(Version ) S
gsave
newpath
143.2 -548 M
13.75 0 RL
stroke
grestore
(1.2) S
[/Rect [104.59465 -549.65 157.911057 -537.550049] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5246)] Cd /ANN pdfmark
(,\234 RFC\2405246, August\2402008 ) S
(\() S
gsave
newpath
281.3 -548 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [280.262634 -549.65 303.641541 -537.550049] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc5246.txt)] Cd /ANN pdfmark
(\).) S
0 -566.6 M
[/View [/XYZ -4 190.349976 null] /Dest /109 /DEST pdfmark
0 -582.2 M
13 2 Nf
(16.2.) S
[/View [/XYZ -4 190.349976 null] /Dest /193 /DEST pdfmark
( Informative ) S
(References) S
8 -598.5 M
0.989316 0.989316 scale

-0.0 -11.0 RM
11 0 Nf
([ISO.10646-1.1993]) S
[/View [/XYZ -4 842 null] /Dest /110 /DEST pdfmark
1.01079941 1.01079941 scale

112.2 -609.5 M
(International Organization for Standardization, \233Information Technology -) S
112.2 -622.8 M
(Universal Multiple-octet coded Character Set \(UCS\) - Part 1: Architecture) S
112.2 -636 M
(and Basic Multilingual Plane,\234 ISO\240Standard 10646-1, ) S
(May\2401993.) S
112.2 -636 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 30 -) S
0 setgray
224.5 -8 M
grestore
pgsave restore N
%%Page: 31 31
%%PageResources: font Times-Roman Times-Bold Courier Courier-Oblique Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
8 -2 M
0.989316 0.989316 scale

-0.0 -11.0 RM
%%IncludeResource: font Times-Roman
11 0 Nf
([ISO.11770-4.2006]) S
[/View [/XYZ -4 842 null] /Dest /111 /DEST pdfmark
1.01079941 1.01079941 scale

112.2 -13 M
(International Organization for Standardization, \233Information technology \235) S
112.2 -26.2 M
(Security techniques \235 Key management \235 Part 4: Mechanisms based on) S
112.2 -39.4 M
(weak secrets,\234 ISO\240Standard 11770-4, ) S
(May\2402006.) S
8 -61.1 M
([ITU.X690.1994]) S
[/View [/XYZ -4 842 null] /Dest /112 /DEST pdfmark
112.2 -61.1 M
(International Telecommunications Union, \233Information Technology -) S
112.2 -74.4 M
(ASN.1 encoding rules: Specification of Basic Encoding Rules \(BER\),) S
112.2 -87.6 M
(Canonical Encoding Rules \(CER\) and Distinguished Encoding Rules) S
112.2 -100.8 M
(\(DER\),\234 ITU-T\240Recommendation X.690, ) S
(1994.) S
8 -122.5 M
([RFC2616]) S
[/View [/XYZ -4 842 null] /Dest /113 /DEST pdfmark
112.2 -122.5 M
gsave
newpath
112.2 -123.6 M
42.1601562 0 RL
stroke
grestore
(Fielding, ) S
gsave
newpath
154.4 -123.6 M
10.0859375 0 RL
stroke
grestore
(R.) S
(, ) S
gsave
newpath
170 -123.6 M
34.2109375 0 RL
stroke
grestore
(Gettys, ) S
gsave
newpath
204.2 -123.6 M
7.02734375 0 RL
stroke
grestore
(J.) S
(, ) S
gsave
newpath
216.7 -123.6 M
34.8320312 0 RL
stroke
grestore
(Mogul, ) S
gsave
newpath
251.6 -123.6 M
7.02734375 0 RL
stroke
grestore
(J.) S
(, ) S
gsave
newpath
264.1 -123.6 M
39.1054688 0 RL
stroke
grestore
(Frystyk, ) S
gsave
newpath
303.2 -123.6 M
10.6914062 0 RL
stroke
grestore
(H.) S
(, ) S
gsave
newpath
319.4 -123.6 M
44.5898438 0 RL
stroke
grestore
(Masinter, ) S
gsave
newpath
364 -123.6 M
9.46875 0 RL
stroke
grestore
(L.) S
(, ) S
gsave
newpath
378.9 -123.6 M
32.3671875 0 RL
stroke
grestore
(Leach, ) S
gsave
newpath
411.3 -123.6 M
8.86328125 0 RL
stroke
grestore
(P.) S
(,) S
112.2 -135.7 M
(and ) S
gsave
newpath
130.9 -136.8 M
12.21875 0 RL
stroke
grestore
(T. ) S
gsave
newpath
143.1 -136.8 M
54.34375 0 RL
stroke
grestore
(Berners-Lee) S
(, ) S
(\233) S
gsave
newpath
207.8 -136.8 M
136.804688 0 RL
stroke
grestore
(Hypertext Transfer Protocol -- ) S
gsave
newpath
344.6 -136.8 M
44.296875 0 RL
stroke
grestore
(HTTP/1.1) S
[/Rect [206.820465 -138.45 389.922028 -126.35] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2616)] Cd /ANN pdfmark
(,\234) S
112.2 -148.9 M
(RFC\2402616, June\2401999 ) S
(\() S
gsave
newpath
214.6 -150 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [213.597809 -151.65 236.976715 -139.549988] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc2616.txt)] Cd /ANN pdfmark
(, ) S
gsave
newpath
241.5 -150 M
12.2265625 0 RL
stroke
grestore
(PS) S
[/Rect [240.476715 -151.65 254.703278 -139.549988] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc2616.ps)] Cd /ANN pdfmark
(, ) S
gsave
newpath
259.2 -150 M
20.1679688 0 RL
stroke
grestore
(PDF) S
[/Rect [258.203278 -151.65 280.371246 -139.549988] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc2616.pdf)] Cd /ANN pdfmark
(, ) S
gsave
newpath
284.9 -150 M
31.15625 0 RL
stroke
grestore
(HTML) S
[/Rect [283.871246 -151.65 317.027496 -139.549988] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://xml.resource.org/public/rfc/html/rfc2616.html)] Cd /ANN pdfmark
(, ) S
gsave
newpath
321.5 -150 M
24.4375 0 RL
stroke
grestore
(XML) S
[/Rect [320.527496 -151.65 346.965 -139.549988] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://xml.resource.org/public/rfc/xml/rfc2616.xml)] Cd /ANN pdfmark
(\).) S
8 -170.7 M
([RFC2617]) S
[/View [/XYZ -4 842 null] /Dest /114 /DEST pdfmark
112.2 -170.7 M
gsave
newpath
112.2 -171.8 M
35.4335938 0 RL
stroke
grestore
(Franks, ) S
gsave
newpath
147.7 -171.8 M
7.02734375 0 RL
stroke
grestore
(J.) S
(, ) S
gsave
newpath
160.2 -171.8 M
67.7929688 0 RL
stroke
grestore
(Hallam-Baker, ) S
gsave
newpath
228 -171.8 M
8.86328125 0 RL
stroke
grestore
(P.) S
(, ) S
gsave
newpath
242.4 -171.8 M
45.8085938 0 RL
stroke
grestore
(Hostetler, ) S
gsave
newpath
288.2 -171.8 M
7.02734375 0 RL
stroke
grestore
(J.) S
(, ) S
gsave
newpath
300.7 -171.8 M
48.8515625 0 RL
stroke
grestore
(Lawrence, ) S
gsave
newpath
349.5 -171.8 M
8.86328125 0 RL
stroke
grestore
(S.) S
(, ) S
gsave
newpath
363.9 -171.8 M
32.3671875 0 RL
stroke
grestore
(Leach, ) S
gsave
newpath
396.3 -171.8 M
8.86328125 0 RL
stroke
grestore
(P.) S
(,) S
112.2 -183.9 M
(Luotonen, A., and ) S
gsave
newpath
194.7 -184.9 M
12.21875 0 RL
stroke
grestore
(L. ) S
gsave
newpath
206.9 -184.9 M
33.5898438 0 RL
stroke
grestore
(Stewart) S
(, ) S
(\233) S
gsave
newpath
250.9 -184.9 M
175.9375 0 RL
stroke
grestore
(HTTP Authentication: Basic and Digest) S
[/Rect [249.914215 -186.599991 427.851715 -174.499985] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2617)] Cd /ANN pdfmark
112.2 -197 M
gsave
newpath
112.2 -198.2 M
33.8945312 0 RL
stroke
grestore
(Access ) S
gsave
newpath
146.1 -198.2 M
65.3632812 0 RL
stroke
grestore
(Authentication) S
[/Rect [111.242348 -199.799988 212.500153 -187.699982] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2617)] Cd /ANN pdfmark
(,\234 RFC\2402617, June\2401999 ) S
(\() S
gsave
newpath
324.2 -198.2 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [323.238434 -199.799988 346.61734 -187.699982] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc2617.txt)] Cd /ANN pdfmark
(, ) S
gsave
newpath
351.1 -198.2 M
31.15625 0 RL
stroke
grestore
(HTML) S
[/Rect [350.11734 -199.799988 383.27359 -187.699982] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://xml.resource.org/public/rfc/html/rfc2617.html)] Cd /ANN pdfmark
(, ) S
gsave
newpath
387.8 -198.2 M
24.4375 0 RL
stroke
grestore
(XML) S
[/Rect [386.77359 -199.799988 413.21109 -187.699982] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://xml.resource.org/public/rfc/xml/rfc2617.xml)] Cd /ANN pdfmark
(\).) S
8 -218.8 M
([RFC2965]) S
[/View [/XYZ -4 842 null] /Dest /115 /DEST pdfmark
112.2 -218.8 M
gsave
newpath
112.2 -219.9 M
36.0429688 0 RL
stroke
grestore
(Kristol, ) S
gsave
newpath
148.3 -219.9 M
10.6914062 0 RL
stroke
grestore
(D.) S
( and ) S
gsave
newpath
180.4 -219.9 M
12.21875 0 RL
stroke
grestore
(L. ) S
gsave
newpath
192.6 -219.9 M
38.4960938 0 RL
stroke
grestore
(Montulli) S
(, ) S
(\233) S
gsave
newpath
241.5 -219.9 M
115.148438 0 RL
stroke
grestore
(HTTP State Management ) S
gsave
newpath
356.6 -219.9 M
51.3125 0 RL
stroke
grestore
(Mechanism) S
[/Rect [240.457184 -221.549988 408.918121 -209.449982] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2965)] Cd /ANN pdfmark
(,\234) S
112.2 -232 M
(RFC\2402965, October\2402000 ) S
(\() S
gsave
newpath
229.9 -233.1 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [228.859528 -234.749985 252.238434 -222.649979] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc2965.txt)] Cd /ANN pdfmark
(, ) S
gsave
newpath
256.7 -233.1 M
31.15625 0 RL
stroke
grestore
(HTML) S
[/Rect [255.738434 -234.749985 288.894684 -222.649979] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://xml.resource.org/public/rfc/html/rfc2965.html)] Cd /ANN pdfmark
(, ) S
gsave
newpath
293.4 -233.1 M
24.4375 0 RL
stroke
grestore
(XML) S
[/Rect [292.394684 -234.749985 318.832184 -222.649979] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://xml.resource.org/public/rfc/xml/rfc2965.xml)] Cd /ANN pdfmark
(\).) S
8 -253.7 M
([RFC5226]) S
[/View [/XYZ -4 842 null] /Dest /116 /DEST pdfmark
112.2 -253.7 M
(Narten, T. and H. Alvestrand, ) S
(\233) S
gsave
newpath
250.6 -254.8 M
143.542969 0 RL
stroke
grestore
(Guidelines for Writing an IANA) S
[/Rect [249.593903 -256.5 395.136871 -244.399979] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5226)] Cd /ANN pdfmark
112.2 -266.9 M
gsave
newpath
112.2 -268.1 M
115.773438 0 RL
stroke
grestore
(Considerations Section in ) S
gsave
newpath
228 -268.1 M
25.0625 0 RL
stroke
grestore
(RFCs) S
[/Rect [111.242348 -269.699982 254.078278 -257.599976] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5226)] Cd /ANN pdfmark
(,\234 BCP\24026, RFC\2405226, May\2402008 ) S
(\() S
gsave
newpath
405.9 -268.1 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [404.851715 -269.699982 428.230621 -257.599976] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc5226.txt)] Cd /ANN pdfmark
(\).) S
8 -288.7 M
([RFC5280]) S
[/View [/XYZ -4 842 null] /Dest /117 /DEST pdfmark
112.2 -288.7 M
(Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W.) S
112.2 -301.9 M
(Polk, ) S
(\233) S
gsave
newpath
142.8 -303 M
295.597656 0 RL
stroke
grestore
(Internet X.509 Public Key Infrastructure Certificate and Certificate) S
[/Rect [141.793121 -304.65 439.390778 -292.55] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5280)] Cd /ANN pdfmark
112.2 -315.1 M
gsave
newpath
112.2 -316.2 M
104.160156 0 RL
stroke
grestore
(Revocation List \(CRL\) ) S
gsave
newpath
216.4 -316.2 M
29.9257812 0 RL
stroke
grestore
(Profile) S
[/Rect [111.242348 -317.85 247.328278 -305.75] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5280)] Cd /ANN pdfmark
(,\234 RFC\2405280, May\2402008 ) S
(\() S
gsave
newpath
359.1 -316.2 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [358.066559 -317.85 381.445465 -305.75] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc5280.txt)] Cd /ANN pdfmark
(\).) S
8 -336.8 M
([RFC5890]) S
[/View [/XYZ -4 842 null] /Dest /118 /DEST pdfmark
112.2 -336.8 M
(Klensin, J., ) S
(\233) S
gsave
newpath
169.4 -337.9 M
261.113281 0 RL
stroke
grestore
(Internationalized Domain Names for Applications \(IDNA\):) S
[/Rect [168.363434 -339.599976 431.476715 -327.499969] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5890)] Cd /ANN pdfmark
112.2 -350 M
gsave
newpath
112.2 -351.1 M
119.429688 0 RL
stroke
grestore
(Definitions and Document ) S
gsave
newpath
231.7 -351.1 M
50.6953125 0 RL
stroke
grestore
(Framework) S
[/Rect [111.242348 -352.8 283.36734 -340.699982] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5890)] Cd /ANN pdfmark
(,\234 RFC\2405890, August\2402010 ) S
(\() S
gsave
newpath
406.7 -351.1 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [405.718903 -352.8 429.097809 -340.699982] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc5890.txt)] Cd /ANN pdfmark
(\).) S
8 -371.8 M
([RFC5929]) S
[/View [/XYZ -4 842 null] /Dest /119 /DEST pdfmark
112.2 -371.8 M
(Altman, J., Williams, N., and L. Zhu, ) S
(\233) S
gsave
newpath
284.2 -372.9 M
97.4492188 0 RL
stroke
grestore
(Channel Bindings for ) S
gsave
newpath
381.7 -372.9 M
19.5507812 0 RL
stroke
grestore
(TLS) S
[/Rect [283.218903 -374.55 402.218903 -362.449982] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5929)] Cd /ANN pdfmark
(,\234) S
112.2 -385 M
(RFC\2405929, July\2402010 ) S
(\() S
gsave
newpath
212.8 -386.1 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [211.769684 -387.75 235.14859 -375.65] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc5929.txt)] Cd /ANN pdfmark
(\).) S
0 -404.8 M
[/View [/XYZ -4 352.25 null] /Dest /120 /DEST pdfmark
0 -404.8 M
[/View [/XYZ -4 352.25 null] /Dest /121 /DEST pdfmark
0 -423.8 M
%%IncludeResource: font Times-Bold
15 2 Nf
(Appendix) S
[/View [/XYZ -4 351.25 null] /Dest /194 /DEST pdfmark
( A. \(Informative\) Generic syntax of ) S
(headers) S
0 -448 M
11 0 Nf
1.48203123 0 32 0 0 (Several headers \(e.g. WWW-Authenticate: headers in 401-B0, 401-B0-stale, and 401-B1 messages\)) A
0 -461.2 M
1.53794646 0 32 0 0 (shares common header names. To parse these headers, one MAY use the following general syntax) A
0 -474.4 M
(definition of the message syntax: ) S
0 -485.4 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -496.4 M
[/View [/XYZ -4 260.649963 null] /Dest /122 /DEST pdfmark
0 -507.2 M
%%IncludeResource: font Courier
9.0 4 Nf
( ) S
%%IncludeResource: font Courier-Oblique
9.0 5 Nf
(header) S
9.0 4 Nf
(           = ) S
9.0 5 Nf
(header-name) S
9.0 4 Nf
( ":" [) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
(] ) S
9.0 5 Nf
(auth-scheme) S
0 -518 M
9.0 4 Nf
(                    ) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
( ) S
9.0 5 Nf
(fields) S
0 -528.8 M
9.0 4 Nf
( ) S
9.0 5 Nf
(header-name) S
9.0 4 Nf
(      = "WWW-Authenticate" / "Optional-WWW-Authenticate") S
0 -539.5 M
(                  / "Authorization" / "Authentication-info") S
0 -550.3 M
(                  / "Authentication-Control") S
0 -561.1 M
9.0 4 Nf
( ) S
9.0 5 Nf
(auth-scheme) S
9.0 4 Nf
(      = "Mutual"             ) S
9.0 5 Nf
(; see HTTP for other values) S
0 -571.9 M
9.0 4 Nf
( ) S
9.0 5 Nf
(fields) S
9.0 4 Nf
(           = ) S
9.0 5 Nf
(field) S
9.0 4 Nf
( *\([) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
(] "," ) S
9.0 5 Nf
(spaces) S
9.0 4 Nf
( ) S
9.0 5 Nf
(field) S
9.0 4 Nf
(\)) S
0 -582.7 M
9.0 4 Nf
( ) S
9.0 5 Nf
(field) S
9.0 4 Nf
(            = ) S
9.0 5 Nf
(key) S
9.0 4 Nf
( "=" ) S
9.0 5 Nf
(value) S
9.0 4 Nf
(        ) S
9.0 5 Nf
(; either a specific or) S
0 -593.5 M
9.0 4 Nf
(                                         ) S
9.0 5 Nf
(;        an extension field) S
0 -604.3 M
9.0 4 Nf
( ) S
9.0 5 Nf
(key) S
9.0 4 Nf
(              = ) S
9.0 5 Nf
(extensive-token) S
0 -615.1 M
9.0 4 Nf
( ) S
9.0 5 Nf
(token) S
9.0 4 Nf
(            = 1*\(%x30-39 / %x41-5A / %x61-7A / "-" / "_"\)) S
0 -625.9 M
9.0 4 Nf
( ) S
9.0 5 Nf
(extensive-token) S
9.0 4 Nf
(  = ) S
9.0 5 Nf
(token) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(extension-token) S
0 -636.7 M
9.0 4 Nf
( ) S
9.0 5 Nf
(extension-token) S
9.0 4 Nf
(  = "-" ) S
9.0 5 Nf
(token) S
9.0 4 Nf
( 1*\("." ) S
9.0 5 Nf
(token) S
9.0 4 Nf
(\)) S
0 -647.5 M
9.0 4 Nf
( ) S
9.0 5 Nf
(value) S
9.0 4 Nf
(            = ) S
9.0 5 Nf
(extensive-token) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(integer) S
0 -658.3 M
9.0 4 Nf
(                  / ) S
9.0 5 Nf
(hex-fixed-number) S
0 -669.1 M
9.0 4 Nf
(                  / ) S
9.0 5 Nf
(base64-fixed-number) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(string) S
0 -669.1 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 31 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 32 32
%%PageResources: font Times-Roman Times-Bold Courier Courier-Oblique Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
% Page 32, first part: the remaining rules of the Appendix A header grammar
% (Figure 12; the figure starts on the previous page) and the figure caption.
% In "size index Nf" the index follows the FL font table of the prolog:
% 4 = Courier (literals), 5 = Courier-Oblique (rule names and ABNF comments),
% 2 = Times-Bold (caption). M, S and Nf are defined in the prolog outside this
% view; presumably moveto, show and font selection.
0 0 M
0.6 setlinewidth
0 -10.8 M
%%IncludeResource: font Courier
9.0 4 Nf
( ) S
%%IncludeResource: font Courier-Oblique
9.0 5 Nf
% Rule "integer": "0" or a non-zero digit followed by digits, so every value
% has exactly one accepted spelling. The rule puts no upper bound on the
% number of digits.
% NOTE(review): a parser presumably has to bound the length itself before
% converting to a machine integer; confirm against the main text.
(integer) S
9.0 4 Nf
(          = "0" / \(%x31-39 *%x30-39\)      ) S
9.0 5 Nf
(; no leading zeros) S
0 -21.6 M
9.0 4 Nf
( ) S
9.0 5 Nf
% Rule "hex-fixed-number": one or more of 0-9, A-F, a-f (both letter cases).
(hex-fixed-number) S
9.0 4 Nf
( = 1*\(%x30-39 / %x41-46 / %x61-66\)) S
0 -32.4 M
9.0 4 Nf
( ) S
9.0 5 Nf
% Rule "base64-fixed-number" is syntactically just "string": this grammar
% does not constrain the characters between the quotes to the base64
% alphabet, so that check is left to whatever decodes the value.
(base64-fixed-number) S
9.0 4 Nf
( = ) S
9.0 5 Nf
(string) S
0 -43.2 M
9.0 4 Nf
( ) S
9.0 5 Nf
% Rule "string": double-quoted; octets %x20-FF are allowed except a bare
% quote (%x22) or backslash (%x5C); the only escapes are backslash-quote
% (%x5C.22) and a doubled backslash. Octets below %x20 are not allowed, and
% octets above %x7E are, so a parser must not assume ASCII-only content.
(string) S
9.0 4 Nf
(           = %x22 *\(%x20-21 / %x23-5B / %x5D-FF) S
0 -54 M
(                           / %x5C.22 / "\\\\"\) %x22) S
0 -64.8 M
9.0 4 Nf
( ) S
9.0 5 Nf
% Rule "spaces": one or more of SP and HTAB only.
(spaces) S
9.0 4 Nf
(           = 1*\(" " / %x09\)) S
116.9 -87.7 M
%%IncludeResource: font Times-Bold
7.63889 2 Nf
% Figure caption; \240 is mapped to /space by the ISOLatin1Encoding array in
% the prolog.
(\240Figure\24012: the common BNF syntax for the headers in the ) S
(protocol\240) S
0 -101.6 M
% Horizontal rule (454 units wide, 0.6 line width) closing the figure.
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
% Appendix A, message-classification procedure: introduction and the case
% "response with a 401 status".
% Lines of the form "w 0 32 0 0 (text) A" carry an extra width applied to
% character code 32 (space), i.e. justified text; A is defined in the prolog
% outside this view, presumably an awidthshow wrapper.
% Filled circles at x=11 mark top-level items, stroked circles at x=33 mark
% nested items.
%
% Outcomes listed below, in order:
%   no WWW-Authenticate header            -> error
%   scheme other than "Mutual"            -> normal response
%   both sid and stale fields             -> error
%   stale = 0                             -> 401-B0
%   stale = 1                             -> 401-B0-stale
%   sid field present                     -> 401-B1
% NOTE(review): as printed, no item covers a "WWW-Authenticate: Mutual" header
% that has neither sid nor stale, or a stale value other than 0 or 1. The text
% after the procedure allows stricter checks per Section 3; an implementation
% would presumably reject these rather than pick a message kind. Confirm
% against Section 3.
0 -125.8 M
%%IncludeResource: font Times-Roman
11 0 Nf
4.20286465 0 32 0 0 (In this way of parsing, messages will be distinguished by the fields contained in a header) A
0 -139 M
1.60877407 0 32 0 0 (corresponding to the authentication. The procedure below determines the kind of a message which) A
0 -152.2 M
(each HTTP request/response belongs to. ) S
11 -172.8 M
% Top-level bullet (filled circle, radius 2.75).
gsave
0 setgray
newpath
11.0 -172.818619 2.75 0 360 arc
closepath
fill
grestore
22 -176.4 M
(If the message is a response with a "401" status: ) S
33 -187 M
% Nested bullet (stroked circle); the same pattern repeats for each item.
gsave
0 setgray
newpath
33.0 -187.018616 2.75 0 360 arc
closepath
stroke
grestore
44 -190.6 M
(If it does not contain any WWW-Authenticate header, it is an error. ) S
33 -201.2 M
gsave
0 setgray
newpath
33.0 -201.218613 2.75 0 360 arc
closepath
stroke
grestore
44 -204.8 M
1.71905053 0 32 0 0 (If the WWW-Authenticate header specifies a scheme other than "Mutual", it is a normal) A
44 -218 M
(response in this draft's scope. ) S
33 -228.6 M
gsave
0 setgray
newpath
33.0 -228.618607 2.75 0 360 arc
closepath
stroke
grestore
44 -232.2 M
2.41835928 0 32 0 0 (Otherwise, the response contains a "WWW-Authenticate: Mutual" header. If the header) A
44 -245.4 M
(contains both sid and stale fields, it is an error. ) S
33 -256 M
gsave
0 setgray
newpath
33.0 -256.018585 2.75 0 360 arc
closepath
stroke
grestore
44 -259.6 M
(If the header contains a stale field with a value of 0, it is a 401-B0 message. ) S
33 -270.2 M
gsave
0 setgray
newpath
33.0 -270.218597 2.75 0 360 arc
closepath
stroke
grestore
44 -273.8 M
(If the header contains a stale field with a value of 1, it is a 401-B0-stale message. ) S
33 -284.4 M
gsave
0 setgray
newpath
33.0 -284.41861 2.75 0 360 arc
closepath
stroke
grestore
44 -288 M
(If the header contains an sid field, it is a 401-B1 ) S
(message.) S
% Appendix A, message-classification procedure: the case "response other
% than a 401 status". Outcomes listed below, in order:
%   both Authentication-Info and Optional-WWW-Authenticate -> error
%   Authentication-Info with scheme "Mutual"               -> 200-B4
%   Optional-WWW-Authenticate with scheme "Mutual"         -> 200-Optional-B0
%   Optional-WWW-Authenticate with another scheme          -> error or normal
%                                                             response (left
%                                                             undefined here)
%   otherwise                                              -> normal response
% NOTE(review): as printed, an Authentication-Info header whose scheme is not
% "Mutual" falls through to the final "otherwise" item. A client presumably
% must not treat such a response as server-authenticated; confirm against the
% main text.
11 -298.6 M
gsave
0 setgray
newpath
11.0 -298.618622 2.75 0 360 arc
closepath
fill
grestore
22 -302.2 M
(If the message is a response other than a "401" status: ) S
33 -312.8 M
gsave
0 setgray
newpath
33.0 -312.818634 2.75 0 360 arc
closepath
stroke
grestore
44 -316.4 M
1.6328125 0 32 0 0 (If it contains both Authentication-Info and Optional-WWW-Authenticate headers, it is an) A
44 -329.6 M
(error. ) S
33 -340.2 M
gsave
0 setgray
newpath
33.0 -340.218658 2.75 0 360 arc
closepath
stroke
grestore
44 -343.8 M
(If it contains a Authentication-Info header with a scheme "Mutual", it is a 200-B4 message. ) S
33 -354.4 M
gsave
0 setgray
newpath
33.0 -354.418671 2.75 0 360 arc
closepath
stroke
grestore
44 -358 M
4.362216 0 32 0 0 (If it contains a Optional-WWW-Authenticate header with "Mutual" scheme, it is a) A
44 -371.2 M
(200-Optional-B0 message. ) S
33 -381.8 M
gsave
0 setgray
newpath
33.0 -381.818695 2.75 0 360 arc
closepath
stroke
grestore
44 -385.4 M
0.0730168298 0 32 0 0 (If it contains a Optional-WWW-Authenticate header with a scheme other than "Mutual", it is) A
44 -398.6 M
(either an error or a normal response, and the behavior is not defined in this specification. ) S
33 -409.2 M
gsave
0 setgray
newpath
33.0 -409.218719 2.75 0 360 arc
closepath
stroke
grestore
44 -412.8 M
(Otherwise, it is a normal ) S
(response.) S
% Appendix A, message-classification procedure: the case "request", followed
% by the closing sentence that permits stricter checks. Outcomes listed below:
%   no Authorization header, or a scheme other than Mutual -> normal request
%   "Authorization: Mutual" with an sid field              -> req-A3
%   "Authorization: Mutual" without an sid field           -> req-A1
% The procedure classifies by header and field presence only; the closing
% sentence points to Section 3 for the definitions that stricter checks use.
11 -423.4 M
gsave
0 setgray
newpath
11.0 -423.418732 2.75 0 360 arc
closepath
fill
grestore
22 -427 M
(If the message is a request: ) S
33 -437.6 M
gsave
0 setgray
newpath
33.0 -437.618744 2.75 0 360 arc
closepath
stroke
grestore
44 -441.2 M
0.538020849 0 32 0 0 (If it does not contain an Authorization header, or it contains an Authorization header with a) A
44 -454.4 M
(scheme other than Mutual, it is a normal request. ) S
33 -465 M
gsave
0 setgray
newpath
33.0 -465.018768 2.75 0 360 arc
closepath
stroke
grestore
44 -468.6 M
0.690429688 0 32 0 0 (Otherwise, the request contains a "Authorization: Mutual" header. If the header contains an) A
44 -481.8 M
(sid field, it is a req-A3 message. ) S
33 -492.4 M
gsave
0 setgray
newpath
33.0 -492.418793 2.75 0 360 arc
closepath
stroke
grestore
44 -496 M
(If the header do not contain an sid field, it is a req-A1 ) S
(message.) S
0 -520.2 M
0.650065124 0 32 0 0 (Implementations MAY perform checks stricter than the procedure above, according to the definitions) A
0 -533.4 M
(in ) S
% Underline drawn under the link text "Section 3".
gsave
newpath
11.3 -534.5 M
41.2382812 0 RL
stroke
grestore
(Section\2403) S
% Internal link annotation to named destination /18.
[/Rect [10.3046875 -536.198792 53.5429688 -524.098816] /Subtype /Link /Border [0 0 0] /Dest /18 /ANN pdfmark
(. ) S
% Heading and opening sentence of Appendix B (informative): group parameters
% for the discrete-logarithm based algorithms. The parameter values for
% iso-kam3-dl-2048-sha256 follow on the next page.
0 -544.4 M
% Named link destinations (/DEST pdfmark) for the heading.
[/View [/XYZ -4 212.551208 null] /Dest /123 /DEST pdfmark
0 -544.4 M
[/View [/XYZ -4 212.551208 null] /Dest /124 /DEST pdfmark
0 -563.4 M
15 2 Nf
(Appendix) S
[/View [/XYZ -4 211.551208 null] /Dest /195 /DEST pdfmark
( B. \(Informative\) Group parameters for discrete-logarithm) S
0 -581.4 M
(based ) S
(algorithms) S
0 -605.6 M
11 0 Nf
3.01204419 0 32 0 0 (The MODP group used for the iso-kam3-dl-2048-sha256 algorithm is defined by the following ) A
0 -618.8 M
(parameters.) S
0 -629.8 M
% Page footer: page number in Helvetica 8 (FL index 8), then the page-level
% save object taken in the page setup is restored.
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 32 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 33 33
%%PageResources: font Times-Roman Courier Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
% Appendix B parameters for iso-kam3-dl-2048-sha256 (the algorithm is named
% in the sentence that ends the previous page): the prime q, the generator
% g = 2, and r = (q - 1) / 2, which the text calls the size of the subgroup
% generated by g.
% The constants are typeset as 32-bit hexadecimal words, six per line. The
% spaces, the line breaks and the trailing "." are layout only; they are not
% part of the numbers. q below is 64 words, i.e. 2048 bits.
% NOTE(review): these values appear to match the 2048-bit MODP group of
% RFC 3526; confirm against the draft's normative text instead of copying from
% this rendering. Compare the whole constant when verifying an embedded copy:
% the 4096-bit prime printed further down this document is identical up to
% and including the word 15728E5A and differs from the next word on.
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(The prime ) S
(is:) S
0 -35 M
%%IncludeResource: font Courier
9.0 4 Nf
( q = 0xFFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1) S
0 -45.8 M
(       29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD) S
0 -56.6 M
(       EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245) S
0 -67.4 M
(       E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED) S
0 -78.2 M
(       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D) S
0 -89 M
(       C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F) S
0 -99.8 M
(       83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D) S
0 -110.6 M
(       670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B) S
0 -121.4 M
(       E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9) S
0 -132.2 M
(       DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510) S
0 -143 M
(       15728E5A 8AACAA68 FFFFFFFF FFFFFFFF.) S
0 -167.2 M
11 0 Nf
(The generator ) S
(is:) S
0 -189 M
9.0 4 Nf
( g = 2.) S
0 -213.2 M
11 0 Nf
(The size of the subgroup generated by g ) S
(is:) S
0 -235 M
9.0 4 Nf
% r is printed in full in addition to the formula, so an implementation can
% check its own computation of (q - 1) / 2 against the printed value.
( r = \(q - 1\) / 2 =) S
0 -245.8 M
(     0x7FFFFFFF FFFFFFFF E487ED51 10B4611A 62633145 C06E0E68) S
0 -256.6 M
(       94812704 4533E63A 0105DF53 1D89CD91 28A5043C C71A026E) S
0 -267.4 M
(       F7CA8CD9 E69D218D 98158536 F92F8A1B A7F09AB6 B6A8E122) S
0 -278.2 M
(       F242DABB 312F3F63 7A262174 D31BF6B5 85FFAE5B 7A035BF6) S
0 -289 M
(       F71C35FD AD44CFD2 D74F9208 BE258FF3 24943328 F6722D9E) S
0 -299.8 M
(       E1003E5C 50B1DF82 CC6D241B 0E2AE9CD 348B1FD4 7E9267AF) S
0 -310.6 M
(       C1B2AE91 EE51D6CB 0E3179AB 1042A95D CF6A9483 B84B4B36) S
0 -321.4 M
(       B3861AA7 255E4C02 78BA3604 650C10BE 19482F23 171B671D) S
0 -332.2 M
(       F1CF3B96 0C074301 CD93C1D1 7603D147 DAE2AEF8 37A62964) S
0 -343 M
(       EF15E5FB 4AAC0B8C 1CCAA4BE 754AB572 8AE9130C 4C7D0288) S
0 -353.8 M
(       0AB9472D 45565534 7FFFFFFF FFFFFFFF.) S
% Appendix B parameters for iso-kam3-dl-4096-sha512: the prime q. The
% generator and the subgroup size for this group follow on the next page.
% Same layout as the 2048-bit group: 32-bit hexadecimal words, six per line,
% trailing "." not part of the number. q below is 128 words, i.e. 4096 bits.
% NOTE(review): this value appears to match the 4096-bit MODP group of
% RFC 3526; confirm against the draft's normative text. The first ten lines
% and the first word of the eleventh are identical to the 2048-bit prime, so
% only a comparison of the full constant tells the two groups apart.
0 -378 M
11 0 Nf
3.01204419 0 32 0 0 (The MODP group used for the iso-kam3-dl-4096-sha512 algorithm is defined by the following ) A
0 -391.2 M
(parameters.) S
0 -415.4 M
(The prime ) S
(is:) S
0 -437.2 M
9.0 4 Nf
( q = 0xFFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1) S
0 -448 M
(       29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD) S
0 -458.8 M
(       EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245) S
0 -469.6 M
(       E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED) S
0 -480.4 M
(       EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D) S
0 -491.2 M
(       C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F) S
0 -502 M
(       83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D) S
0 -512.8 M
(       670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B) S
0 -523.6 M
(       E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9) S
0 -534.4 M
(       DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510) S
0 -545.2 M
(       15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64) S
0 -556 M
(       ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7) S
0 -566.8 M
(       ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B) S
0 -577.6 M
(       F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C) S
0 -588.4 M
(       BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31) S
0 -599.2 M
(       43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7) S
0 -610 M
(       88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA) S
0 -620.8 M
(       2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6) S
0 -631.6 M
(       287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED) S
0 -642.4 M
(       1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9) S
0 -653.2 M
(       93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34063199) S
0 -664 M
(       FFFFFFFF FFFFFFFF.) S
0 -673 M
% Page footer: page number, then restore of the page-level save object.
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 33 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 34 34
%%PageResources: font Times-Roman Times-Bold Courier Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
% Remaining Appendix B parameters for the 4096-bit group whose prime q ends
% the previous page: the generator g = 2 and r = (q - 1) / 2, which the text
% calls the size of the subgroup generated by g.
% Layout as for q: 32-bit hexadecimal words, six per line; the trailing "."
% is punctuation, not part of the number.
% NOTE(review): the first ten lines and the first word of the eleventh are
% identical to the r printed for the 2048-bit group, so verify an embedded
% copy against the full value.
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(The generator ) S
(is:) S
0 -35 M
%%IncludeResource: font Courier
9.0 4 Nf
( g = 2.) S
0 -59.2 M
11 0 Nf
(The size of the subgroup generated by g ) S
(is:) S
0 -81 M
9.0 4 Nf
( r = \(q - 1\) / 2 =) S
0 -91.8 M
(     0x7FFFFFFF FFFFFFFF E487ED51 10B4611A 62633145 C06E0E68) S
0 -102.6 M
(       94812704 4533E63A 0105DF53 1D89CD91 28A5043C C71A026E) S
0 -113.4 M
(       F7CA8CD9 E69D218D 98158536 F92F8A1B A7F09AB6 B6A8E122) S
0 -124.2 M
(       F242DABB 312F3F63 7A262174 D31BF6B5 85FFAE5B 7A035BF6) S
0 -135 M
(       F71C35FD AD44CFD2 D74F9208 BE258FF3 24943328 F6722D9E) S
0 -145.8 M
(       E1003E5C 50B1DF82 CC6D241B 0E2AE9CD 348B1FD4 7E9267AF) S
0 -156.6 M
(       C1B2AE91 EE51D6CB 0E3179AB 1042A95D CF6A9483 B84B4B36) S
0 -167.4 M
(       B3861AA7 255E4C02 78BA3604 650C10BE 19482F23 171B671D) S
0 -178.2 M
(       F1CF3B96 0C074301 CD93C1D1 7603D147 DAE2AEF8 37A62964) S
0 -189 M
(       EF15E5FB 4AAC0B8C 1CCAA4BE 754AB572 8AE9130C 4C7D0288) S
0 -199.8 M
(       0AB9472D 45556216 D6998B86 82283D19 D42A90D5 EF8E5D32) S
0 -210.6 M
(       767DC282 2C6DF785 457538AB AE83063E D9CB87C2 D370F263) S
0 -221.4 M
(       D5FAD746 6D8499EB 8F464A70 2512B0CE E771E913 0D697735) S
0 -232.2 M
(       F897FD03 6CC50432 6C3B0139 9F643532 290F958C 0BBD9006) S
0 -243 M
(       5DF08BAB BD30AEB6 3B84C460 5D6CA371 047127D0 3A72D598) S
0 -253.8 M
(       A1EDADFE 707E8847 25C16890 54908400 8D391E09 53C3F36B) S
0 -264.6 M
(       C438CD08 5EDD2D93 4CE1938C 357A711E 0D4A341A 5B0A85ED) S
0 -275.4 M
(       12C1F4E5 156A2674 6DDDE16D 826F477C 97477E0A 0FDF6553) S
0 -286.2 M
(       143E2CA3 A735E02E CCD94B27 D04861D1 119DD0C3 28ADF3F6) S
0 -297 M
(       8FB094B8 67716BD7 DC0DEEBB 10B8240E 68034893 EAD82D54) S
0 -307.8 M
(       C9DA754C 46C7EEE0 C37FDBEE 48536047 A6FA1AE4 9A0318CC) S
0 -318.6 M
(       FFFFFFFF FFFFFFFF.) S
0 -327.6 M
% Named link destinations for the Appendix C heading that follows.
[/View [/XYZ -4 429.400024 null] /Dest /125 /DEST pdfmark
0 -327.6 M
[/View [/XYZ -4 429.400024 null] /Dest /126 /DEST pdfmark
% Appendix C (informative): table of derived numerical values.
% Column x positions: 195.8 = dl-2048, 236.7 = dl-4096, 277.7 = ec-p256,
% 319.8 = ec-p521, 361.9 = unit. Row labels start at x = 59.
% The text states that these values are informative only; the normative
% sizes come from the specifications they are derived from.
% The starred dl-* lengths are stated to include the enclosing quotation
% marks. They agree with a base64 encoding plus two quote characters (for
% example 344 + 2 = 346 for 256 octets); this is a reviewer's arithmetic,
% not a statement of the text.
% NOTE(review): a receiver presumably can use the row values as exact length
% checks on wa/wb and oa/ob field values before decoding; confirm that the
% main text requires fixed lengths.
0 -348.6 M
%%IncludeResource: font Times-Bold
15 2 Nf
(Appendix) S
[/View [/XYZ -4 426.400024 null] /Dest /196 /DEST pdfmark
( C. \(Informative\) Derived numerical ) S
(values) S
0 -372.8 M
11 0 Nf
1.37379813 0 32 0 0 (This section gives several numerical values for implementing this protocol, derived from the above) A
0 -386 M
(specifications. The values shown in this section are for informative purpose only. ) S
% Table header row (Times-Bold).
195.8 -414.3 M
11 2 Nf
(dl-2048) S
236.7 -414.3 M
11 2 Nf
(dl-4096) S
277.7 -414.3 M
11 2 Nf
(ec-p256) S
319.8 -414.3 M
11 2 Nf
(ec-p521) S
% Row: size of w_A etc., in bits.
59 -434.1 M
11 0 Nf
(Size of w_A ) S
(etc.) S
195.8 -434.1 M
(2048) S
236.7 -434.1 M
(4096) S
277.7 -434.1 M
(257) S
319.8 -434.1 M
(522) S
361.9 -434.1 M
(\(bits\)) S
% Row: size of the hash output H(...), in bits.
59 -453.8 M
(Size of ) S
(H\(...\)) S
195.8 -453.8 M
(256) S
236.7 -453.8 M
(512) S
277.7 -453.8 M
(256) S
319.8 -453.8 M
(512) S
361.9 -453.8 M
(\(bits\)) S
% Row: length of OCTETS(w_A) etc., in octets.
59 -473.6 M
(length of OCTETS\(w_A\) ) S
(etc.) S
195.8 -473.6 M
(256) S
236.7 -473.6 M
(512) S
277.7 -473.6 M
(33) S
319.8 -473.6 M
(66) S
361.9 -473.6 M
(\(octets\)) S
% Row: length of the wa and wb field values as they appear in a header.
59 -493.3 M
(length of wa, wb field ) S
(values.) S
195.8 -493.3 M
(346 ) S
(*) S
236.7 -493.3 M
(686 ) S
(*) S
277.7 -493.3 M
(66) S
319.8 -493.3 M
(132) S
361.9 -493.3 M
(\(octets\)) S
% Row: length of the oa and ob field values as they appear in a header.
59 -513 M
(length of oa, ob field ) S
(values.) S
195.8 -513 M
(46 ) S
(*) S
236.7 -513 M
(90 ) S
(*) S
277.7 -513 M
(64) S
319.8 -513 M
(128) S
361.9 -513 M
(\(octets\)) S
% Row: minimum allowed s_A; the unit cell is empty (\240 is a space here).
59 -532.8 M
(minimum allowed ) S
(s_A) S
195.8 -532.8 M
(2048) S
236.7 -532.8 M
(4096) S
277.7 -532.8 M
(1) S
319.8 -532.8 M
(1) S
361.9 -532.8 M
(\240) S
0 -562.8 M
11 0 Nf
(\(The numbers marked with * include enclosing quotation ) S
(marks.\)) S
0 -573.8 M
% Named link destinations for the Appendix D heading that follows.
[/View [/XYZ -4 183.25 null] /Dest /127 /DEST pdfmark
0 -573.8 M
[/View [/XYZ -4 183.25 null] /Dest /128 /DEST pdfmark
% Appendix D (informative): draft remarks from the authors, i.e. items under
% consideration for future revisions. The list starts here and continues on
% the next page; the second item's sentence is split across the page break.
0 -592.8 M
15 2 Nf
(Appendix) S
[/View [/XYZ -4 182.25 null] /Dest /197 /DEST pdfmark
( D. \(Informative\) Draft Remarks from the ) S
(Authors) S
0 -617 M
11 0 Nf
(The following items are currently under consideration for future revisions by the authors. ) S
11 -637.5 M
gsave
0 setgray
newpath
11.0 -637.52 2.75 0 360 arc
closepath
fill
grestore
22 -641.1 M
0.480168283 0 32 0 0 (Restructuring of the draft, possibly separating it to several parts, e.g. introduction, general HTTP) A
22 -654.4 M
(extensions and Mutual authentication. ) S
11 -664.9 M
gsave
0 setgray
newpath
11.0 -664.920044 2.75 0 360 arc
closepath
fill
grestore
22 -668.6 M
2.28053975 0 32 0 0 (Format of the "Authentication-Control" header and other header fields extending the general) A
22 -668.6 M
% Page footer: page number, then restore of the page-level save object.
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 34 -) S
0 setgray
44 -8 M
grestore
pgsave restore N
%%Page: 35 35
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
% Appendix D, continued: the rest of the list of items under consideration.
% Items that bear on the security properties of an implementation built from
% this revision:
%   - whether "tls-key" validation is kept at all, and whether it would use
%     TLS channel binding [RFC5929], is still undecided;
%   - test vectors are listed as something to add, so this revision gives
%     none to validate an implementation against;
%   - use for proxy authentication/authorization is listed as future work.
0 0 M
0.6 setlinewidth
22 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
% End of the sentence begun on the previous page.
(HTTP authentication scheme, and harmonization of those with other draft proposals. ) S
11 -23.8 M
gsave
0 setgray
newpath
11.0 -23.77 2.75 0 360 arc
closepath
fill
grestore
22 -27.4 M
11 0 Nf
(Whether to keep TLS-key validation or not. ) S
11 -38 M
gsave
0 setgray
newpath
11.0 -37.97 2.75 0 360 arc
closepath
fill
grestore
22 -41.6 M
0.371419281 0 32 0 0 (When keeping tls-key validation, whether to use ) A
% Underlines for the two parts of the link text "TLS channel binding".
gsave
newpath
240.2 -42.7 M
64.4811172 0 RL
stroke
grestore
0.371419281 0 32 0 0 ("TLS channel ) A
gsave
newpath
304.7 -42.7 M
38.09375 0 RL
stroke
grestore
0.371419281 0 32 0 0 (binding") A
% Internal link to destination /119, which is the [RFC5929] reference entry.
[/Rect [239.234375 -44.3500023 343.808594 -32.25] /Subtype /Link /Border [0 0 0] /Dest /119 /ANN pdfmark
0.371419281 0 32 0 0 ( [RFC5929] for "tls-key") A
22 -54.8 M
2.64808249 0 32 0 0 (verification ) A
2.64808249 0 32 0 0 (\() A
gsave
newpath
81.7 -55.9 M
41.2382812 0 RL
stroke
grestore
2.64808249 0 32 0 0 (Section\2407) A
% Internal link to named destination /55 (Section 7).
[/Rect [80.7421875 -57.5500031 123.980469 -45.4500046] /Subtype /Link /Border [0 0 0] /Dest /55 /ANN pdfmark
2.64808249 0 32 0 0 (\). Note that existing implementations of TLS should be considered to) A
22 -68 M
(determine this. ) S
11 -78.6 M
gsave
0 setgray
newpath
11.0 -78.57 2.75 0 360 arc
closepath
fill
grestore
22 -82.2 M
(Adding test vectors for ensuring implementation correctness. ) S
11 -92.8 M
gsave
0 setgray
newpath
11.0 -92.77 2.75 0 360 arc
closepath
fill
grestore
22 -96.4 M
0.00931490399 0 32 0 0 (Possibly adding a method for servers to detect availability of Mutual authentication on client-side. ) A
11 -107 M
gsave
0 setgray
newpath
11.0 -106.969994 2.75 0 360 arc
closepath
fill
grestore
22 -110.6 M
(Applying the protocol for proxy ) S
(authentication/authorization.) S
0 -121.6 M
% Named link destinations for the Appendix E heading that follows.
[/View [/XYZ -4 635.4 null] /Dest /129 /DEST pdfmark
0 -121.6 M
[/View [/XYZ -4 635.4 null] /Dest /130 /DEST pdfmark
% Appendix E (informative) heading and E.1, changes in revision 07.
% Changes listed that affect what goes on the wire: the definition of
% extensive-token, the type of the nonce-counter related fields (hex-integer
% to integer), and the algorithm token names (now including the hash name).
% NOTE(review): E.1 does not say whether the "version" field changed in this
% revision, whereas E.2 says explicitly that it did not in revision 06.
% Confirm in the main text before assuming that peers built from different
% revisions interoperate or fail cleanly.
0 -140.6 M
%%IncludeResource: font Times-Bold
15 2 Nf
(Appendix) S
[/View [/XYZ -4 634.4 null] /Dest /198 /DEST pdfmark
( E. \(Informative\) Draft Change ) S
(Log) S
0 -148.1 M
[/View [/XYZ -4 608.9 null] /Dest /131 /DEST pdfmark
0 -148.1 M
[/View [/XYZ -4 608.9 null] /Dest /132 /DEST pdfmark
0 -170.6 M
15 2 Nf
(E.1.) S
[/View [/XYZ -4 604.4 null] /Dest /199 /DEST pdfmark
( Changes in revision ) S
(07) S
11 -191.2 M
gsave
0 setgray
newpath
11.0 -191.17 2.75 0 360 arc
closepath
fill
grestore
22 -194.8 M
11 0 Nf
(Adapt to httpbis HTTP/1.1 drafts: ) S
33 -205.4 M
gsave
0 setgray
newpath
33.0 -205.37 2.75 0 360 arc
closepath
stroke
grestore
44 -209 M
(Changed definition of extensive-token. ) S
33 -219.6 M
gsave
0 setgray
newpath
33.0 -219.569992 2.75 0 360 arc
closepath
stroke
grestore
44 -223.2 M
(LWSP continuation-line \(%0D.0A.20\) ) S
(deprecated.) S
11 -233.8 M
gsave
0 setgray
newpath
11.0 -233.769989 2.75 0 360 arc
closepath
fill
grestore
22 -237.4 M
0.514229894 0 32 0 0 (To simplify the whole spec, the type of nonce-counter related fields are change from hex-integer) A
22 -250.6 M
(to integer. ) S
11 -261.2 M
gsave
0 setgray
newpath
11.0 -261.169983 2.75 0 360 arc
closepath
fill
grestore
22 -264.8 M
(Algorithm tokens are renamed to include names of hash algorithms. ) S
11 -275.4 M
gsave
0 setgray
newpath
11.0 -275.37 2.75 0 360 arc
closepath
fill
grestore
22 -279 M
(Clarified the session management, added details of server-side protocol decisions. ) S
11 -289.6 M
gsave
0 setgray
newpath
11.0 -289.57 2.75 0 360 arc
closepath
fill
grestore
22 -293.2 M
(The whole draft was reorganized; introduction and overview has been rewritten. ) S
0 -304.2 M
% Named link destinations for the E.2 heading that follows.
[/View [/XYZ -4 452.8 null] /Dest /133 /DEST pdfmark
0 -304.2 M
[/View [/XYZ -4 452.8 null] /Dest /134 /DEST pdfmark
% E.2, changes in revision 06. The closing sentence records that the
% "version" field was deliberately left unchanged because the semantics did
% not change. One item concerns client behaviour: a new authentication
% request for a sub-request in an interactive client may be silently
% discarded.
0 -323.2 M
15 2 Nf
(E.2.) S
[/View [/XYZ -4 451.8 null] /Dest /200 /DEST pdfmark
( Changes in revision ) S
(06) S
11 -343.8 M
gsave
0 setgray
newpath
11.0 -343.77002 2.75 0 360 arc
closepath
fill
grestore
22 -347.4 M
11 0 Nf
(Integrated Optional Mutual Authentication to the main part. ) S
11 -358 M
gsave
0 setgray
newpath
11.0 -357.970032 2.75 0 360 arc
closepath
fill
grestore
22 -361.6 M
(Clarified the decision procedure for message recognitions. ) S
11 -372.2 M
gsave
0 setgray
newpath
11.0 -372.170044 2.75 0 360 arc
closepath
fill
grestore
22 -375.8 M
2.05649042 0 32 0 0 (Clarified that a new authentication request for any sub-requests in interactive clients may be) A
22 -389 M
(silently discarded. ) S
11 -399.6 M
gsave
0 setgray
newpath
11.0 -399.570068 2.75 0 360 arc
closepath
fill
grestore
22 -403.2 M
(Typos and confusing phrases are fixed. ) S
11 -413.8 M
gsave
0 setgray
newpath
11.0 -413.770081 2.75 0 360 arc
closepath
fill
grestore
22 -417.4 M
(Several "future considerations" are ) S
(added.) S
0 -441.6 M
(The field "version" is NOT changed from the previous draft, as the semantics has not been changed. ) S
0 -452.6 M
% Named link destinations for the E.3 heading that follows.
[/View [/XYZ -4 304.399902 null] /Dest /135 /DEST pdfmark
0 -452.6 M
[/View [/XYZ -4 304.399902 null] /Dest /136 /DEST pdfmark
% E.3 (revision 05) and E.4 (revision 04), then the page footer.
% Revision 05 introduced the "version" field, intended to let a single
% implementation handle future incompatible changes, and the
% "Authentication-Control" header.
% Revision 04 made "tls-key" verification OPTIONAL and widened the patent
% licence wording to cover draft versions of the protocol.
0 -471.6 M
15 2 Nf
(E.3.) S
[/View [/XYZ -4 303.399902 null] /Dest /201 /DEST pdfmark
( Changes in revision ) S
(05) S
11 -492.2 M
gsave
0 setgray
newpath
11.0 -492.170105 2.75 0 360 arc
closepath
fill
grestore
22 -495.8 M
11 0 Nf
3.47806501 0 32 0 0 (A new field "version" is added for supporting future incompatible changes with a single) A
22 -509 M
(implementation. In the \(first\) final specification its value will be changed to 1. ) S
11 -519.6 M
gsave
0 setgray
newpath
11.0 -519.570129 2.75 0 360 arc
closepath
fill
grestore
22 -523.2 M
6.18185759 0 32 0 0 (A new header "Authentication-Control" added for precise control of application-level) A
22 -536.4 M
(authentication ) S
(behavior.) S
0 -547.4 M
[/View [/XYZ -4 209.599854 null] /Dest /137 /DEST pdfmark
0 -547.4 M
[/View [/XYZ -4 209.599854 null] /Dest /138 /DEST pdfmark
0 -566.4 M
15 2 Nf
(E.4.) S
[/View [/XYZ -4 208.599854 null] /Dest /202 /DEST pdfmark
( Changes in revision ) S
(04) S
11 -587 M
gsave
0 setgray
newpath
11.0 -586.970154 2.75 0 360 arc
closepath
fill
grestore
22 -590.6 M
11 0 Nf
0.166145831 0 32 0 0 (Changed text of patent licenses: the phrase "once the protocol is accepted as an Internet standard") A
22 -603.8 M
(is removed so that the sentence also covers the draft versions of this protocol. ) S
11 -614.4 M
gsave
0 setgray
newpath
11.0 -614.370178 2.75 0 360 arc
closepath
fill
grestore
22 -618 M
(The "tls-key" verification is now OPTIONAL. ) S
11 -628.6 M
gsave
0 setgray
newpath
11.0 -628.57019 2.75 0 360 arc
closepath
fill
grestore
22 -632.2 M
(Several description fixes and ) S
(clarifications.) S
0 -632.2 M
% Page footer: page number, then restore of the page-level save object.
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 35 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 36 36
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
% E.5, changes in revision 03. Two items change what a peer accepts:
% wildcard domain specifications (e.g. "*.example.com") became allowed for
% auth-domain parameters (Section 4.1), and the "tls-cert" verification was
% updated in a way the text marks as an incompatible change.
0 0 M
0.6 setlinewidth
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /139 /DEST pdfmark
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /140 /DEST pdfmark
0 -18 M
%%IncludeResource: font Times-Bold
15 2 Nf
(E.5.) S
[/View [/XYZ -4 757.0 null] /Dest /203 /DEST pdfmark
( Changes in revision ) S
(03) S
11 -38.6 M
gsave
0 setgray
newpath
11.0 -38.57 2.75 0 360 arc
closepath
fill
grestore
22 -42.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.63454866 0 32 0 0 (Wildcard domain specifications \(e.g. "*.example.com"\) is allowed for auth-domain parameters ) A
22 -55.4 M
(\() S
% Underline for the link text "Section 4.1".
gsave
newpath
25.7 -56.5 M
49.4882812 0 RL
stroke
grestore
(Section\2404.1) S
% Internal link to named destination /29.
[/Rect [24.6601562 -58.15 76.1484375 -46.0500031] /Subtype /Link /Border [0 0 0] /Dest /29 /ANN pdfmark
(\). ) S
11 -66 M
gsave
0 setgray
newpath
11.0 -65.97 2.75 0 360 arc
closepath
fill
grestore
22 -69.6 M
(Specification of the "tls-cert" verification is updated \(incompatible change\). ) S
11 -80.2 M
gsave
0 setgray
newpath
11.0 -80.1700058 2.75 0 360 arc
closepath
fill
grestore
22 -83.8 M
(State transitions fixed. ) S
11 -94.4 M
gsave
0 setgray
newpath
11.0 -94.37 2.75 0 360 arc
closepath
fill
grestore
22 -98 M
(Requirements for servers about w_a values clarified. ) S
11 -108.6 M
gsave
0 setgray
newpath
11.0 -108.57 2.75 0 360 arc
closepath
fill
grestore
22 -112.2 M
(RFC references are ) S
(updated.) S
0 -123.2 M
% Named link destinations for the E.6 heading that follows.
[/View [/XYZ -4 633.8 null] /Dest /141 /DEST pdfmark
0 -123.2 M
[/View [/XYZ -4 633.8 null] /Dest /142 /DEST pdfmark
% E.6, changes in revision 02. Items touching the protocol itself: 401-B1
% and req-A3 messages gained authentication realm information, the equations
% for o_A and o_B were corrected, and the elliptic-curve algorithms were
% updated.
0 -142.2 M
15 2 Nf
(E.6.) S
[/View [/XYZ -4 632.8 null] /Dest /204 /DEST pdfmark
( Changes in revision ) S
(02) S
11 -162.8 M
gsave
0 setgray
newpath
11.0 -162.77 2.75 0 360 arc
closepath
fill
grestore
22 -166.4 M
11 0 Nf
(Auth-realm is extended to allow full-scheme type. ) S
11 -177 M
gsave
0 setgray
newpath
11.0 -176.97 2.75 0 360 arc
closepath
fill
grestore
22 -180.6 M
(A decision diagram for clients and decision procedures for servers are added. ) S
11 -191.2 M
gsave
0 setgray
newpath
11.0 -191.17 2.75 0 360 arc
closepath
fill
grestore
22 -194.8 M
(401-B1 and req-A3 messages are changed to have authentication realm information. ) S
11 -205.4 M
gsave
0 setgray
newpath
11.0 -205.37 2.75 0 360 arc
closepath
fill
grestore
22 -209 M
(Bugs on equations for o_A and o_B is fixed. ) S
11 -219.6 M
gsave
0 setgray
newpath
11.0 -219.569992 2.75 0 360 arc
closepath
fill
grestore
22 -223.2 M
(Detailed equations for the whole algorithm is included. ) S
11 -233.8 M
gsave
0 setgray
newpath
11.0 -233.769989 2.75 0 360 arc
closepath
fill
grestore
22 -237.4 M
(Elliptic-curve algorithms are updated. ) S
11 -248 M
gsave
0 setgray
newpath
11.0 -247.969986 2.75 0 360 arc
closepath
fill
grestore
22 -251.6 M
(Several clarifications and other minor ) S
(updates.) S
0 -262.6 M
% Named link destination for the "Authors' Addresses" heading that follows.
[/View [/XYZ -4 494.400024 null] /Dest /143 /DEST pdfmark
% "Authors' Addresses": a two-column layout with an optional label in the
% left column (x = 0 to 14.1) and the value at x = 46.2. A cell holding only
% (\240) is empty; \240 is mapped to /space by the ISOLatin1Encoding array in
% the prolog. The last address is split across the page break.
0 -281.6 M
15 2 Nf
(Authors') S
[/View [/XYZ -4 493.400024 null] /Dest /205 /DEST pdfmark
( ) S
(Addresses) S
0 -306.9 M
11 0 Nf
(\240) S
46.2 -306.9 M
(Yutaka ) S
(Oiwa) S
0 -320.6 M
(\240) S
46.2 -320.6 M
(National Institute of Advanced Industrial Science and ) S
(Technology) S
0 -334.4 M
(\240) S
46.2 -334.4 M
(Research Center for Information ) S
(Security) S
0 -348.1 M
(\240) S
46.2 -348.1 M
(Room #1003, Akihabara ) S
(Daibiru) S
0 -361.9 M
(\240) S
46.2 -361.9 M
(1-18-13 ) S
(Sotokanda) S
0 -375.6 M
(\240) S
46.2 -375.6 M
(Chiyoda-ku, ) S
(Tokyo) S
0 -389.4 M
(\240) S
46.2 -389.4 M
(JP) S
12.9 -403.1 M
(Phone:\240) S
46.2 -403.1 M
(+81 ) S
(3-5298-4722) S
14.1 -416.9 M
(Email:\240) S
46.2 -416.9 M
% The address is underlined, but no /ANN link annotation is attached to it.
gsave
newpath
46.2 -418 M
150.320312 0 RL
stroke
grestore
(mutual-auth-contact@m.aist.go.jp) S
0 -430.6 M
(\240) S
46.2 -430.6 M
(\240) S
0 -444.4 M
(\240) S
46.2 -444.4 M
(Hajime ) S
(Watanabe) S
0 -458.1 M
(\240) S
46.2 -458.1 M
(National Institute of Advanced Industrial Science and ) S
(Technology) S
0 -471.9 M
(\240) S
46.2 -471.9 M
(\240) S
0 -485.6 M
(\240) S
46.2 -485.6 M
(Hiromitsu ) S
(Takagi) S
0 -499.4 M
(\240) S
46.2 -499.4 M
(National Institute of Advanced Industrial Science and ) S
(Technology) S
0 -513.1 M
(\240) S
46.2 -513.1 M
(\240) S
0 -526.9 M
(\240) S
46.2 -526.9 M
(Yuichi ) S
(Ioku) S
0 -540.6 M
(\240) S
46.2 -540.6 M
(Yahoo! Japan, ) S
(Inc.) S
0 -554.4 M
(\240) S
46.2 -554.4 M
(Midtown ) S
(Tower) S
0 -568.1 M
(\240) S
46.2 -568.1 M
(9-7-1 ) S
(Akasaka) S
0 -581.9 M
(\240) S
46.2 -581.9 M
(Minato-ku, ) S
(Tokyo) S
0 -595.6 M
(\240) S
46.2 -595.6 M
(JP) S
0 -609.4 M
(\240) S
46.2 -609.4 M
(\240) S
0 -623.1 M
(\240) S
46.2 -623.1 M
(Tatsuya ) S
(Hayashi) S
0 -636.9 M
(\240) S
46.2 -636.9 M
(Lepidum Co. ) S
(Ltd.) S
0 -650.6 M
(\240) S
46.2 -650.6 M
(#602, Village Sasazuka ) S
(3) S
0 -664.4 M
(\240) S
46.2 -664.4 M
(1-30-3 ) S
(Sasazuka) S
46.2 -664.4 M
% Page footer: page number, then restore of the page-level save object.
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 36 -) S
0 setgray
92.3 -8 M
grestore
pgsave restore N
%%Page: 37 37
%%PageResources: font Times-Roman Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
% Last page: the final two lines of the address that begins on the previous
% page, then the page footer.
0 0 M
0.6 setlinewidth
0 -11 M
%%IncludeResource: font Times-Roman
11 0 Nf
(\240) S
46.2 -11 M
(Shibuya-ku, ) S
(Tokyo) S
0 -24.8 M
(\240) S
46.2 -24.8 M
(JP) S
0 -38.5 M
% Page footer: page number, then restore of the page-level save object.
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 37 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%EOF
