One document matched: draft-oiwa-http-mutualauth-11.ps
%!PS-Adobe-3.0
%%Title: Mutual Authentication Protocol for HTTP
%%Creator: html2ps version 1.0 beta5
%%CreationDate: Fri May 18 15:24:17 2012
%%DocumentNeededResources: font Times-Roman Times-Bold Courier Courier-Oblique
%%+ font Helvetica
%%DocumentData: Clean7Bit
%%Orientation: Portrait
%%BoundingBox: 0 0 596 842
%%Pages: 35
%%EndComments
%%BeginProlog
/d {bind def} bind def
/D {def} d
/ie {ifelse} d
/E {exch} d
/t true D
/f false D
/FL [/Times-Roman
/Times-Italic
/Times-Bold
/Times-BoldItalic
/Courier
/Courier-Oblique
/Courier-Bold
/Courier-BoldOblique
/Helvetica
/Helvetica-Oblique
/Helvetica-Bold
/Helvetica-BoldOblique] D
/Cd {aload length 2 idiv dup dict begin {D} repeat currentdict end} D
/reencodeISO {
dup dup findfont dup length dict begin{1 index /FID ne{D}{pop pop}ie}forall
/Encoding ISOLatin1Encoding D currentdict end definefont} D
/ISOLatin1Encoding [
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quoteright
/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash
/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon
/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N
/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright
/asciicircum/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m
/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/space/exclamdown/cent/sterling/currency/yen/brokenbar
/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot
/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior
/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine
/guillemotright/onequarter/onehalf/threequarters/questiondown
/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla
/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex
/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis
/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute
/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis
/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave
/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex
/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis
/yacute/thorn/ydieresis
] D
[128/backslash 129/parenleft 130/parenright 141/circumflex 142/tilde
143/perthousand 144/dagger 145/daggerdbl 146/Ydieresis 147/scaron 148/Scaron
149/oe 150/OE 151/guilsinglleft 152/guilsinglright 153/quotesinglbase
154/quotedblbase 155/quotedblleft 156/quotedblright 157/endash 158/emdash
159/trademark]
aload length 2 idiv 1 1 3 -1 roll{pop ISOLatin1Encoding 3 1 roll put}for
/colorimage where{pop}{
/colorimage {
pop pop /Pr E D {/Cv Pr D /Gr Cv length 3 idiv string D 0 1 Gr length 1 sub
{Gr E dup /i E 3 mul D Cv i get 0.299 mul Cv i 1 add get 0.587 mul add
Cv i 2 add get 0.114 mul add cvi put}for Gr} image} D
}ie
/pdfmark where{pop}{userdict /pdfmark /cleartomark load put}ie
/MySymbol 10 dict dup begin
/FontType 3 D /FontMatrix [.001 0 0 .001 0 0 ] D /FontBBox [25 -10 600 600] D
/Encoding 256 array D 0 1 255{Encoding exch /.notdef put}for
Encoding (e) 0 get /euro put
/Metrics 2 dict D Metrics begin
/.notdef 0 D
/euro 651 D
end
/BBox 2 dict D BBox begin
/.notdef [0 0 0 0] D
/euro [25 -10 600 600] D
end
/CharacterDefs 2 dict D CharacterDefs begin
/.notdef {} D
/euro{newpath 114 600 moveto 631 600 lineto 464 200 lineto 573 200 lineto
573 0 lineto -94 0 lineto 31 300 lineto -10 300 lineto closepath clip
50 setlinewidth newpath 656 300 moveto 381 300 275 0 360 arc stroke
-19 350 moveto 600 0 rlineto -19 250 moveto 600 0 rlineto stroke}d
end
/BuildChar{0 begin
/char E D /fontdict E D /charname fontdict /Encoding get char get D
fontdict begin
Metrics charname get 0 BBox charname get aload pop setcachedevice
CharacterDefs charname get exec
end
end}D
/BuildChar load 0 3 dict put /UniqueID 1 D
end
definefont pop
/Nf {dup 0 ge{FL E get}{-1 eq{/Symbol}{/MySymbol}ie}ie findfont
E scalefont setfont} D
/IP {currentfile picstr readhexstring pop} D
/WF t D
/F 1 D
/N {showpage} d
/RL {rlineto} d
/S {show} d
/L {lineto} d
/M {moveto} d
/A {awidthshow} d
/RM {rmoveto} d
%%EndProlog
%%BeginSetup
%%PaperSize: A4
WF{FL{reencodeISO D}forall}{4 1 FL length 1 sub{FL E get reencodeISO D}for}ie
/Symbol dup dup findfont dup length dict begin
{1 index /FID ne{D}{pop pop}ie}forall /Encoding [Encoding aload pop]
dup 128 /therefore put D currentdict end definefont D
[/Creator (html2ps version 1.0 beta5) /Author () /Keywords (HTTP, authentication) /Subject () /Title (Mutual Authentication Protocol for HTTP) /DOCINFO pdfmark
[/PageMode /UseOutlines /DOCVIEW pdfmark
[/Count 1 /Dest /152 /Title (Mutual Authentication Protocol for HTTP draft-oiwa-http-mutualauth-11) /OUT pdfmark
[/Count 36 /Dest /153 /Title () /OUT pdfmark
[/Dest /153 /Title (Abstract) /OUT pdfmark
[/Dest /154 /Title (Status of this Memo) /OUT pdfmark
[/Dest /155 /Title (Copyright Notice) /OUT pdfmark
[/Dest /156 /Title (Table of Contents) /OUT pdfmark
[/Count -11 /Dest /157 /Title (1. Introduction) /OUT pdfmark
[/Dest /158 /Title (1.1. Relations to other technologies) /OUT pdfmark
[/Dest /159 /Title (1.1.1. Technologies updated or superceded by this proposal) /OUT pdfmark
[/Dest /160 /Title (1.1.1.1. HTTP Basic and Digest authentication) /OUT pdfmark
[/Dest /161 /Title (1.1.1.2. HTML Form authentication) /OUT pdfmark
[/Dest /162 /Title (1.1.2. Technologies not updated by this proposal) /OUT pdfmark
[/Dest /163 /Title (1.1.2.1. Federated identity/authorization management) /OUT pdfmark
[/Dest /164 /Title (1.1.2.2. HTTPS and HTTPS client-certificate authentication) /OUT pdfmark
[/Dest /165 /Title (1.1.2.3. Relationship with local identity-management frameworks) /OUT pdfmark
[/Dest /166 /Title (1.1.2.4. HTTP and HTTP authentication architecture) /OUT pdfmark
[/Dest /167 /Title (1.2. Terminology) /OUT pdfmark
[/Dest /168 /Title (1.3. Document Structure and Related Documents) /OUT pdfmark
[/Count -3 /Dest /169 /Title (2. Protocol Overview) /OUT pdfmark
[/Dest /170 /Title (2.1. Messages Overview) /OUT pdfmark
[/Dest /171 /Title (2.2. Typical Flows of the Protocol) /OUT pdfmark
[/Dest /172 /Title (2.3. Alternative Flows) /OUT pdfmark
[/Count -4 /Dest /173 /Title (3. Message Syntax) /OUT pdfmark
[/Dest /174 /Title (3.1. Values) /OUT pdfmark
[/Dest /175 /Title (3.1.1. Tokens) /OUT pdfmark
[/Dest /176 /Title (3.1.2. Strings) /OUT pdfmark
[/Dest /177 /Title (3.1.3. Numbers) /OUT pdfmark
[/Count -5 /Dest /178 /Title (4. Messages) /OUT pdfmark
[/Dest /179 /Title (4.1. 401-INIT and 401-STALE) /OUT pdfmark
[/Dest /180 /Title (4.2. req-KEX-C1) /OUT pdfmark
[/Dest /181 /Title (4.3. 401-KEX-S1) /OUT pdfmark
[/Dest /182 /Title (4.4. req-VFY-C) /OUT pdfmark
[/Dest /183 /Title (4.5. 200-VFY-S) /OUT pdfmark
[/Count -1 /Dest /184 /Title (5. Authentication Realms) /OUT pdfmark
[/Dest /185 /Title (5.1. Resolving Ambiguities) /OUT pdfmark
[/Dest /186 /Title (6. Session Management) /OUT pdfmark
[/Dest /187 /Title (7. Validation Methods) /OUT pdfmark
[/Dest /188 /Title (8. Authentication Extensions) /OUT pdfmark
[/Dest /189 /Title (9. Decision Procedure for Clients) /OUT pdfmark
[/Dest /190 /Title (10. Decision Procedure for Servers) /OUT pdfmark
[/Count -2 /Dest /191 /Title (11. Authentication Algorithms) /OUT pdfmark
[/Dest /192 /Title (11.1. Support Functions and Notations) /OUT pdfmark
[/Dest /193 /Title (11.2. Default Functions for Algorithms) /OUT pdfmark
[/Dest /194 /Title (12. Application Channel Binding) /OUT pdfmark
[/Dest /195 /Title (13. Application for Proxy Authentication) /OUT pdfmark
[/Dest /196 /Title (14. Methods to Extend This Protocol) /OUT pdfmark
[/Dest /197 /Title (15. IANA Considerations) /OUT pdfmark
[/Count -4 /Dest /198 /Title (16. Security Considerations) /OUT pdfmark
[/Dest /199 /Title (16.1. Security Properties) /OUT pdfmark
[/Dest /200 /Title (16.2. Denial-of-service Attacks to Servers) /OUT pdfmark
[/Dest /201 /Title (16.3. Implementation Considerations) /OUT pdfmark
[/Dest /202 /Title (16.4. Usage Considerations) /OUT pdfmark
[/Dest /203 /Title (17. Notice on Intellectual Properties) /OUT pdfmark
[/Count -2 /Dest /204 /Title (18. References) /OUT pdfmark
[/Dest /205 /Title (18.1. Normative References) /OUT pdfmark
[/Dest /206 /Title (18.2. Informative References) /OUT pdfmark
[/Dest /207 /Title (Appendix A. \(Informative\) Draft Remarks from Authors) /OUT pdfmark
[/Dest /208 /Title (Appendix B. \(Informative\) Draft Change Log) /OUT pdfmark
[/Dest /209 /Title (B.1. Changes in Revision 11) /OUT pdfmark
[/Dest /210 /Title (B.2. Changes in Revision 10) /OUT pdfmark
[/Dest /211 /Title (B.3. Changes in Revision 09) /OUT pdfmark
[/Dest /212 /Title (B.4. Changes in Revision 08) /OUT pdfmark
[/Dest /213 /Title (B.5. Changes in Revision 07) /OUT pdfmark
[/Dest /214 /Title (B.6. Changes in Revision 06) /OUT pdfmark
[/Dest /215 /Title (B.7. Changes in Revision 05) /OUT pdfmark
[/Dest /216 /Title (B.8. Changes in Revision 04) /OUT pdfmark
[/Dest /217 /Title (B.9. Changes in Revision 03) /OUT pdfmark
[/Dest /218 /Title (B.10. Changes in Revision 02) /OUT pdfmark
[/Dest /219 /Title (B.11. Changes in Revision 01) /OUT pdfmark
[/Dest /220 /Title (Authors' Addresses) /OUT pdfmark
%%EndSetup
%%Page: 1 1
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 0 M
[/View [/XYZ -4 842 null] /Dest /0 /DEST pdfmark
0 -0 M
save
2.5 -13.5 M
%%IncludeResource: font Times-Roman
11 0 Nf
(Internet Engineering Task ) S
(Force) S
209.6 -13.5 M
(Y. ) S
(Oiwa) S
2.5 -32.2 M
(Internet-Draft) S
209.6 -32.2 M
(H. ) S
(Watanabe) S
2.5 -51 M
(Intended status: Standards ) S
(Track) S
209.6 -51 M
(H. ) S
(Takagi) S
2.5 -69.8 M
(Expires: November 19, ) S
(2012) S
209.6 -69.8 M
(RISEC, ) S
(AIST) S
2.5 -88.5 M
(\240) S
209.6 -88.5 M
(B. ) S
(Kihara) S
2.5 -107.2 M
(\240) S
209.6 -107.2 M
(T. ) S
(Hayashi) S
2.5 -126 M
(\240) S
209.6 -126 M
(Lepidum) S
2.5 -144.8 M
(\240) S
209.6 -144.8 M
(Y. ) S
(Ioku) S
2.5 -163.5 M
(\240) S
209.6 -163.5 M
(Yahoo! ) S
(Japan) S
2.5 -182.2 M
(\240) S
209.6 -182.2 M
(May 18, ) S
(2012) S
0 -187.5 M
restore
227 -202.7 M
[/View [/XYZ -4 842 null] /Dest /152 /DEST pdfmark
54.5 -221.7 M
%%IncludeResource: font Times-Bold
19 2 Nf
(Mutual Authentication Protocol for ) S
(HTTP) S
100.9 -244.5 M
(draft-oiwa-http-mutualauth-11) S
0 -274.5 M
15 2 Nf
(Abstract) S
[/View [/XYZ -4 500.5 null] /Dest /153 /DEST pdfmark
0 -298.7 M
11 0 Nf
3.428267 0 32 0 0 (This document specifies a mutual authentication method for the Hyper-text Transport Protocol) A
0 -311.9 M
1.42717636 0 32 0 0 (\(HTTP\). This method provides a true mutual authentication between an HTTP client and an HTTP) A
0 -325.1 M
0.872514188 0 32 0 0 (server using password-based authentication. Unlike the Basic and Digest authentication methods, the) A
0 -338.3 M
0.794642866 0 32 0 0 (Mutual authentication method specified in this document assures the user that the server truly knows) A
0 -351.5 M
0.0869140625 0 32 0 0 (the user's encrypted password. This prevents common phishing attacks: a phishing attacker controlling) A
0 -364.7 M
0.398177087 0 32 0 0 (a fake website cannot convince a user that he authenticated to the genuine website. Furthermore, even) A
0 -377.9 M
1.0291667 0 32 0 0 (when a user authenticates to an illegitimate server, the server cannot gain any information about the) A
0 -391.1 M
0.26953125 0 32 0 0 (user's password. The Mutual authentication method is designed as an extension to the HTTP protocol,) A
0 -404.3 M
0.0888020843 0 32 0 0 (and is intended to replace the existing authentication methods used in HTTP \(the Basic method, Digest) A
0 -417.5 M
(method, and authentication using HTML forms\). ) S
0 -447.5 M
15 2 Nf
(Status) S
[/View [/XYZ -4 327.499878 null] /Dest /154 /DEST pdfmark
( of this ) S
(Memo) S
0 -471.7 M
11 0 Nf
(This Internet-Draft is submitted in full conformance with the provisions of BCP\24078 and ) S
(BCP\24079.) S
0 -495.9 M
0.34375 0 32 0 0 (Internet-Drafts are working documents of the Internet Engineering Task Force \(IETF\). Note that other) A
0 -509.1 M
0.389423072 0 32 0 0 (groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is) A
0 -522.3 M
(at ) S
(http://datatracker.ietf.org/drafts/current/.) S
0 -546.5 M
0.275781244 0 32 0 0 (Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced,) A
0 -559.7 M
1.51927078 0 32 0 0 (or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference) A
0 -572.9 M
(material or to cite them other than as \233work in ) S
(progress.\234) S
0 -597.1 M
(This Internet-Draft will expire on November 19, ) S
(2012.) S
0 -609.1 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 1 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 2 2
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -18 M
%%IncludeResource: font Times-Bold
15 2 Nf
(Copyright) S
[/View [/XYZ -4 757.0 null] /Dest /155 /DEST pdfmark
( ) S
(Notice) S
0 -42.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(Copyright \(c\) 2012 IETF Trust and the persons identified as the document authors. All rights ) S
(reserved.) S
0 -66.4 M
3.1208334 0 32 0 0 (This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF) A
0 -79.6 M
1.34730113 0 32 0 0 (Documents \(http://trustee.ietf.org/license-info\) in effect on the date of publication of this document.) A
0 -92.8 M
0.819475472 0 32 0 0 (Please review these documents carefully, as they describe your rights and restrictions with respect to) A
0 -106 M
0.287109375 0 32 0 0 (this document. Code Components extracted from this document must include Simplified BSD License) A
0 -119.2 M
1.24951172 0 32 0 0 (text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as) A
0 -132.4 M
(described in the Simplified BSD ) S
(License.) S
0 -143.4 M
[/View [/XYZ -4 613.6 null] /Dest /1 /DEST pdfmark
0 -162.4 M
15 2 Nf
(Table) S
[/View [/XYZ -4 612.6 null] /Dest /156 /DEST pdfmark
( of ) S
(Contents) S
0 -186.6 M
gsave
newpath
0 -187.7 M
8.25 0 RL
stroke
grestore
11 0 Nf
(1.) S
[/Rect [-1.0 -189.349991 9.25 -177.249985] /Subtype /Link /Border [0 0 0] /Dest /2 /ANN pdfmark
(\240 ) S
(Introduction) S
0 -199.8 M
(\240\240\240\240) S
gsave
newpath
11 -200.9 M
16.5 0 RL
stroke
grestore
(1.1.) S
[/Rect [10.0 -202.549988 28.5 -190.449982] /Subtype /Link /Border [0 0 0] /Dest /4 /ANN pdfmark
(\240 Relations to other ) S
(technologies) S
0 -213 M
(\240\240\240\240\240\240\240\240) S
gsave
newpath
22 -214.1 M
24.75 0 RL
stroke
grestore
(1.1.1.) S
[/Rect [21.0 -215.749985 47.75 -203.649979] /Subtype /Link /Border [0 0 0] /Dest /6 /ANN pdfmark
(\240 Technologies updated or superceded by this ) S
(proposal) S
0 -226.2 M
(\240\240\240\240\240\240\240\240\240\240\240\240) S
gsave
newpath
33 -227.3 M
33.0 0 RL
stroke
grestore
(1.1.1.1.) S
[/Rect [32.0 -228.949982 67.0 -216.849976] /Subtype /Link /Border [0 0 0] /Dest /8 /ANN pdfmark
(\240 HTTP Basic and Digest ) S
(authentication) S
0 -239.4 M
(\240\240\240\240\240\240\240\240\240\240\240\240) S
gsave
newpath
33 -240.5 M
33.0 0 RL
stroke
grestore
(1.1.1.2.) S
[/Rect [32.0 -242.149979 67.0 -230.049973] /Subtype /Link /Border [0 0 0] /Dest /10 /ANN pdfmark
(\240 HTML Form ) S
(authentication) S
0 -252.6 M
(\240\240\240\240\240\240\240\240) S
gsave
newpath
22 -253.7 M
24.75 0 RL
stroke
grestore
(1.1.2.) S
[/Rect [21.0 -255.349976 47.75 -243.249969] /Subtype /Link /Border [0 0 0] /Dest /12 /ANN pdfmark
(\240 Technologies not updated by this ) S
(proposal) S
0 -265.8 M
(\240\240\240\240\240\240\240\240\240\240\240\240) S
gsave
newpath
33 -266.9 M
33.0 0 RL
stroke
grestore
(1.1.2.1.) S
[/Rect [32.0 -268.55 67.0 -256.449982] /Subtype /Link /Border [0 0 0] /Dest /14 /ANN pdfmark
(\240 Federated identity/authorization ) S
(management) S
0 -279 M
(\240\240\240\240\240\240\240\240\240\240\240\240) S
gsave
newpath
33 -280.1 M
33.0 0 RL
stroke
grestore
(1.1.2.2.) S
[/Rect [32.0 -281.75 67.0 -269.65] /Subtype /Link /Border [0 0 0] /Dest /16 /ANN pdfmark
(\240 HTTPS and HTTPS client-certificate ) S
(authentication) S
0 -292.2 M
(\240\240\240\240\240\240\240\240\240\240\240\240) S
gsave
newpath
33 -293.3 M
33.0 0 RL
stroke
grestore
(1.1.2.3.) S
[/Rect [32.0 -294.95 67.0 -282.85] /Subtype /Link /Border [0 0 0] /Dest /18 /ANN pdfmark
(\240 Relationship with local identity-management ) S
(frameworks) S
0 -305.4 M
(\240\240\240\240\240\240\240\240\240\240\240\240) S
gsave
newpath
33 -306.5 M
33.0 0 RL
stroke
grestore
(1.1.2.4.) S
[/Rect [32.0 -308.150024 67.0 -296.050018] /Subtype /Link /Border [0 0 0] /Dest /20 /ANN pdfmark
(\240 HTTP and HTTP authentication ) S
(architecture) S
0 -318.6 M
(\240\240\240\240) S
gsave
newpath
11 -319.7 M
16.5 0 RL
stroke
grestore
(1.2.) S
[/Rect [10.0 -321.350037 28.5 -309.250031] /Subtype /Link /Border [0 0 0] /Dest /22 /ANN pdfmark
(\240 ) S
(Terminology) S
0 -331.8 M
(\240\240\240\240) S
gsave
newpath
11 -332.9 M
16.5 0 RL
stroke
grestore
(1.3.) S
[/Rect [10.0 -334.550049 28.5 -322.450043] /Subtype /Link /Border [0 0 0] /Dest /24 /ANN pdfmark
(\240 Document Structure and Related ) S
(Documents) S
0 -345 M
gsave
newpath
0 -346.1 M
8.25 0 RL
stroke
grestore
(2.) S
[/Rect [-1.0 -347.750061 9.25 -335.650055] /Subtype /Link /Border [0 0 0] /Dest /26 /ANN pdfmark
(\240 Protocol ) S
(Overview) S
0 -358.2 M
(\240\240\240\240) S
gsave
newpath
11 -359.3 M
16.5 0 RL
stroke
grestore
(2.1.) S
[/Rect [10.0 -360.950073 28.5 -348.850067] /Subtype /Link /Border [0 0 0] /Dest /28 /ANN pdfmark
(\240 Messages ) S
(Overview) S
0 -371.4 M
(\240\240\240\240) S
gsave
newpath
11 -372.5 M
16.5 0 RL
stroke
grestore
(2.2.) S
[/Rect [10.0 -374.150085 28.5 -362.050079] /Subtype /Link /Border [0 0 0] /Dest /30 /ANN pdfmark
(\240 Typical Flows of the ) S
(Protocol) S
0 -384.6 M
(\240\240\240\240) S
gsave
newpath
11 -385.7 M
16.5 0 RL
stroke
grestore
(2.3.) S
[/Rect [10.0 -387.350098 28.5 -375.250092] /Subtype /Link /Border [0 0 0] /Dest /33 /ANN pdfmark
(\240 Alternative ) S
(Flows) S
0 -397.8 M
gsave
newpath
0 -398.9 M
8.25 0 RL
stroke
grestore
(3.) S
[/Rect [-1.0 -400.55011 9.25 -388.450104] /Subtype /Link /Border [0 0 0] /Dest /36 /ANN pdfmark
(\240 Message ) S
(Syntax) S
0 -411 M
(\240\240\240\240) S
gsave
newpath
11 -412.1 M
16.5 0 RL
stroke
grestore
(3.1.) S
[/Rect [10.0 -413.750122 28.5 -401.650116] /Subtype /Link /Border [0 0 0] /Dest /38 /ANN pdfmark
(\240 ) S
(Values) S
0 -424.2 M
(\240\240\240\240\240\240\240\240) S
gsave
newpath
22 -425.3 M
24.75 0 RL
stroke
grestore
(3.1.1.) S
[/Rect [21.0 -426.950134 47.75 -414.850128] /Subtype /Link /Border [0 0 0] /Dest /40 /ANN pdfmark
(\240 ) S
(Tokens) S
0 -437.4 M
(\240\240\240\240\240\240\240\240) S
gsave
newpath
22 -438.5 M
24.75 0 RL
stroke
grestore
(3.1.2.) S
[/Rect [21.0 -440.150146 47.75 -428.05014] /Subtype /Link /Border [0 0 0] /Dest /43 /ANN pdfmark
(\240 ) S
(Strings) S
0 -450.6 M
(\240\240\240\240\240\240\240\240) S
gsave
newpath
22 -451.7 M
24.75 0 RL
stroke
grestore
(3.1.3.) S
[/Rect [21.0 -453.350159 47.75 -441.250153] /Subtype /Link /Border [0 0 0] /Dest /45 /ANN pdfmark
(\240 ) S
(Numbers) S
0 -463.8 M
gsave
newpath
0 -464.9 M
8.25 0 RL
stroke
grestore
(4.) S
[/Rect [-1.0 -466.550171 9.25 -454.450165] /Subtype /Link /Border [0 0 0] /Dest /48 /ANN pdfmark
(\240 ) S
(Messages) S
0 -477 M
(\240\240\240\240) S
gsave
newpath
11 -478.1 M
16.5 0 RL
stroke
grestore
(4.1.) S
[/Rect [10.0 -479.750183 28.5 -467.650177] /Subtype /Link /Border [0 0 0] /Dest /50 /ANN pdfmark
(\240 401-INIT and ) S
(401-STALE) S
0 -490.2 M
(\240\240\240\240) S
gsave
newpath
11 -491.3 M
16.5 0 RL
stroke
grestore
(4.2.) S
[/Rect [10.0 -492.950195 28.5 -480.850189] /Subtype /Link /Border [0 0 0] /Dest /52 /ANN pdfmark
(\240 ) S
(req-KEX-C1) S
0 -503.4 M
(\240\240\240\240) S
gsave
newpath
11 -504.5 M
16.5 0 RL
stroke
grestore
(4.3.) S
[/Rect [10.0 -506.150208 28.5 -494.050201] /Subtype /Link /Border [0 0 0] /Dest /54 /ANN pdfmark
(\240 ) S
(401-KEX-S1) S
0 -516.6 M
(\240\240\240\240) S
gsave
newpath
11 -517.7 M
16.5 0 RL
stroke
grestore
(4.4.) S
[/Rect [10.0 -519.35022 28.5 -507.250214] /Subtype /Link /Border [0 0 0] /Dest /56 /ANN pdfmark
(\240 ) S
(req-VFY-C) S
0 -529.8 M
(\240\240\240\240) S
gsave
newpath
11 -530.9 M
16.5 0 RL
stroke
grestore
(4.5.) S
[/Rect [10.0 -532.550232 28.5 -520.450256] /Subtype /Link /Border [0 0 0] /Dest /58 /ANN pdfmark
(\240 ) S
(200-VFY-S) S
0 -543 M
gsave
newpath
0 -544.1 M
8.25 0 RL
stroke
grestore
(5.) S
[/Rect [-1.0 -545.750244 9.25 -533.650269] /Subtype /Link /Border [0 0 0] /Dest /60 /ANN pdfmark
(\240 Authentication ) S
(Realms) S
0 -556.2 M
(\240\240\240\240) S
gsave
newpath
11 -557.3 M
16.5 0 RL
stroke
grestore
(5.1.) S
[/Rect [10.0 -558.950256 28.5 -546.850281] /Subtype /Link /Border [0 0 0] /Dest /62 /ANN pdfmark
(\240 Resolving ) S
(Ambiguities) S
0 -569.4 M
gsave
newpath
0 -570.5 M
8.25 0 RL
stroke
grestore
(6.) S
[/Rect [-1.0 -572.150269 9.25 -560.050293] /Subtype /Link /Border [0 0 0] /Dest /64 /ANN pdfmark
(\240 Session ) S
(Management) S
0 -582.6 M
gsave
newpath
0 -583.7 M
8.25 0 RL
stroke
grestore
(7.) S
[/Rect [-1.0 -585.350281 9.25 -573.250305] /Subtype /Link /Border [0 0 0] /Dest /66 /ANN pdfmark
(\240 Validation ) S
(Methods) S
0 -595.8 M
gsave
newpath
0 -596.9 M
8.25 0 RL
stroke
grestore
(8.) S
[/Rect [-1.0 -598.550293 9.25 -586.450317] /Subtype /Link /Border [0 0 0] /Dest /68 /ANN pdfmark
(\240 Authentication ) S
(Extensions) S
0 -609 M
gsave
newpath
0 -610.1 M
8.25 0 RL
stroke
grestore
(9.) S
[/Rect [-1.0 -611.750305 9.25 -599.65033] /Subtype /Link /Border [0 0 0] /Dest /70 /ANN pdfmark
(\240 Decision Procedure for ) S
(Clients) S
0 -622.2 M
gsave
newpath
0 -623.3 M
13.75 0 RL
stroke
grestore
(10.) S
[/Rect [-1.0 -624.950317 14.75 -612.850342] /Subtype /Link /Border [0 0 0] /Dest /73 /ANN pdfmark
(\240 Decision Procedure for ) S
(Servers) S
0 -635.4 M
gsave
newpath
0 -636.5 M
13.75 0 RL
stroke
grestore
(11.) S
[/Rect [-1.0 -638.15033 14.75 -626.050354] /Subtype /Link /Border [0 0 0] /Dest /75 /ANN pdfmark
(\240 Authentication ) S
(Algorithms) S
0 -648.6 M
(\240\240\240\240) S
gsave
newpath
11 -649.7 M
22.0 0 RL
stroke
grestore
(11.1.) S
[/Rect [10.0 -651.350342 34.0 -639.250366] /Subtype /Link /Border [0 0 0] /Dest /77 /ANN pdfmark
(\240 Support Functions and ) S
(Notations) S
0 -661.8 M
(\240\240\240\240) S
gsave
newpath
11 -662.9 M
22.0 0 RL
stroke
grestore
(11.2.) S
[/Rect [10.0 -664.550354 34.0 -652.450378] /Subtype /Link /Border [0 0 0] /Dest /79 /ANN pdfmark
(\240 Default Functions for ) S
(Algorithms) S
0 -661.8 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 2 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 3 3
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
gsave
newpath
0 -14.3 M
13.75 0 RL
stroke
grestore
%%IncludeResource: font Times-Roman
11 0 Nf
(12.) S
[/Rect [-1.0 -15.9500008 14.75 -3.85000038] /Subtype /Link /Border [0 0 0] /Dest /81 /ANN pdfmark
(\240 Application Channel ) S
(Binding) S
0 -26.4 M
gsave
newpath
0 -27.5 M
13.75 0 RL
stroke
grestore
11 0 Nf
(13.) S
[/Rect [-1.0 -29.1500015 14.75 -17.0500011] /Subtype /Link /Border [0 0 0] /Dest /83 /ANN pdfmark
(\240 Application for Proxy ) S
(Authentication) S
0 -39.6 M
gsave
newpath
0 -40.7 M
13.75 0 RL
stroke
grestore
(14.) S
[/Rect [-1.0 -42.3500023 14.75 -30.2500019] /Subtype /Link /Border [0 0 0] /Dest /85 /ANN pdfmark
(\240 Methods to Extend This ) S
(Protocol) S
0 -52.8 M
gsave
newpath
0 -53.9 M
13.75 0 RL
stroke
grestore
(15.) S
[/Rect [-1.0 -55.5500031 14.75 -43.4500046] /Subtype /Link /Border [0 0 0] /Dest /87 /ANN pdfmark
(\240 IANA ) S
(Considerations) S
0 -66 M
gsave
newpath
0 -67.1 M
13.75 0 RL
stroke
grestore
(16.) S
[/Rect [-1.0 -68.75 14.75 -56.65] /Subtype /Link /Border [0 0 0] /Dest /89 /ANN pdfmark
(\240 Security ) S
(Considerations) S
0 -79.2 M
(\240\240\240\240) S
gsave
newpath
11 -80.3 M
22.0 0 RL
stroke
grestore
(16.1.) S
[/Rect [10.0 -81.95 34.0 -69.85] /Subtype /Link /Border [0 0 0] /Dest /91 /ANN pdfmark
(\240 Security ) S
(Properties) S
0 -92.4 M
(\240\240\240\240) S
gsave
newpath
11 -93.5 M
22.0 0 RL
stroke
grestore
(16.2.) S
[/Rect [10.0 -95.1499939 34.0 -83.0499954] /Subtype /Link /Border [0 0 0] /Dest /93 /ANN pdfmark
(\240 Denial-of-service Attacks to ) S
(Servers) S
0 -105.6 M
(\240\240\240\240) S
gsave
newpath
11 -106.7 M
22.0 0 RL
stroke
grestore
(16.3.) S
[/Rect [10.0 -108.349991 34.0 -96.2499924] /Subtype /Link /Border [0 0 0] /Dest /95 /ANN pdfmark
(\240 Implementation ) S
(Considerations) S
0 -118.8 M
(\240\240\240\240) S
gsave
newpath
11 -119.9 M
22.0 0 RL
stroke
grestore
(16.4.) S
[/Rect [10.0 -121.549988 34.0 -109.449989] /Subtype /Link /Border [0 0 0] /Dest /97 /ANN pdfmark
(\240 Usage ) S
(Considerations) S
0 -132 M
gsave
newpath
0 -133.1 M
13.75 0 RL
stroke
grestore
(17.) S
[/Rect [-1.0 -134.749985 14.75 -122.649986] /Subtype /Link /Border [0 0 0] /Dest /99 /ANN pdfmark
(\240 Notice on Intellectual ) S
(Properties) S
0 -145.2 M
gsave
newpath
0 -146.3 M
13.75 0 RL
stroke
grestore
(18.) S
[/Rect [-1.0 -147.949982 14.75 -135.849976] /Subtype /Link /Border [0 0 0] /Dest /103 /ANN pdfmark
(\240 ) S
(References) S
0 -158.4 M
(\240\240\240\240) S
gsave
newpath
11 -159.5 M
22.0 0 RL
stroke
grestore
(18.1.) S
[/Rect [10.0 -161.149979 34.0 -149.049973] /Subtype /Link /Border [0 0 0] /Dest /103 /ANN pdfmark
(\240 Normative ) S
(References) S
0 -171.6 M
(\240\240\240\240) S
gsave
newpath
11 -172.7 M
22.0 0 RL
stroke
grestore
(18.2.) S
[/Rect [10.0 -174.349976 34.0 -162.249969] /Subtype /Link /Border [0 0 0] /Dest /114 /ANN pdfmark
(\240 Informative ) S
(References) S
0 -184.8 M
gsave
newpath
0 -185.9 M
56.8203125 0 RL
stroke
grestore
(Appendix\240A.) S
[/Rect [-1.0 -187.549973 57.8203125 -175.449966] /Subtype /Link /Border [0 0 0] /Dest /125 /ANN pdfmark
(\240 \(Informative\) Draft Remarks from ) S
(Authors) S
0 -198 M
gsave
newpath
0 -199.1 M
56.2148438 0 RL
stroke
grestore
(Appendix\240B.) S
[/Rect [-1.0 -200.749969 57.2148438 -188.649963] /Subtype /Link /Border [0 0 0] /Dest /127 /ANN pdfmark
(\240 \(Informative\) Draft Change ) S
(Log) S
0 -211.2 M
(\240\240\240\240) S
gsave
newpath
11 -212.3 M
18.3359375 0 RL
stroke
grestore
(B.1.) S
[/Rect [10.0 -213.949966 30.3359375 -201.84996] /Subtype /Link /Border [0 0 0] /Dest /129 /ANN pdfmark
(\240 Changes in Revision ) S
(11) S
0 -224.4 M
(\240\240\240\240) S
gsave
newpath
11 -225.5 M
18.3359375 0 RL
stroke
grestore
(B.2.) S
[/Rect [10.0 -227.149963 30.3359375 -215.049957] /Subtype /Link /Border [0 0 0] /Dest /131 /ANN pdfmark
(\240 Changes in Revision ) S
(10) S
0 -237.6 M
(\240\240\240\240) S
gsave
newpath
11 -238.7 M
18.3359375 0 RL
stroke
grestore
(B.3.) S
[/Rect [10.0 -240.34996 30.3359375 -228.249954] /Subtype /Link /Border [0 0 0] /Dest /133 /ANN pdfmark
(\240 Changes in Revision ) S
(09) S
0 -250.8 M
(\240\240\240\240) S
gsave
newpath
11 -251.9 M
18.3359375 0 RL
stroke
grestore
(B.4.) S
[/Rect [10.0 -253.549957 30.3359375 -241.449951] /Subtype /Link /Border [0 0 0] /Dest /135 /ANN pdfmark
(\240 Changes in Revision ) S
(08) S
0 -264 M
(\240\240\240\240) S
gsave
newpath
11 -265.1 M
18.3359375 0 RL
stroke
grestore
(B.5.) S
[/Rect [10.0 -266.749969 30.3359375 -254.649963] /Subtype /Link /Border [0 0 0] /Dest /137 /ANN pdfmark
(\240 Changes in Revision ) S
(07) S
0 -277.2 M
(\240\240\240\240) S
gsave
newpath
11 -278.3 M
18.3359375 0 RL
stroke
grestore
(B.6.) S
[/Rect [10.0 -279.949982 30.3359375 -267.849976] /Subtype /Link /Border [0 0 0] /Dest /139 /ANN pdfmark
(\240 Changes in Revision ) S
(06) S
0 -290.4 M
(\240\240\240\240) S
gsave
newpath
11 -291.5 M
18.3359375 0 RL
stroke
grestore
(B.7.) S
[/Rect [10.0 -293.15 30.3359375 -281.05] /Subtype /Link /Border [0 0 0] /Dest /141 /ANN pdfmark
(\240 Changes in Revision ) S
(05) S
0 -303.6 M
(\240\240\240\240) S
gsave
newpath
11 -304.7 M
18.3359375 0 RL
stroke
grestore
(B.8.) S
[/Rect [10.0 -306.35 30.3359375 -294.25] /Subtype /Link /Border [0 0 0] /Dest /143 /ANN pdfmark
(\240 Changes in Revision ) S
(04) S
0 -316.8 M
(\240\240\240\240) S
gsave
newpath
11 -317.9 M
18.3359375 0 RL
stroke
grestore
(B.9.) S
[/Rect [10.0 -319.550018 30.3359375 -307.45] /Subtype /Link /Border [0 0 0] /Dest /145 /ANN pdfmark
(\240 Changes in Revision ) S
(03) S
0 -330 M
(\240\240\240\240) S
gsave
newpath
11 -331.1 M
23.8359375 0 RL
stroke
grestore
(B.10.) S
[/Rect [10.0 -332.750031 35.8359375 -320.650024] /Subtype /Link /Border [0 0 0] /Dest /147 /ANN pdfmark
(\240 Changes in Revision ) S
(02) S
0 -343.2 M
(\240\240\240\240) S
gsave
newpath
11 -344.3 M
23.8359375 0 RL
stroke
grestore
(B.11.) S
[/Rect [10.0 -345.950043 35.8359375 -333.850037] /Subtype /Link /Border [0 0 0] /Dest /149 /ANN pdfmark
(\240 Changes in Revision ) S
(01) S
0 -356.4 M
gsave
newpath
0 -357.5 M
5.5 0 RL
stroke
grestore
(\247) S
[/Rect [-1.0 -359.150055 6.5 -347.050049] /Subtype /Link /Border [0 0 0] /Dest /151 /ANN pdfmark
(\240 Authors' ) S
(Addresses) S
0 -367.4 M
[/View [/XYZ -4 389.599945 null] /Dest /2 /DEST pdfmark
0 -367.4 M
[/View [/XYZ -4 389.599945 null] /Dest /3 /DEST pdfmark
0 -386.4 M
%%IncludeResource: font Times-Bold
15 2 Nf
(1.) S
[/View [/XYZ -4 388.599945 null] /Dest /157 /DEST pdfmark
( ) S
(Introduction) S
0 -410.6 M
11 0 Nf
0.901988626 0 32 0 0 (This document specifies a mutual authentication method for Hyper-Text Transport Protocol \(HTTP\).) A
0 -423.8 M
3.13020825 0 32 0 0 (The method, called "Mutual Authentication Protocol" in this document, provides a true mutual) A
0 -437 M
2.5744791 0 32 0 0 (authentication between an HTTP client and an HTTP server, using just a simple password as a) A
0 -450.2 M
(credential. ) S
0 -474.4 M
4.390625 0 32 0 0 (The currently available methods for authentication in HTTP and Web systems have several) A
0 -487.6 M
2.42936206 0 32 0 0 (deficiencies. The ) A
gsave
newpath
82.7 -488.7 M
97.0970078 0 RL
stroke
grestore
2.42936206 0 32 0 0 (Basic authentication ) A
gsave
newpath
179.8 -488.7 M
32.9921875 0 RL
stroke
grestore
2.42936206 0 32 0 0 (method) A
[/Rect [81.71875 -490.350128 213.800781 -478.250122] /Subtype /Link /Border [0 0 0] /Dest /118 /ANN pdfmark
2.42936206 0 32 0 0 ( [RFC2617] sends a plaintext password to a server) A
0 -500.8 M
5.24879789 0 32 0 0 (without any protection; the Digest method uses a hash function that suffers from simple) A
0 -514 M
(dictionary-based off-line attacks, and people have begun to think it is obsolete. ) S
0 -538.2 M
2.0703125 0 32 0 0 (The authentication method proposed in this document solves these problems, substitutes for these) A
0 -551.4 M
2.88867188 0 32 0 0 (existing methods, and serves as a long-term solution to Web authentication security. It has the) A
0 -564.6 M
(following main characteristics: ) S
11 -585.2 M
gsave
0 setgray
newpath
11.0 -585.170166 2.75 0 360 arc
closepath
fill
grestore
22 -588.8 M
0.244791672 0 32 0 0 (It provides "true" mutual authentication: in addition to assuring the server that the user knows the) A
22 -602 M
0.257324219 0 32 0 0 (password, it also assures the user that the server truly knows the user's encrypted password at the) A
22 -615.2 M
1.39375 0 32 0 0 (same time. This makes it impossible for fake website owners to persuade users that they have) A
22 -628.4 M
(authenticated with the original websites. ) S
11 -639 M
gsave
0 setgray
newpath
11.0 -638.970215 2.75 0 360 arc
closepath
fill
grestore
22 -642.6 M
0.953450501 0 32 0 0 (It uses only passwords as the user's credential: unlike public-key-based security algorithms, the) A
22 -655.8 M
0.600643396 0 32 0 0 (method does not rely on secret keys or other cryptographic data that have to be stored inside the) A
22 -669 M
2.08342624 0 32 0 0 (users' computers. The proposed method can be used as a drop-in replacement to the current) A
22 -669 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 3 -) S
0 setgray
44 -8 M
grestore
pgsave restore N
%%Page: 4 4
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
22 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(authentication methods like Basic or Digest, while ensuring a much stronger level of security. ) S
11 -23.8 M
gsave
0 setgray
newpath
11.0 -23.77 2.75 0 360 arc
closepath
fill
grestore
22 -27.4 M
11 0 Nf
0.63671875 0 32 0 0 (It is secure: when the server fails to authenticate with a user, the protocol will not reveal any bit) A
22 -40.6 M
(of the user's ) S
(password.) S
0 -64.8 M
1.37447917 0 32 0 0 (Users can discriminate between true and fake Web servers using their own passwords by using the) A
0 -78 M
0.822395861 0 32 0 0 (proposed method. Even when a user inputs his/her password to a fake website owned by illegitimate) A
0 -91.2 M
0.0302083325 0 32 0 0 (phishers, the user will certainly notice that the authentication has failed. Phishers will not be successful) A
0 -104.4 M
1.67236328 0 32 0 0 (in their authentication attempts, even if they forward the received data from a user to a legitimate) A
0 -117.6 M
0.693014681 0 32 0 0 (server or vice versa. Users can input sensitive data to the web forms after confirming that the mutual) A
0 -130.8 M
(authentication has succeeded, without fear of phishing attacks. ) S
0 -155 M
2.42695308 0 32 0 0 (The document, along with ) A
gsave
newpath
127.9 -156.1 M
135.890625 0 RL
stroke
grestore
2.42695308 0 32 0 0 ([I-D.oiwa-http-auth-extension]) A
[/Rect [126.917969 -157.749985 264.808594 -145.649979] /Subtype /Link /Border [0 0 0] /Dest /106 /ANN pdfmark
2.42695308 0 32 0 0 (, also proposes several extensions to the) A
0 -168.2 M
6.80902767 0 32 0 0 (current HTTP authentication framework, to replace current widely-used form-based Web) A
0 -181.4 M
(authentication. The extensions provided include: ) S
11 -202 M
gsave
0 setgray
newpath
11.0 -201.969986 2.75 0 360 arc
closepath
fill
grestore
22 -205.6 M
(Multi-host single authentication within an Internet domain ) S
(\() S
gsave
newpath
285.6 -206.7 M
41.2382812 0 RL
stroke
grestore
(Section\2405) S
[/Rect [284.59375 -208.349976 327.832031 -196.249969] /Subtype /Link /Border [0 0 0] /Dest /60 /ANN pdfmark
(\), ) S
11 -216.2 M
gsave
0 setgray
newpath
11.0 -216.169983 2.75 0 360 arc
closepath
fill
grestore
22 -219.8 M
(non-mandatory, optional authentication on HTTP ) S
(\() S
gsave
newpath
246.2 -220.9 M
41.2382812 0 RL
stroke
grestore
(Section\2408) S
[/Rect [245.199219 -222.549973 288.4375 -210.449966] /Subtype /Link /Border [0 0 0] /Dest /68 /ANN pdfmark
(\), ) S
11 -230.4 M
gsave
0 setgray
newpath
11.0 -230.36998 2.75 0 360 arc
closepath
fill
grestore
22 -234 M
(log out from both server and client side ) S
(\() S
gsave
newpath
201.6 -235.1 M
41.2382812 0 RL
stroke
grestore
(Section\2408) S
[/Rect [200.589844 -236.749969 243.828125 -224.649963] /Subtype /Link /Border [0 0 0] /Dest /68 /ANN pdfmark
(\), and ) S
11 -244.6 M
gsave
0 setgray
newpath
11.0 -244.569977 2.75 0 360 arc
closepath
fill
grestore
22 -248.2 M
(finer control for redirection depending on authentication status ) S
(\() S
gsave
newpath
304.2 -249.3 M
41.2382812 0 RL
stroke
grestore
(Section\2408) S
[/Rect [303.195312 -250.949966 346.433594 -238.84996] /Subtype /Link /Border [0 0 0] /Dest /68 /ANN pdfmark
(\).) S
0 -259.2 M
[/View [/XYZ -4 497.800049 null] /Dest /4 /DEST pdfmark
0 -259.2 M
[/View [/XYZ -4 497.800049 null] /Dest /5 /DEST pdfmark
0 -274.8 M
%%IncludeResource: font Times-Bold
13 2 Nf
(1.1.) S
[/View [/XYZ -4 497.800049 null] /Dest /158 /DEST pdfmark
( Relations to other ) S
(technologies) S
0 -281.3 M
[/View [/XYZ -4 475.700043 null] /Dest /6 /DEST pdfmark
0 -281.3 M
[/View [/XYZ -4 475.700043 null] /Dest /7 /DEST pdfmark
0 -300.8 M
13 2 Nf
(1.1.1.) S
[/View [/XYZ -4 471.800049 null] /Dest /159 /DEST pdfmark
( Technologies updated or superceded by this ) S
(proposal) S
0 -307.3 M
[/View [/XYZ -4 449.700043 null] /Dest /8 /DEST pdfmark
0 -307.3 M
[/View [/XYZ -4 449.700043 null] /Dest /9 /DEST pdfmark
0 -326.8 M
13 2 Nf
(1.1.1.1.) S
[/View [/XYZ -4 445.800049 null] /Dest /160 /DEST pdfmark
( HTTP Basic and Digest ) S
(authentication) S
0 -351 M
11 0 Nf
2.89603376 0 32 0 0 (The main purpose of this proposal is obviously updating the two existing HTTP authentication) A
0 -364.2 M
(methods, ) S
gsave
newpath
42.8 -365.3 M
45.8164062 0 RL
stroke
grestore
(Basic and ) S
gsave
newpath
88.6 -365.3 M
28.7109375 0 RL
stroke
grestore
(Digest) S
[/Rect [41.7695312 -366.949982 118.296875 -354.849976] /Subtype /Link /Border [0 0 0] /Dest /118 /ANN pdfmark
( [RFC2617]. ) S
0 -388.4 M
2.20419025 0 32 0 0 (HTTP Basic authentication, as its name suggests, provides very simple authentication mechanism) A
0 -401.6 M
1.05305994 0 32 0 0 (using plain-text password directly upon the HTTP transport. HTTP Digest authentication focuses on) A
0 -414.8 M
2.19791675 0 32 0 0 (mitigating the fundamental weakness of Basic authentication by using MD5-based hashing to the) A
0 -428 M
0.7734375 0 32 0 0 (authentication, but that has almost failed to deploy due to improper implementations, interoperability) A
0 -441.2 M
2.734375 0 32 0 0 (problems, and missing feature implementations before MD5 has deprecated by its cryptographic) A
0 -454.4 M
7.11328125 0 32 0 0 (weakness. Digest also has a fundamental problem that the server-side must posses a) A
0 -467.6 M
(password-equivalent to perform authentication, which increases risks of server-side data leakage. ) S
0 -478.6 M
[/View [/XYZ -4 278.399933 null] /Dest /10 /DEST pdfmark
0 -478.6 M
[/View [/XYZ -4 278.399933 null] /Dest /11 /DEST pdfmark
0 -494.2 M
13 2 Nf
(1.1.1.2.) S
[/View [/XYZ -4 278.399933 null] /Dest /161 /DEST pdfmark
( HTML Form ) S
(authentication) S
0 -518.4 M
11 0 Nf
0.0924479142 0 32 0 0 (Another aim of this protocol is \(at least\) partially replacing the HTML form authentication. Because of) A
0 -531.6 M
1.05566406 0 32 0 0 (inflexibility of the HTTP Basic authentication, recent Web applications tend to use application-level) A
0 -544.8 M
2.122159 0 32 0 0 (implementations for user authentication using HTML Forms and Web browser rendering engines.) A
0 -558 M
4.28665876 0 32 0 0 (However, that method has many potential security weaknesses as same as the HTTP Basic) A
0 -571.2 M
0.533203125 0 32 0 0 (authentication as it uses plaintext. Considering server-impersonations and existence of human-forging) A
0 -584.4 M
0.318181813 0 32 0 0 (rogue servers \(i.e. phishing\), script-based implementations of hash-based authentication does not help,) A
0 -597.6 M
2.97025251 0 32 0 0 (because its behavior is completely controlled by the web-page content itself, which is possibly) A
0 -610.8 M
1.921875 0 32 0 0 (provided by such a rogue server. This also closes any possibilities for extending HTML forms to) A
0 -624 M
2.88834643 0 32 0 0 (implement cryptography, as its user-interface could not be prevented from being imitated using) A
0 -637.2 M
0.233593747 0 32 0 0 (plain-text forms. Using HTTP-level authentication is better in this field, because it is under the control) A
0 -650.4 M
5.99902344 0 32 0 0 (of the client software \(Web browsers\), which can enforce security checks regardless of) A
0 -663.6 M
(server-provided contents. ) S
0 -663.6 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 4 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 5 5
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
3.04241061 0 32 0 0 (Of course, we could not ignore the strong reasons of favoring Form authentication over Basic) A
0 -26.4 M
1.95987213 0 32 0 0 (authentication: its flexibility. HTTP authentication framework lacks many features for recent Web) A
0 -39.6 M
4.48681641 0 32 0 0 (applications, mainly for interactions between HTTP-level authentications and application-level) A
0 -52.8 M
5.19843769 0 32 0 0 (management of "authentication sessions". As long as current HTTP-layer \(and lower-layer\)) A
0 -66 M
1.1072917 0 32 0 0 (authentication are used, the new method would share the same problem. To solve this problem, this) A
0 -79.2 M
1.64160156 0 32 0 0 (protocol has a companion mechanism for application-level control of authentication behaviors as ) A
gsave
newpath
449.1 -80.3 M
4.8828125 0 RL
stroke
grestore
1.64160156 0 32 0 0 (a) A
[/Rect [448.105469 -81.95 454.988281 -69.85] /Subtype /Link /Border [0 0 0] /Dest /106 /ANN pdfmark
0 -92.4 M
gsave
newpath
0 -93.5 M
39.9444427 0 RL
stroke
grestore
1.17100692 0 32 0 0 (separate ) A
gsave
newpath
39.9 -93.5 M
20.7578125 0 RL
stroke
grestore
1.17100692 0 32 0 0 (draft) A
[/Rect [-1.0 -95.1499939 61.6992188 -83.0499954] /Subtype /Link /Border [0 0 0] /Dest /106 /ANN pdfmark
1.17100692 0 32 0 0 ( [I-D.oiwa-http-auth-extension]. By using this additional mechanism, Web applications) A
0 -105.6 M
1.74270833 0 32 0 0 (can implement most of these required features as easy as just calling an already-provided API for) A
0 -118.8 M
(them. ) S
0 -129.8 M
[/View [/XYZ -4 627.2 null] /Dest /12 /DEST pdfmark
0 -129.8 M
[/View [/XYZ -4 627.2 null] /Dest /13 /DEST pdfmark
0 -145.4 M
%%IncludeResource: font Times-Bold
13 2 Nf
(1.1.2.) S
[/View [/XYZ -4 627.2 null] /Dest /162 /DEST pdfmark
( Technologies not updated by this ) S
(proposal) S
0 -151.9 M
[/View [/XYZ -4 605.1 null] /Dest /14 /DEST pdfmark
0 -151.9 M
[/View [/XYZ -4 605.1 null] /Dest /15 /DEST pdfmark
0 -171.4 M
13 2 Nf
(1.1.2.1.) S
[/View [/XYZ -4 601.2 null] /Dest /163 /DEST pdfmark
( Federated identity/authorization ) S
(management) S
0 -195.6 M
11 0 Nf
10.7777777 0 32 0 0 (There are several technologies \(protocols, frameworks, or systems\) for managing) A
0 -208.8 M
0.421875 0 32 0 0 (authentications/authorizations involving multiple-parties: some of those examples are OAuth, OpenID) A
0 -222 M
4.28938818 0 32 0 0 (Connect, SAML etc. These technologies can be further divided to two categories: federated) A
0 -235.2 M
(authentication and authorization delegation, although some of these technologies cover both. ) S
0 -259.4 M
0.953125 0 32 0 0 (Federated authentication provides so-called "three-legged authentication": provided the result of user) A
0 -272.6 M
0.424665183 0 32 0 0 (authentication to a single entity \(identity provider\) and the user's consent, the mechanism can provide) A
0 -285.8 M
1.35096157 0 32 0 0 (other entities assertion of the user's identity without performing a separate identity management by) A
0 -299 M
0.296596 0 32 0 0 (every entity. Authorization delegation gives a mechanism for transferring a part of the user's privilege) A
0 -312.2 M
0.845833361 0 32 0 0 (on an entity \(resource owners\) to another entity without requiring users give away the full credential) A
0 -325.4 M
(for the authentication. ) S
0 -349.6 M
4.26100874 0 32 0 0 (Essentially, both of those technologies are transforming a result of conventional, one-by-one) A
0 -362.8 M
0.010516827 0 32 0 0 (\(two-legged\) authentication into a multi-party privilege management. The purpose of this protocol is to) A
0 -376 M
0.0280761719 0 32 0 0 (secure the very part of the two-legged authentication, and so it can be naturally combined with existing) A
0 -389.2 M
(federated management frameworks for increasing security of the entire system. ) S
0 -413.4 M
5.568892 0 32 0 0 (Additionally, this protocol can provide a secure peer-to-peer shared key generated during) A
0 -426.6 M
1.34825718 0 32 0 0 (authentication to the higher-layer applications ) A
gsave
newpath
211.7 -427.7 M
46.7382812 0 RL
stroke
grestore
1.34825718 0 32 0 0 (Section\24012) A
[/Rect [210.667969 -429.350128 259.40625 -417.250122] /Subtype /Link /Border [0 0 0] /Dest /81 /ANN pdfmark
1.34825718 0 32 0 0 (. These keys can be possibly used by such) A
0 -439.8 M
(federating mechanisms in future for simplifying/securing the framework. ) S
0 -450.8 M
[/View [/XYZ -4 306.19986 null] /Dest /16 /DEST pdfmark
0 -450.8 M
[/View [/XYZ -4 306.19986 null] /Dest /17 /DEST pdfmark
0 -466.4 M
13 2 Nf
(1.1.2.2.) S
[/View [/XYZ -4 306.19986 null] /Dest /164 /DEST pdfmark
( HTTPS and HTTPS client-certificate ) S
(authentication) S
0 -490.6 M
11 0 Nf
2.608073 0 32 0 0 (This protocol will not replace the wide-spread and widely-accepted technology of SSL/TLS and) A
0 -503.8 M
2.01147461 0 32 0 0 (HTTPS. This protocol will still relying on the HTTPS for the integrity and secrecy of the HTTP) A
0 -517 M
1.3984375 0 32 0 0 (payload. This protocol ensures users the integrity and secrecy of the authentication credentials, and) A
0 -530.2 M
(authenticity of the talking peer server. ) S
0 -554.4 M
2.76796865 0 32 0 0 (Client certificate \(and other public-key-based\) authentications have a fair-amount of applications) A
0 -567.6 M
1.79190338 0 32 0 0 (\(mainly for high-assurance applications\), and there are possible needs for redesigning/updating the) A
0 -580.8 M
0.0234375 0 32 0 0 (whole framework. However, currently public-key-based user-authentication and connection-based user) A
0 -594 M
(identification is out-of-scope of this proposal. ) S
0 -605 M
[/View [/XYZ -4 151.999756 null] /Dest /18 /DEST pdfmark
0 -605 M
[/View [/XYZ -4 151.999756 null] /Dest /19 /DEST pdfmark
0 -605 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 5 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 6 6
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -15.6 M
%%IncludeResource: font Times-Bold
13 2 Nf
(1.1.2.3.) S
[/View [/XYZ -4 757.0 null] /Dest /165 /DEST pdfmark
( Relationship with local identity-management ) S
(frameworks) S
0 -39.8 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.435997605 0 32 0 0 (There are several existing frameworks for managing user identity of tightly-managed, closed group of) A
0 -53 M
0.498697907 0 32 0 0 (users, such as Kerberos etc. Some of these have defined a bridging protocol for HTTP authentication.) A
0 -66.2 M
(This protocol does not currently aim to replace such existing frameworks. ) S
0 -90.4 M
4.6264205 0 32 0 0 (More precisely, requirements for those framework and usual Web user authentication differ) A
0 -103.6 M
3.06730771 0 32 0 0 (fundamentally. In such framework, user authentication in performed first, and the result of the) A
0 -116.8 M
3.5357573 0 32 0 0 (authentication tends to be shared in all applications, sometimes even shared regardless of the) A
0 -130 M
0.957490802 0 32 0 0 (underlying protocols. In those systems, it is almost never likely to use a multiple identity to be used) A
0 -143.2 M
2.45239258 0 32 0 0 (inside a single server and inside a single client machine at the same time. In such applications,) A
0 -156.4 M
0.579687476 0 32 0 0 (connection-based or even a machine-based authentication can be used without a trouble. This is not a) A
0 -169.6 M
(case for the general Web authentication applications. ) S
0 -180.6 M
[/View [/XYZ -4 576.4 null] /Dest /20 /DEST pdfmark
0 -180.6 M
[/View [/XYZ -4 576.4 null] /Dest /21 /DEST pdfmark
0 -196.2 M
13 2 Nf
(1.1.2.4.) S
[/View [/XYZ -4 576.4 null] /Dest /166 /DEST pdfmark
( HTTP and HTTP authentication ) S
(architecture) S
0 -220.4 M
11 0 Nf
2.70987225 0 32 0 0 (Although HTTP and generic HTTP authentication architecture lacks some required features \(see) A
0 -233.6 M
0.73046875 0 32 0 0 (above\), the whole structure of per-request, per-resource authentication is well-suited for general Web) A
0 -246.8 M
7.66210938 0 32 0 0 (applications compared with connection-based or machine-based authentication/authorization) A
0 -260 M
1.29799104 0 32 0 0 (framework \(those which tie user identity to either connections or machines\). The whole protocol in) A
0 -273.2 M
0.0348557681 0 32 0 0 (this specification is designed on top of the framework of ) A
gsave
newpath
251.4 -274.3 M
110.84375 0 RL
stroke
grestore
0.0348557681 0 32 0 0 ([I-D.ietf-httpbis-p7-auth]) A
[/Rect [250.371094 -275.95 363.214844 -263.85] /Subtype /Link /Border [0 0 0] /Dest /105 /ANN pdfmark
0.0348557681 0 32 0 0 (. Small extensions to) A
0 -286.4 M
0.710582376 0 32 0 0 (the framework in this specification and ) A
gsave
newpath
178.9 -287.5 M
135.890625 0 RL
stroke
grestore
0.710582376 0 32 0 0 ([I-D.oiwa-http-auth-extension]) A
[/Rect [177.933594 -289.150024 315.824219 -277.050018] /Subtype /Link /Border [0 0 0] /Dest /106 /ANN pdfmark
0.710582376 0 32 0 0 (, which are designed for filling) A
0 -299.6 M
0.143310547 0 32 0 0 (the missing features, are carefully designed so that it can be implemented easily only by the client-side) A
0 -312.8 M
(without changing the whole framework. ) S
0 -323.8 M
[/View [/XYZ -4 433.199951 null] /Dest /22 /DEST pdfmark
0 -323.8 M
[/View [/XYZ -4 433.199951 null] /Dest /23 /DEST pdfmark
0 -339.4 M
13 2 Nf
(1.2.) S
[/View [/XYZ -4 433.199951 null] /Dest /167 /DEST pdfmark
( ) S
(Terminology) S
0 -363.6 M
11 0 Nf
2.37011719 0 32 0 0 (The key words "MUST", "MUST\240NOT", "REQUIRED", "SHALL", "SHALL\240NOT", "SHOULD",) A
0 -376.8 M
1.49739587 0 32 0 0 ("SHOULD\240NOT", "RECOMMENDED", "NOT\240RECOMMENDED", "MAY", and "OPTIONAL" in) A
0 -390 M
(this document are to be interpreted as described in ) S
gsave
newpath
223.9 -391.1 M
50.1054688 0 RL
stroke
grestore
([RFC2119]) S
[/Rect [222.863281 -392.750092 274.96875 -380.650085] /Subtype /Link /Border [0 0 0] /Dest /108 /ANN pdfmark
(.) S
0 -414.2 M
6.61002588 0 32 0 0 (The terms "encouraged" and "advised" are used for suggestions that do not constitute) A
0 -427.4 M
3.4172585 0 32 0 0 ("SHOULD"-level requirements. People MAY freely choose not to include the suggested items) A
0 -440.6 M
0.508091509 0 32 0 0 (regarding ) A
gsave
newpath
45.4 -441.7 M
50.1054688 0 RL
stroke
grestore
0.508091509 0 32 0 0 ([RFC2119]) A
[/Rect [44.3984375 -443.350128 96.5039062 -431.250122] /Subtype /Link /Border [0 0 0] /Dest /108 /ANN pdfmark
0.508091509 0 32 0 0 (, but complying with those suggestions would be a best practice; it will improve) A
0 -453.8 M
(the security, interoperability, and/or operational ) S
(performance.) S
0 -478 M
0.310302734 0 32 0 0 (This document distinguishes the terms "client" and "user" in the following way: A "client" is an entity) A
0 -491.2 M
0.23401989 0 32 0 0 (understanding and talking HTTP and the specified authentication protocol, usually computer software;) A
0 -504.4 M
(a "user" is a \(usually natural\) person who wants to access data resources using "a ) S
(client".) S
0 -528.6 M
2.9309895 0 32 0 0 (The term "natural numbers" refers to the non-negative integers \(including zero\) throughout this ) A
0 -541.8 M
(document.) S
0 -566 M
3.25270438 0 32 0 0 (This document treats target \(codomain\) of hash functions to be natural numbers. The notation) A
0 -579.2 M
(OCTETS\(H\(s\)\) gives a usual octet-string output of hash function H applied to string ) S
(s.) S
0 -590.2 M
[/View [/XYZ -4 166.799805 null] /Dest /24 /DEST pdfmark
0 -590.2 M
[/View [/XYZ -4 166.799805 null] /Dest /25 /DEST pdfmark
0 -605.8 M
13 2 Nf
(1.3.) S
[/View [/XYZ -4 166.799805 null] /Dest /168 /DEST pdfmark
( Document Structure and Related ) S
(Documents) S
0 -630 M
11 0 Nf
(The entire document is organized as follows: ) S
0 -630 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 6 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 7 7
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
11 -9.6 M
gsave
0 setgray
newpath
11.0 -9.57000065 2.75 0 360 arc
closepath
fill
grestore
22 -13.2 M
gsave
newpath
22 -14.3 M
41.2382812 0 RL
stroke
grestore
%%IncludeResource: font Times-Roman
11 0 Nf
(Section\2402) S
[/Rect [21.0 -15.9500008 64.2382812 -3.85000038] /Subtype /Link /Border [0 0 0] /Dest /26 /ANN pdfmark
( presents an overview of the protocol design. ) S
11 -23.8 M
gsave
0 setgray
newpath
11.0 -23.77 2.75 0 360 arc
closepath
fill
grestore
22 -27.4 M
3.48737979 0 32 0 0 (Sections ) A
gsave
newpath
65.5 -28.5 M
5.5 0 RL
stroke
grestore
3.48737979 0 32 0 0 (3) A
[/Rect [64.5 -30.1500015 72.0 -18.0500011] /Subtype /Link /Border [0 0 0] /Dest /36 /ANN pdfmark
3.48737979 0 32 0 0 ( to ) A
gsave
newpath
92 -28.5 M
11.0 0 RL
stroke
grestore
3.48737979 0 32 0 0 (10) A
[/Rect [91.0234375 -30.1500015 104.023438 -18.0500011] /Subtype /Link /Border [0 0 0] /Dest /73 /ANN pdfmark
3.48737979 0 32 0 0 ( define a general framework of the Mutual authentication protocol. This) A
22 -40.6 M
(framework is independent of specific cryptographic primitives. ) S
11 -51.2 M
gsave
0 setgray
newpath
11.0 -51.170002 2.75 0 360 arc
closepath
fill
grestore
22 -54.8 M
gsave
newpath
22 -55.9 M
46.7382812 0 RL
stroke
grestore
2.85351562 0 32 0 0 (Section\24011) A
[/Rect [21.0 -57.5500031 69.7382812 -45.4500046] /Subtype /Link /Border [0 0 0] /Dest /75 /ANN pdfmark
2.85351562 0 32 0 0 ( describes properties needed for cryptographic algorithms used with this protocol) A
22 -68 M
3.65201831 0 32 0 0 (framework, and defines a few functions which will be shared among such cryptographic) A
22 -81.2 M
(algorithms. ) S
11 -91.8 M
gsave
0 setgray
newpath
11.0 -91.77 2.75 0 360 arc
closepath
fill
grestore
22 -95.4 M
(The sections after that contain general normative and informative information about the protocol. ) S
11 -106 M
gsave
0 setgray
newpath
11.0 -105.969994 2.75 0 360 arc
closepath
fill
grestore
22 -109.6 M
(The appendices contain some information that may help developers to implement the ) S
(protocol.) S
0 -133.8 M
(In addition, there are two companion documents which are referred from/related to this specification: ) S
11 -154.4 M
gsave
0 setgray
newpath
11.0 -154.37 2.75 0 360 arc
closepath
fill
grestore
22 -158 M
gsave
newpath
22 -159.1 M
143.222656 0 RL
stroke
grestore
0.778515637 0 32 0 0 ([I-D.oiwa-http-mutualauth-algo]) A
[/Rect [21.0 -160.749985 166.222656 -148.649979] /Subtype /Link /Border [0 0 0] /Dest /107 /ANN pdfmark
0.778515637 0 32 0 0 (: defines a cryptographic primitives which can be used with this) A
22 -171.2 M
0.678222656 0 32 0 0 (protocol framework. [draft note: it is separated so that it may be replaced with another crypto in) A
22 -184.4 M
(future. We need at least one example for testing/implementing this protocol, so here it is.] ) S
11 -195 M
gsave
0 setgray
newpath
11.0 -194.969986 2.75 0 360 arc
closepath
fill
grestore
22 -198.6 M
gsave
newpath
22 -199.7 M
135.890625 0 RL
stroke
grestore
3.71054697 0 32 0 0 ([I-D.oiwa-http-auth-extension]) A
[/Rect [21.0 -201.349976 158.890625 -189.249969] /Subtype /Link /Border [0 0 0] /Dest /106 /ANN pdfmark
3.71054697 0 32 0 0 (: defines a small but useful extensions to the current HTTP) A
22 -211.8 M
2.5951705 0 32 0 0 (authentication framework so that it can support application-level semantics of existing Web ) A
22 -225 M
(systems.) S
0 -236 M
[/View [/XYZ -4 521.0 null] /Dest /26 /DEST pdfmark
0 -236 M
[/View [/XYZ -4 521.0 null] /Dest /27 /DEST pdfmark
0 -255 M
%%IncludeResource: font Times-Bold
15 2 Nf
(2.) S
[/View [/XYZ -4 520.0 null] /Dest /169 /DEST pdfmark
( Protocol ) S
(Overview) S
0 -279.2 M
11 0 Nf
6.85909605 0 32 0 0 (The protocol, as a whole, is designed as a natural extension to the ) A
gsave
newpath
380.2 -280.3 M
37.101284 0 RL
stroke
grestore
6.85909605 0 32 0 0 (HTTP ) A
gsave
newpath
417.3 -280.3 M
36.6523438 0 RL
stroke
grestore
6.85909605 0 32 0 0 (protocol) A
[/Rect [379.199219 -281.949982 454.949219 -269.849976] /Subtype /Link /Border [0 0 0] /Dest /104 /ANN pdfmark
0 -292.4 M
0.330078125 0 32 0 0 ([I-D.ietf-httpbis-p1-messaging] using a framework defined in ) A
gsave
newpath
275.3 -293.5 M
110.84375 0 RL
stroke
grestore
0.330078125 0 32 0 0 ([I-D.ietf-httpbis-p7-auth]) A
[/Rect [274.296875 -295.15 387.140625 -283.05] /Subtype /Link /Border [0 0 0] /Dest /105 /ANN pdfmark
0.330078125 0 32 0 0 (. Internally, the) A
0 -305.6 M
0.908691406 0 32 0 0 (server and the client will first perform a cryptographic key exchange, using the secret password as a) A
0 -318.8 M
0.269775391 0 32 0 0 ("tweak" to the exchange. The key-exchange will only succeed when the secrets used by the both peers) A
0 -332 M
3.06891751 0 32 0 0 (are correctly related \(i.e. generated from the same password\). Then, both peers will verify the) A
0 -345.2 M
0.948939741 0 32 0 0 (authentication results by confirming the sharing of the exchanged key. This section describes a brief) A
0 -358.4 M
(image of the protocol and the exchanged messages. ) S
0 -369.4 M
[/View [/XYZ -4 387.599945 null] /Dest /28 /DEST pdfmark
0 -369.4 M
[/View [/XYZ -4 387.599945 null] /Dest /29 /DEST pdfmark
0 -385 M
13 2 Nf
(2.1.) S
[/View [/XYZ -4 387.599945 null] /Dest /170 /DEST pdfmark
( Messages ) S
(Overview) S
0 -409.2 M
11 0 Nf
1.71647131 0 32 0 0 (The authentication protocol uses seven kinds of messages to perform mutual authentication. These) A
0 -422.4 M
(messages have specific names within this specification. ) S
11 -443 M
gsave
0 setgray
newpath
11.0 -442.970093 2.75 0 360 arc
closepath
fill
grestore
22 -446.6 M
4.54166651 0 32 0 0 (Authentication request messages: used by the servers to request clients to start mutual) A
22 -459.8 M
(authentication. ) S
33 -470.4 M
gsave
0 setgray
newpath
33.0 -470.370117 2.75 0 360 arc
closepath
stroke
grestore
44 -474 M
0.213281244 0 32 0 0 (401-INIT message: a general message to start the authentication protocol. It is also used as a) A
44 -487.2 M
(message indicating an authentication failure. ) S
33 -497.8 M
gsave
0 setgray
newpath
33.0 -497.770142 2.75 0 360 arc
closepath
stroke
grestore
44 -501.4 M
4.9625 0 32 0 0 (200-Optional-INIT message: a variant of the 401-INIT message indicating that an) A
44 -514.6 M
(authentication is not mandatory. ) S
33 -525.2 M
gsave
0 setgray
newpath
33.0 -525.170166 2.75 0 360 arc
closepath
stroke
grestore
44 -528.8 M
(401-STALE message: a message indicating that it has to start a new authentication ) S
(trial.) S
11 -539.4 M
gsave
0 setgray
newpath
11.0 -539.370178 2.75 0 360 arc
closepath
fill
grestore
22 -543 M
2.14908862 0 32 0 0 (Authenticated key exchange messages: used by both peers to perform authentication and the) A
22 -556.2 M
(sharing of a cryptographic secret. ) S
33 -566.8 M
gsave
0 setgray
newpath
33.0 -566.770203 2.75 0 360 arc
closepath
stroke
grestore
44 -570.4 M
(req-KEX-C1 message: a message sent from the client. ) S
33 -581 M
gsave
0 setgray
newpath
33.0 -580.970215 2.75 0 360 arc
closepath
stroke
grestore
44 -584.6 M
2.43149042 0 32 0 0 (401-KEX-S1 message: a message sent from the server as a response to a req-KEX-C1 ) A
44 -597.8 M
(message.) S
11 -608.4 M
gsave
0 setgray
newpath
11.0 -608.370239 2.75 0 360 arc
closepath
fill
grestore
22 -612 M
(Authentication verification messages: used by both peers to verify the authentication results. ) S
33 -622.6 M
gsave
0 setgray
newpath
33.0 -622.570251 2.75 0 360 arc
closepath
stroke
grestore
44 -626.2 M
1.00488281 0 32 0 0 (req-VFY-C message: a message used by the client, requesting that the server authenticates) A
44 -639.4 M
(and authorizes the client. ) S
33 -650 M
gsave
0 setgray
newpath
33.0 -649.970276 2.75 0 360 arc
closepath
stroke
grestore
44 -653.6 M
1.27854562 0 32 0 0 (200-VFY-S message: a successful response used by the server, and also asserting that the) A
44 -666.8 M
(server is authentic to the client ) S
(simultaneously.) S
0 -666.8 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 7 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 8 8
%%PageResources: font Times-Roman Times-Bold Courier Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.87706804 0 32 0 0 (In addition to the above, either a request or a response without any HTTP headers related to this) A
0 -26.4 M
(specification will be hereafter called a "normal request" or a "normal response", respectively. ) S
0 -37.4 M
[/View [/XYZ -4 719.6 null] /Dest /30 /DEST pdfmark
0 -37.4 M
[/View [/XYZ -4 719.6 null] /Dest /31 /DEST pdfmark
0 -53 M
%%IncludeResource: font Times-Bold
13 2 Nf
(2.2.) S
[/View [/XYZ -4 719.6 null] /Dest /171 /DEST pdfmark
( Typical Flows of the ) S
(Protocol) S
0 -77.2 M
11 0 Nf
0.602294922 0 32 0 0 (In typical cases, the client access to a resource protected by the Mutual authentication will follow the) A
0 -90.4 M
(following protocol ) S
(sequence.) S
0 -101.4 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -112.4 M
[/View [/XYZ -4 644.6 null] /Dest /32 /DEST pdfmark
0 -123.2 M
%%IncludeResource: font Courier
9.0 4 Nf
( Client Server) S
0 -134 M
( | |) S
0 -144.8 M
( | ---- \(1\) normal request ---------> |) S
0 -155.6 M
( GET / HTTP/1.1 |) S
0 -166.4 M
( | |) S
0 -177.2 M
( | <---------------- \(2\) 401-INIT --- |) S
0 -188 M
( | 401 Authentication Required) S
0 -198.8 M
( | WWW-Authenticate: Mutual realm="a realm") S
0 -209.6 M
( | |) S
0 -220.4 M
([user, | |) S
0 -231.2 M
( pass]-->| |) S
0 -242 M
( | ---- \(3\) req-KEX-C1 -------------> |) S
0 -252.8 M
( GET / HTTP/1.1 |) S
0 -263.6 M
( Authorization: Mutual user="john", |--> [user DB]) S
0 -274.4 M
( kc1="...", ... |<-- [user info]) S
0 -285.2 M
( | |) S
0 -296 M
( | <-------------- \(4\) 401-KEX-S1 --- |) S
0 -306.8 M
( | 401 Authentication Required) S
0 -317.6 M
( | WWW-Authenticate: Mutual sid=..., ks1="...", ...) S
0 -328.4 M
( | |) S
0 -339.2 M
( [compute] \(5\) compute session secret [compute]) S
0 -350 M
( | |) S
0 -360.8 M
( | |) S
0 -371.6 M
( | ---- \(6\) req-VFY-C --------------> |) S
0 -382.4 M
( GET / HTTP/1.1 |--> [verify \(6\)]) S
0 -393.2 M
( Authorization: Mutual sid=..., |<-- OK) S
0 -404 M
( vkc="...", ... |) S
0 -414.8 M
( | |) S
0 -425.6 M
( | <--------------- \(7\) 200-VFY-S --- |) S
0 -436.4 M
([verify | 200 OK |) S
0 -447.2 M
( \(7\)]<--| Authentication-Info: Mutual vks="...") S
0 -458 M
( | |) S
0 -468.8 M
( v v) S
119.2 -491.7 M
7.63889 2 Nf
(\240Figure\2401: Typical communication flow for first access to ) S
(resource\240) S
0 -505.6 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
11 -526.2 M
gsave
0 setgray
newpath
11.0 -526.218445 2.75 0 360 arc
closepath
fill
grestore
22 -529.8 M
11 0 Nf
1.02026367 0 32 0 0 (As usual in general HTTP protocol designs, a client will at first request a resource without any) A
22 -543 M
0.176682696 0 32 0 0 (authentication attempt \(1\). If the requested resource is protected by the Mutual authentication, the) A
22 -556.2 M
(server will respond with a message requesting authentication \(401-INIT\) \(2\). ) S
11 -566.8 M
gsave
0 setgray
newpath
11.0 -566.818481 2.75 0 360 arc
closepath
fill
grestore
22 -570.4 M
0.360814154 0 32 0 0 (The client processes the body of the message, and waits for the user to input the user name and a) A
22 -583.6 M
0.0629595593 0 32 0 0 (password. If the user name and the password are available, the client will send a message with the) A
22 -596.8 M
(authenticated key exchange \(req-KEX-C1\) to start the authentication \(3\). ) S
11 -607.4 M
gsave
0 setgray
newpath
11.0 -607.418518 2.75 0 360 arc
closepath
fill
grestore
22 -611 M
1.08203125 0 32 0 0 (If the server has received a req-KEX-C1 message, the server looks up the user's authentication) A
22 -624.2 M
1.34291291 0 32 0 0 (information within its user database. Then the server creates a new session identifier \(sid\) that) A
22 -637.4 M
1.33616734 0 32 0 0 (will be used to identify sets of the messages that follow it, and responds back with a message) A
22 -650.6 M
(containing a server-side authenticated key exchange value \(401-KEX-S1\) \(4\). ) S
11 -661.2 M
gsave
0 setgray
newpath
11.0 -661.218567 2.75 0 360 arc
closepath
fill
grestore
22 -664.8 M
0.421630859 0 32 0 0 (At this point \(5\), both peers calculate a shared "session secret" using the exchanged values in the) A
22 -664.8 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 8 -) S
0 setgray
44 -8 M
grestore
pgsave restore N
%%Page: 9 9
%%PageResources: font Times-Roman Times-Bold Courier Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
22 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.29827011 0 32 0 0 (key exchange messages. Only when both the server and the client have used secret credentials) A
22 -13.2 M
0.997528613 0.997528613 scale
0.0 -13.2 RM
11 0 Nf
(generated from the same password will the session secret values match. This session secret will be) S
1.00247753 1.00247753 scale
22 -39.6 M
(used for the actual access authentication after this point. ) S
11 -50.1 M
gsave
0 setgray
newpath
11.0 -50.1373825 2.75 0 360 arc
closepath
fill
grestore
22 -53.8 M
0.013521635 0 32 0 0 (The client will send a request with a client-side authentication verification value \(req-VFY-C\) \(6\),) A
22 -53.8 M
0.980312526 0.980312526 scale
0.0 -13.2 RM
(generated from the client-owned session secret. The server will check the validity of the verification) S
1.02008283 1.02008283 scale
22 -79.9 M
(value using its own session secret. ) S
11 -90.5 M
gsave
0 setgray
newpath
11.0 -90.4775162 2.75 0 360 arc
closepath
fill
grestore
22 -94.1 M
2.69614959 0 32 0 0 (If the authentication verification value from the client was correct, it means that the client) A
22 -107.3 M
2.45572925 0 32 0 0 (definitely owns the credential based on the expected password \(i.e. the client authentication) A
22 -107.3 M
0.955752254 0.955752254 scale
0.0 -13.2 RM
(succeeded.\) The server will respond with a successful message \(200-VFY-S\) \(7\). Contrary to the usual) S
1.04629624 1.04629624 scale
22 -119.9 M
0.974087059 0.974087059 scale
0.0 -13.2 RM
(one-way authentication \(e.g. HTTP Basic authentication or POP APOP authentication\), this message) S
1.02660227 1.02660227 scale
22 -146 M
(also contains a server-side authentication verification value. ) S
22 -159.2 M
1.8483665 0 32 0 0 (When the client's verification value is incorrect \(e.g.\240because the user-supplied password was) A
22 -159.2 M
0.986442089 0.986442089 scale
0.0 -13.2 RM
(incorrect\), the server will respond with the 401-INIT message \(the same one as used in \(2\)\) instead. ) S
1.01374424 1.01374424 scale
11 -182.8 M
gsave
0 setgray
newpath
11.0 -182.77243 2.75 0 360 arc
closepath
fill
grestore
22 -186.4 M
2.40625 0 32 0 0 (The client MUST first check the validity of the server-side authentication verification value) A
22 -199.6 M
0.162841797 0 32 0 0 (contained in the message \(7\). If the value was equal to the expected one, the server authentication) A
22 -212.8 M
(succeeded. ) S
22 -226 M
0.90625 0 32 0 0 (If it is not the value expected, or if the message does not contain the authentication verification) A
22 -226 M
0.96025 0.96025 scale
0.0 -13.2 RM
(value, it means that the mutual authentication has been broken for some unexpected reason. The client) S
1.04139543 1.04139543 scale
22 -238.7 M
0.996737421 0.996737421 scale
0.0 -13.2 RM
(MUST\240NOT process any body or header values contained in this case. \(Note: This case should not) S
1.00327325 1.00327325 scale
22 -265 M
(happen between a correctly-implemented server and a client.\) ) S
0 -276 M
[/View [/XYZ -4 480.965332 null] /Dest /33 /DEST pdfmark
0 -276 M
[/View [/XYZ -4 480.965332 null] /Dest /34 /DEST pdfmark
0 -291.6 M
%%IncludeResource: font Times-Bold
13 2 Nf
(2.3.) S
[/View [/XYZ -4 480.965332 null] /Dest /172 /DEST pdfmark
( Alternative ) S
(Flows) S
0 -315.8 M
11 0 Nf
0.0571986623 0 32 0 0 (As shown above, the typical flow for a first authenticated request requires three request-response pairs.) A
0 -329 M
1.75330532 0 32 0 0 (To reduce the protocol overhead, the protocol enables several short-cut flows which require fewer ) A
0 -342.2 M
(messages.) S
11 -362.8 M
gsave
0 setgray
newpath
11.0 -362.804718 2.75 0 360 arc
closepath
fill
grestore
22 -366.4 M
1.51855469 0 32 0 0 (\(case A\) If the client knows that the resource is likely to require the authentication, the client) A
22 -379.6 M
4.54199219 0 32 0 0 (MAY omit the first unauthenticated request \(1\) and immediately send a key exchange) A
22 -392.8 M
(\(req-KEX-C1 message\). This will reduce one round-trip of messages. ) S
11 -403.4 M
gsave
0 setgray
newpath
11.0 -403.404755 2.75 0 360 arc
closepath
fill
grestore
22 -407 M
0.099724263 0 32 0 0 (\(case B\) If both the client and the server previously shared a session secret associated with a valid) A
22 -420.2 M
1.46664667 0 32 0 0 (session identifier \(sid\), the client MAY directly send a req-VFY-C message using the existing) A
22 -433.4 M
1.87076819 0 32 0 0 (session identifier and corresponding session secret. This will further reduce one round-trip of) A
22 -446.6 M
(messages. ) S
22 -459.8 M
0.028645834 0 32 0 0 (In such cases, the server MAY have thrown out the corresponding sessions from the session table.) A
22 -473 M
0.558854163 0 32 0 0 (In this case, the server will respond with a 401-STALE message, indicating a new key exchange) A
22 -486.2 M
(is required. The client SHOULD retry constructing a req-KEX-C1 message in this case. ) S
0 -510.4 M
gsave
newpath
0 -511.5 M
36.9609375 0 RL
stroke
grestore
6.4268465 0 32 0 0 (Figure\2402) A
[/Rect [-1.0 -513.184814 37.9609375 -501.084839] /Subtype /Link /Border [0 0 0] /Dest /35 /ANN pdfmark
6.4268465 0 32 0 0 ( depicts the shortcut flows described above. Under the appropriate settings and) A
0 -523.6 M
0.0473632812 0 32 0 0 (implementations, most of the requests to resources are expected to meet both the criteria, and thus only) A
0 -536.8 M
(one round-trip of request/responses will be required in most cases. ) S
0 -547.8 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -558.8 M
[/View [/XYZ -4 198.165161 null] /Dest /35 /DEST pdfmark
0 -569.6 M
%%IncludeResource: font Courier
9.0 4 Nf
( \(A\) omit first request) S
0 -580.4 M
( \(2 round trips\)) S
0 -602 M
( Client Server) S
0 -612.8 M
( | |) S
0 -623.6 M
( | --- req-KEX-C1 ----> |) S
0 -634.4 M
( | |) S
0 -645.2 M
( | <---- 401-KEX-S1 --- |) S
0 -656 M
( | |) S
0 -666.8 M
( | ---- req-VFY-C ----> |) S
0 -666.8 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 9 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 10 10
%%PageResources: font Times-Roman Times-Bold Courier Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -10.8 M
%%IncludeResource: font Courier
9.0 4 Nf
( | |) S
0 -21.6 M
9.0 4 Nf
( | <----- 200-VFY-S --- |) S
0 -32.4 M
( | |) S
0 -64.8 M
( \(B\) reusing session secret) S
0 -86.4 M
( \(B-1\) key available \(B-2\) key expired) S
0 -97.2 M
( \(1 round trip\) \(3 round trips\)) S
0 -118.8 M
( Client Server Client Server) S
0 -129.6 M
( | | | |) S
0 -140.4 M
( | ---- req-VFY-C ----> | | --- req-VFY-C -------> |) S
0 -151.2 M
( | | | |) S
0 -162 M
( | <----- 200-VFY-S --- | | <------- 401-STALE --- |) S
0 -172.8 M
( | | | |) S
0 -183.6 M
( | --- req-KEX-C1 ------> |) S
0 -194.4 M
( | |) S
0 -205.2 M
( | <------ 401-KEX-S1 --- |) S
0 -216 M
( | |) S
0 -226.8 M
( | --- req-VFY-C -------> |) S
0 -237.6 M
( | |) S
0 -248.4 M
( | <------- 200-VFY-S --- |) S
0 -259.2 M
( | |) S
149.6 -282.1 M
%%IncludeResource: font Times-Bold
7.63889 2 Nf
(\240Figure\2402: Several alternative flows on ) S
(protocol\240) S
0 -296 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -320.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(For more details, see Sections ) S
gsave
newpath
134.4 -321.3 M
5.5 0 RL
stroke
grestore
(9) S
[/Rect [133.386719 -322.998657 140.886719 -310.898651] /Subtype /Link /Border [0 0 0] /Dest /70 /ANN pdfmark
( and ) S
gsave
newpath
161.3 -321.3 M
11.0 0 RL
stroke
grestore
(10) S
[/Rect [160.269531 -322.998657 173.269531 -310.898651] /Subtype /Link /Border [0 0 0] /Dest /73 /ANN pdfmark
(. ) S
0 -331.2 M
[/View [/XYZ -4 425.751343 null] /Dest /36 /DEST pdfmark
0 -331.2 M
[/View [/XYZ -4 425.751343 null] /Dest /37 /DEST pdfmark
0 -350.2 M
15 2 Nf
(3.) S
[/View [/XYZ -4 424.751343 null] /Dest /173 /DEST pdfmark
( Message ) S
(Syntax) S
0 -374.4 M
11 0 Nf
0.806490362 0 32 0 0 (Throughout this specification, The syntax is denoted in the extended augmented BNF syntax defined) A
0 -387.6 M
5.54730892 0 32 0 0 (in ) A
gsave
newpath
16.9 -388.7 M
138.335938 0 RL
stroke
grestore
5.54730892 0 32 0 0 ([I-D.ietf-httpbis-p1-messaging]) A
[/Rect [15.8515625 -390.398682 156.1875 -378.298676] /Subtype /Link /Border [0 0 0] /Dest /104 /ANN pdfmark
5.54730892 0 32 0 0 ( and ) A
gsave
newpath
187.7 -388.7 M
50.1054688 0 RL
stroke
grestore
5.54730892 0 32 0 0 ([RFC5234]) A
[/Rect [186.664062 -390.398682 238.769531 -378.298676] /Subtype /Link /Border [0 0 0] /Dest /112 /ANN pdfmark
5.54730892 0 32 0 0 (. The following elements are quoted from ) A
0 -400.8 M
gsave
newpath
0 -401.9 M
50.1054688 0 RL
stroke
grestore
4.91210938 0 32 0 0 ([RFC5234]) A
[/Rect [-1.0 -403.598694 51.1054688 -391.498688] /Subtype /Link /Border [0 0 0] /Dest /112 /ANN pdfmark
4.91210938 0 32 0 0 (, ) A
gsave
newpath
60.5 -401.9 M
138.335938 0 RL
stroke
grestore
4.91210938 0 32 0 0 ([I-D.ietf-httpbis-p1-messaging]) A
[/Rect [59.515625 -403.598694 199.851562 -391.498688] /Subtype /Link /Border [0 0 0] /Dest /104 /ANN pdfmark
4.91210938 0 32 0 0 ( and ) A
gsave
newpath
230.1 -401.9 M
110.84375 0 RL
stroke
grestore
4.91210938 0 32 0 0 ([I-D.ietf-httpbis-p7-auth]) A
[/Rect [229.054688 -403.598694 341.898438 -391.498688] /Subtype /Link /Border [0 0 0] /Dest /105 /ANN pdfmark
4.91210938 0 32 0 0 (: DIGIT, ALPHA, SP,) A
0 -414 M
(auth-scheme, quoted-string, auth-param, header-field, token, challenge, and ) S
(credential.) S
0 -438.2 M
0.708451688 0 32 0 0 (The Mutual authentication protocol uses three headers: WWW-Authenticate \(in responses with status) A
0 -451.4 M
1.15722656 0 32 0 0 (code 401\), Authorization \(in requests\), and Authentication-Info \(in responses other than 401 status\).) A
0 -464.6 M
3.01210928 0 32 0 0 (These headers follow a common framework described in ) A
gsave
newpath
277 -465.7 M
110.84375 0 RL
stroke
grestore
3.01210928 0 32 0 0 ([I-D.ietf-httpbis-p7-auth]) A
[/Rect [275.964844 -467.398743 388.808594 -455.298737] /Subtype /Link /Border [0 0 0] /Dest /105 /ANN pdfmark
3.01210928 0 32 0 0 (. The detailed) A
0 -477.8 M
(meanings for these headers are contained in ) S
gsave
newpath
195.1 -478.9 M
41.2382812 0 RL
stroke
grestore
(Section\2404) S
[/Rect [194.144531 -480.598755 237.382812 -468.498749] /Subtype /Link /Border [0 0 0] /Dest /48 /ANN pdfmark
(. ) S
0 -502 M
1.70039058 0 32 0 0 (The framework in ) A
gsave
newpath
87.2 -503.1 M
110.84375 0 RL
stroke
grestore
1.70039058 0 32 0 0 ([I-D.ietf-httpbis-p7-auth]) A
[/Rect [86.2460938 -504.798767 199.089844 -492.698761] /Subtype /Link /Border [0 0 0] /Dest /105 /ANN pdfmark
1.70039058 0 32 0 0 ( defines the syntax for the headers WWW-Authenticate) A
0 -515.2 M
5.98007822 0 32 0 0 (and Authorization as the syntax elements "challenge" and "credentials", respectively. The) A
0 -528.4 M
0.879261374 0 32 0 0 ("auth-scheme" contained in those headers MUST be "Mutual" throughout this protocol specification.) A
0 -541.6 M
1.36077011 0 32 0 0 (The syntax for "challenge" and "credentials" to be used with the "Mutual" auth-scheme SHALL be) A
0 -554.8 M
(name-value pairs \(#auth-param\), not the "b64token" defined in ) S
gsave
newpath
279.3 -555.9 M
110.84375 0 RL
stroke
grestore
([I-D.ietf-httpbis-p7-auth]) S
[/Rect [278.257812 -557.598816 391.101562 -545.49884] /Subtype /Link /Border [0 0 0] /Dest /105 /ANN pdfmark
(. ) S
0 -579 M
1.66741073 0 32 0 0 (The Authentication-Info: header used in this protocol SHALL contain the value in same syntax as) A
0 -592.2 M
(those the "WWW-Authenticate" header, i.e. the "challenge" syntax element. ) S
0 -616.4 M
5.98366499 0 32 0 0 (In HTTP, the WWW-Authenticate header may contain more than one challenges. Client) A
0 -629.6 M
(implementations SHOULD be aware of and be capable of handle those cases correctly. ) S
0 -629.6 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 10 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 11 11
%%PageResources: font Times-Roman Times-Bold Courier Courier-Oblique Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /38 /DEST pdfmark
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /39 /DEST pdfmark
0 -15.6 M
%%IncludeResource: font Times-Bold
13 2 Nf
(3.1.) S
[/View [/XYZ -4 757.0 null] /Dest /174 /DEST pdfmark
( ) S
(Values) S
0 -39.8 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.18489587 0 32 0 0 (The parameter values contained in challenge/credentials MUST be parsed strictly conforming to the) A
0 -53 M
0.739483178 0 32 0 0 (HTTP semantics \(especially un-quoting of the string parameter values\). In this protocol, those values) A
0 -66.2 M
0.370768219 0 32 0 0 (are further categorized into the following value types: tokens \(bare-token and extensive-token\), string,) A
0 -79.4 M
(integer, hex-fixed-number, and ) S
(base64-fixed-number.) S
0 -103.6 M
2.53417969 0 32 0 0 (For clarity, implementations are encouraged to use the canonical representations specified in the) A
0 -116.8 M
2.45205975 0 32 0 0 (following subsections for sending values. Recipients SHOULD accept both quoted and unquoted) A
0 -130 M
(representations interchangeably as specified in ) S
(HTTP.) S
0 -141 M
[/View [/XYZ -4 616.0 null] /Dest /40 /DEST pdfmark
0 -141 M
[/View [/XYZ -4 616.0 null] /Dest /41 /DEST pdfmark
0 -156.6 M
13 2 Nf
(3.1.1.) S
[/View [/XYZ -4 616.0 null] /Dest /175 /DEST pdfmark
( ) S
(Tokens) S
0 -180.8 M
11 0 Nf
3.21623874 0 32 0 0 (For sustaining both security and extensibility at the same time, this protocol defines a stricter) A
0 -194 M
1.90324521 0 32 0 0 (sub-syntax for the "token" to be used. The extensive-token values SHOULD follow the following) A
0 -207.2 M
(syntax \(after HTTP value parsing\): ) S
0 -218.2 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -229.2 M
[/View [/XYZ -4 527.8 null] /Dest /42 /DEST pdfmark
0 -240 M
%%IncludeResource: font Courier
9.0 4 Nf
( ) S
%%IncludeResource: font Courier-Oblique
9.0 5 Nf
(bare-token) S
9.0 4 Nf
( = 1*\() S
9.0 5 Nf
(DIGIT) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(ALPHA) S
9.0 4 Nf
( / "-" / "_"\)) S
0 -250.8 M
9.0 4 Nf
( ) S
9.0 5 Nf
(extension-token) S
9.0 4 Nf
( = "-" ) S
9.0 5 Nf
(bare-token) S
9.0 4 Nf
( 1*\("." ) S
9.0 5 Nf
(bare-token) S
9.0 4 Nf
(\)) S
0 -261.6 M
9.0 4 Nf
( ) S
9.0 5 Nf
(extensive-token) S
9.0 4 Nf
( = ) S
9.0 5 Nf
(bare-token) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(extension-token) S
163 -284.5 M
7.63889 2 Nf
(\240Figure\2403: BNF syntax for token ) S
(values\240) S
0 -298.4 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -322.6 M
11 0 Nf
1.79459631 0 32 0 0 (The tokens \(bare-token and extension-token\) are case insensitive; Senders SHOULD send these in) A
0 -335.8 M
2.85787249 0 32 0 0 (lower-case, and receivers MUST accept both upper- and lower-cases. When tokens are used as) A
0 -349 M
(\(partial\) inputs to any hash or other mathematical functions, it MUST always be used in lower-case. ) S
0 -373.2 M
4.59314919 0 32 0 0 (Extensive-tokens are used in this protocol where the set of acceptable tokens may include) A
0 -386.4 M
6.2718749 0 32 0 0 (non-standard extensions. Any non-standard extensions of this protocol SHOULD use the) A
0 -399.6 M
1.95800781 0 32 0 0 (extension-tokens with format "-<bare-token>.<domain-name>", where <domain-name> is a validly) A
0 -412.8 M
(registered \(sub-\)domain name on the Internet owned by the party who defines the extensions. ) S
0 -437 M
0.296596 0 32 0 0 (Bare-tokens and extensive-tokens are also used for parameter names \(of course in the unquoted form\).) A
0 -450.2 M
(Requirements for using the extension-token for the parameter names are the same as the ) S
(above.) S
0 -474.4 M
(The canonical format for bare-tokens and tokens are unquoted ) S
(tokens.) S
0 -485.4 M
[/View [/XYZ -4 271.55127 null] /Dest /43 /DEST pdfmark
0 -485.4 M
[/View [/XYZ -4 271.55127 null] /Dest /44 /DEST pdfmark
0 -501 M
13 2 Nf
(3.1.2.) S
[/View [/XYZ -4 271.55127 null] /Dest /176 /DEST pdfmark
( ) S
(Strings) S
0 -525.2 M
11 0 Nf
2.47836542 0 32 0 0 (All character strings outside ASCII character sets MUST be encoded using the ) A
gsave
newpath
378.5 -526.3 M
35.1619606 0 RL
stroke
grestore
2.47836542 0 32 0 0 (UTF-8 ) A
gsave
newpath
413.7 -526.3 M
40.3203125 0 RL
stroke
grestore
2.47836542 0 32 0 0 (encoding) A
[/Rect [377.496094 -527.998718 454.976562 -515.898743] /Subtype /Link /Border [0 0 0] /Dest /109 /ANN pdfmark
0 -538.4 M
3.7858665 0 32 0 0 ([RFC3629] for the ) A
gsave
newpath
96 -539.5 M
114.27166 0 RL
stroke
grestore
3.7858665 0 32 0 0 (ISO 10646-1 character ) A
gsave
newpath
210.2 -539.5 M
12.2148438 0 RL
stroke
grestore
3.7858665 0 32 0 0 (set) A
[/Rect [94.96875 -541.19873 223.453125 -529.098755] /Subtype /Link /Border [0 0 0] /Dest /116 /ANN pdfmark
3.7858665 0 32 0 0 ( [ISO.10646-1.1993], without any leading BOM) A
0 -551.6 M
0.481670678 0 32 0 0 (characters. Both peers are RECOMMENDED to reject any invalid UTF-8 sequences that might cause) A
0 -564.8 M
3.49302459 0 32 0 0 (decoding ambiguities \(e.g., containing <"> in the second or later byte of the UTF-8 encoded) A
0 -578 M
(characters\). ) S
0 -602.2 M
1.0703125 0 32 0 0 (If strings are representing a domain name or URI that contains non-ASCII characters, the host parts) A
0 -615.4 M
0.763327181 0 32 0 0 (SHOULD be encoded as it is used in the HTTP protocol layer \(e.g.\240in a Host: header\); under current) A
0 -628.6 M
(standards it will be the one defined in ) S
gsave
newpath
168 -629.7 M
50.1054688 0 RL
stroke
grestore
([RFC5890]) S
[/Rect [166.988281 -631.398804 219.09375 -619.298828] /Subtype /Link /Border [0 0 0] /Dest /122 /ANN pdfmark
(. It SHOULD use lower-case ASCII characters. ) S
0 -628.6 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 11 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 12 12
%%PageResources: font Times-Roman Times-Bold Courier Courier-Oblique Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(The canonical format for strings are ) S
(quoted-string.) S
0 -24.2 M
[/View [/XYZ -4 732.8 null] /Dest /45 /DEST pdfmark
0 -24.2 M
[/View [/XYZ -4 732.8 null] /Dest /46 /DEST pdfmark
0 -39.8 M
%%IncludeResource: font Times-Bold
13 2 Nf
(3.1.3.) S
[/View [/XYZ -4 732.8 null] /Dest /177 /DEST pdfmark
( ) S
(Numbers) S
0 -64 M
11 0 Nf
(The following syntax definitions gives a syntax for number-type ) S
(values:) S
0 -75 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -86 M
[/View [/XYZ -4 671.0 null] /Dest /47 /DEST pdfmark
0 -96.8 M
%%IncludeResource: font Courier
9.0 4 Nf
( ) S
%%IncludeResource: font Courier-Oblique
9.0 5 Nf
(integer) S
9.0 4 Nf
( = "0" / \(%x31-39 *) S
9.0 5 Nf
(DIGIT) S
9.0 4 Nf
(\) ) S
9.0 5 Nf
(; no leading zeros) S
0 -107.6 M
9.0 4 Nf
( ) S
9.0 5 Nf
(hex-fixed-number) S
9.0 4 Nf
( = 1*\(2\() S
9.0 5 Nf
(DIGIT) S
9.0 4 Nf
( / %x41-46 / %x61-66\)\)) S
0 -118.4 M
9.0 4 Nf
( ) S
9.0 5 Nf
(base64-fixed-number) S
9.0 4 Nf
( = 1*\( ) S
9.0 5 Nf
(ALPHA) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(DIGIT) S
9.0 4 Nf
( /) S
0 -129.2 M
( "-" / "." / "_" / "~" / "+" / "/" \) *"=") S
160.8 -152.1 M
7.63889 2 Nf
(\240Figure\2404: BNF syntax for number ) S
(types\240) S
0 -166 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -190.2 M
11 0 Nf
1.88560271 0 32 0 0 (The syntax definition of the integers only allows representations that do not contain extra leading) A
0 -203.4 M
(zeros. ) S
0 -227.6 M
1.58864188 0 32 0 0 (The numbers represented as a hex-fixed-number MUST include an even number of characters \(i.e.) A
0 -240.8 M
0.469029 0 32 0 0 (multiples of eight bits\). Those values are case-insensitive, and SHOULD be sent in lower-case. When) A
0 -254 M
0.591947138 0 32 0 0 (these values are generated from any cryptographic values, they SHOULD have their "natural length":) A
0 -267.2 M
1.36547852 0 32 0 0 (if these are generated from a hash function, these lengths SHOULD correspond to the hash size; if) A
0 -280.4 M
0.540625 0 32 0 0 (these are representing elements of a mathematical set \(or group\), its lengths SHOULD be the shortest) A
0 -293.6 M
0.241727948 0 32 0 0 (for representing all the elements in the set. For example, any results of SHA-256 hash function will be) A
0 -306.8 M
1.38560271 0 32 0 0 (represented by 64 characters, and any elements in 2048-bit prime field \(modulo a 2048-bit integer\)) A
0 -320 M
1.62706804 0 32 0 0 (will be represented by 512 characters, regardless of how much 0's will be appear in front of such) A
0 -333.2 M
1.20849609 0 32 0 0 (representations. Session-identifiers and other non-cryptographically generated values are represented) A
0 -346.4 M
0.024522569 0 32 0 0 (in any \(even\) length determined by the side who generates it first, and the same length SHALL be used) A
0 -359.6 M
(throughout the all communications by both peers. ) S
0 -383.8 M
0.0600961521 0 32 0 0 (The numbers represented as base64-fixed-number SHALL be generated as follows: first, the number is) A
0 -397 M
3.04352689 0 32 0 0 (converted to a big-endian radix-256 binary representation as an octet string. The length of the) A
0 -410.2 M
0.965625 0 32 0 0 (representation is determined in the same way as mentioned above. Then, the string is encoded using ) A
0 -423.4 M
gsave
newpath
0 -424.5 M
64.2542572 0 RL
stroke
grestore
3.39595175 0 32 0 0 (the Base 64 ) A
gsave
newpath
64.2 -424.5 M
40.3203125 0 RL
stroke
grestore
3.39595175 0 32 0 0 (encoding) A
[/Rect [-1.0 -426.198761 105.570312 -414.098755] /Subtype /Link /Border [0 0 0] /Dest /111 /ANN pdfmark
3.39595175 0 32 0 0 ( [RFC4648] without any spaces and newlines. Implementations decoding) A
0 -436.6 M
3.34548616 0 32 0 0 (base64-fixed-number SHOULD reject any input data with invalid characters, excess/insufficient) A
0 -449.8 M
(paddings, or non-canonical pad bits \(See Sections 3.1 to 3.5 of ) S
gsave
newpath
278 -450.9 M
50.1054688 0 RL
stroke
grestore
([RFC4648]) S
[/Rect [276.964844 -452.598785 329.070312 -440.498779] /Subtype /Link /Border [0 0 0] /Dest /111 /ANN pdfmark
(\). ) S
0 -474 M
5.2320962 0 32 0 0 (The canonical format for integer and hex-fixed-number are unquoted tokens, and that for) A
0 -487.2 M
(base64-fixed-number is ) S
(quoted-string.) S
0 -498.2 M
[/View [/XYZ -4 258.75119 null] /Dest /48 /DEST pdfmark
0 -498.2 M
[/View [/XYZ -4 258.75119 null] /Dest /49 /DEST pdfmark
0 -517.2 M
15 2 Nf
(4.) S
[/View [/XYZ -4 257.751221 null] /Dest /178 /DEST pdfmark
( ) S
(Messages) S
0 -541.4 M
11 0 Nf
0.961914062 0 32 0 0 (In this section we define the seven kinds of messages used in the authentication protocol along with) A
0 -554.6 M
(the formats and requirements of the headers for each message. ) S
0 -578.8 M
(To determine which message are expected to be sent, see Sections ) S
gsave
newpath
293.8 -579.9 M
5.5 0 RL
stroke
grestore
(9) S
[/Rect [292.800781 -581.598816 300.300781 -569.49884] /Subtype /Link /Border [0 0 0] /Dest /70 /ANN pdfmark
( and ) S
gsave
newpath
320.7 -579.9 M
11.0 0 RL
stroke
grestore
(10) S
[/Rect [319.683594 -581.598816 332.683594 -569.49884] /Subtype /Link /Border [0 0 0] /Dest /73 /ANN pdfmark
(.) S
0 -603 M
2.9432292 0 32 0 0 (In the descriptions below, the type of allowable values for each header parameter is shown in) A
0 -616.2 M
1.64737213 0 32 0 0 (parenthesis after each parameter name. The "algorithm-determined" type means that the acceptable) A
0 -629.4 M
0.506167769 0 32 0 0 (value for the parameter is one of the types defined in ) A
gsave
newpath
240.4 -630.5 M
41.2382812 0 RL
stroke
grestore
0.506167769 0 32 0 0 (Section\2403) A
[/Rect [239.394531 -632.198853 282.632812 -620.098877] /Subtype /Link /Border [0 0 0] /Dest /36 /ANN pdfmark
0.506167769 0 32 0 0 (, and is determined by the value of the) A
0 -642.6 M
0.0465494804 0 32 0 0 ("algorithm" parameter. The parameters marked "mandatory" SHALL be contained in the message. The) A
0 -655.8 M
2.75292969 0 32 0 0 (parameters marked "non-mandatory" MAY either be contained or omitted in the message. Each) A
0 -669 M
(parameter SHALL appear in each headers exactly once at most. ) S
0 -669 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 12 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 13 13
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.927884638 0 32 0 0 (All credentials and challenges MAY contain any parameters not explicitly specified in the following) A
0 -26.4 M
0.14993991 0 32 0 0 (sections. Recipients who do not understand such parameters MUST silently ignore those. However, all) A
0 -39.6 M
(credentials and challenges MUST meet the following ) S
(criteria:) S
11 -60.2 M
gsave
0 setgray
newpath
11.0 -60.170002 2.75 0 360 arc
closepath
fill
grestore
22 -63.8 M
0.453683048 0 32 0 0 (For responses, the parameters "reason", any "ks*" \(where * stands for any decimal integers\), and) A
22 -77 M
0.408854157 0 32 0 0 ("vks" are mutually exclusive: any challenge MUST\240NOT contain two or more parameters among) A
22 -90.2 M
(them. They MUST\240NOT contain any "kc*" and "vkc" parameters. ) S
11 -100.8 M
gsave
0 setgray
newpath
11.0 -100.77 2.75 0 360 arc
closepath
fill
grestore
22 -104.4 M
2.22154021 0 32 0 0 (For requests, the parameters "kc*" \(where * stands for any decimal integers\), and "vks" are) A
22 -117.6 M
0.417317718 0 32 0 0 (mutually exclusive and any challenge MUST\240NOT contain two or more parameters among them.) A
22 -130.8 M
(They MUST\240NOT contain any "ks*" and "vks" parameters. ) S
0 -141.8 M
[/View [/XYZ -4 615.2 null] /Dest /50 /DEST pdfmark
0 -141.8 M
[/View [/XYZ -4 615.2 null] /Dest /51 /DEST pdfmark
0 -157.4 M
%%IncludeResource: font Times-Bold
13 2 Nf
(4.1.) S
[/View [/XYZ -4 615.2 null] /Dest /179 /DEST pdfmark
( 401-INIT and ) S
(401-STALE) S
0 -181.6 M
11 0 Nf
3.64950275 0 32 0 0 (Every 401-INIT or 401-STALE message SHALL be a valid HTTP 401-status \(Authentication) A
0 -194.8 M
9.42226601 0 32 0 0 (Required\) message containing one \(and only one: hereafter not explicitly noticed\)) A
0 -208 M
3.81523442 0 32 0 0 ("WWW-Authenticate" header containing a "reason" parameter in the challenge. The challenge) A
0 -221.2 M
1.52974761 0 32 0 0 (SHALL contain all of the parameters marked "mandatory" below, and MAY contain those marked) A
0 -234.4 M
("non-mandatory". ) S
11 -258.6 M
(version: ) S
33 -271.8 M
3.60546875 0 32 0 0 (\(mandatory extensive-token\) should be the token "-draft11" in this specification. The) A
33 -285 M
(behavior is undefined when other values are specified. ) S
11 -298.2 M
(algorithm: ) S
33 -311.4 M
1.87656248 0 32 0 0 (\(mandatory extensive-token\) specifies the authentication algorithm to be used. The value) A
33 -324.6 M
5.11406231 0 32 0 0 (MUST be one of the tokens specified in ) A
gsave
newpath
252.3 -325.7 M
143.222656 0 RL
stroke
grestore
5.11406231 0 32 0 0 ([I-D.oiwa-http-mutualauth-algo]) A
[/Rect [251.285156 -327.350037 396.507812 -315.250031] /Subtype /Link /Border [0 0 0] /Dest /107 /ANN pdfmark
5.11406231 0 32 0 0 ( or other) A
33 -337.8 M
(supplemental specification documentation. ) S
11 -351 M
(validation: ) S
33 -364.2 M
1.34339488 0 32 0 0 (\(mandatory extensive-token\) specifies the method of host validation. The value MUST be) A
33 -377.4 M
2.42818499 0 32 0 0 (one of the tokens described in ) A
gsave
newpath
181.9 -378.5 M
41.2382812 0 RL
stroke
grestore
2.42818499 0 32 0 0 (Section\2407) A
[/Rect [180.945312 -380.150085 224.183594 -368.050079] /Subtype /Link /Border [0 0 0] /Dest /66 /ANN pdfmark
2.42818499 0 32 0 0 (, or the tokens specified in other supplemental) A
33 -390.6 M
(specification documentation. ) S
11 -403.8 M
(auth-domain: ) S
33 -417 M
1.41015625 0 32 0 0 (\(non-mandatory string\) specifies the authentication domain, the set of hosts for which the) A
33 -430.2 M
0.424107134 0 32 0 0 (authentication credentials are valid. It MUST be one of the strings described in ) A
gsave
newpath
388.5 -431.3 M
41.2382812 0 RL
stroke
grestore
0.424107134 0 32 0 0 (Section\2405) A
[/Rect [387.488281 -432.950134 430.726562 -420.850128] /Subtype /Link /Border [0 0 0] /Dest /60 /ANN pdfmark
0.424107134 0 32 0 0 (. If) A
33 -443.4 M
(the value is omitted, it is assumed to be the "single-port" type domain in ) S
gsave
newpath
353.2 -444.5 M
41.2382812 0 RL
stroke
grestore
(Section\2405) S
[/Rect [352.230469 -446.150146 395.46875 -434.05014] /Subtype /Link /Border [0 0 0] /Dest /60 /ANN pdfmark
(. ) S
11 -456.6 M
(realm: ) S
33 -469.8 M
1.43652344 0 32 0 0 (\(mandatory string\) is a UTF-8 encoded string representing the name of the authentication) A
33 -483 M
0.594140649 0 32 0 0 (realm inside the authentication domain. As specified in ) A
gsave
newpath
283 -484.1 M
110.84375 0 RL
stroke
grestore
0.594140649 0 32 0 0 ([I-D.ietf-httpbis-p7-auth]) A
[/Rect [282.007812 -485.750183 394.851562 -473.650177] /Subtype /Link /Border [0 0 0] /Dest /105 /ANN pdfmark
0.594140649 0 32 0 0 (, this value) A
33 -496.2 M
(MUST always be sent in the quoted-string form. ) S
11 -509.4 M
(pwd-hash: ) S
33 -522.6 M
1.1789062 0 32 0 0 (\(non-mandatory extensive-token\) specifies the hash algorithm \(hereafter referred to by ph\)) A
33 -535.8 M
(used for additionally hashing the password. The valid tokens are ) S
44 -546.4 M
gsave
0 setgray
newpath
44.0 -546.370239 2.75 0 360 arc
closepath
fill
grestore
55 -550 M
(none: ph\(p\) = p ) S
44 -560.6 M
gsave
0 setgray
newpath
44.0 -560.570251 2.75 0 360 arc
closepath
fill
grestore
55 -564.2 M
(md5: ph\(p\) = MD5\(p\) ) S
44 -574.8 M
gsave
0 setgray
newpath
44.0 -574.770264 2.75 0 360 arc
closepath
fill
grestore
55 -578.4 M
0.602050781 0 32 0 0 (digest-md5: ph\(p\) = MD5\(username | ":" | realm | ":" | p\), the same value as MD5\(A1\)) A
55 -591.6 M
(for "MD5" algorithm in ) S
gsave
newpath
162.3 -592.7 M
50.1054688 0 RL
stroke
grestore
([RFC2617]) S
[/Rect [161.324219 -594.350281 213.429688 -582.250305] /Subtype /Link /Border [0 0 0] /Dest /118 /ANN pdfmark
(. ) S
44 -602.2 M
gsave
0 setgray
newpath
44.0 -602.170288 2.75 0 360 arc
closepath
fill
grestore
55 -605.8 M
(sha1: ph\(p\) = ) S
(SHA1\(p\)) S
33 -619 M
(If omitted, the value "none" is assumed. The use of "none" is recommended. ) S
11 -632.2 M
(reason: ) S
33 -645.4 M
2.01649308 0 32 0 0 (\(mandatory extensive-token\) SHALL be an extensive-token which describes the possible) A
33 -658.6 M
5.58029509 0 32 0 0 (reason of the failed authentication/authorization. Both servers and clients SHALL) A
33 -671.8 M
(understand and support the following three tokens: ) S
55 -672.8 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 13 -) S
0 setgray
110 -8 M
grestore
pgsave restore N
%%Page: 14 14
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
44 -9.6 M
gsave
0 setgray
newpath
44.0 -9.57000065 2.75 0 360 arc
closepath
fill
grestore
55 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.28320312 0 32 0 0 (initial: authentication was not tried because there was no Authorization header in the) A
55 -26.4 M
(corresponding request. ) S
44 -37 M
gsave
0 setgray
newpath
44.0 -36.97 2.75 0 360 arc
closepath
fill
grestore
55 -40.6 M
0.923270106 0 32 0 0 (stale-session: the provided sid; in the request was either unknown to or expired in the) A
55 -53.8 M
(server. ) S
44 -64.4 M
gsave
0 setgray
newpath
44.0 -64.37 2.75 0 360 arc
closepath
fill
grestore
55 -68 M
3.45348 0 32 0 0 (auth-failed: authentication trial was failed by some reasons, possibly with a bad) A
55 -81.2 M
(authentication ) S
(credentials.) S
33 -94.4 M
0.13125 0 32 0 0 (Implementations MAY support the following tokens or any extensive-tokens defined outside) A
33 -107.6 M
0.362680286 0 32 0 0 (this specification. If clients has received any unknown tokens, these SHOULD treat these as) A
33 -120.8 M
(if it were "auth-failed" or "initial". ) S
44 -131.4 M
gsave
0 setgray
newpath
44.0 -131.37 2.75 0 360 arc
closepath
fill
grestore
55 -135 M
0.630642354 0 32 0 0 (reauth-needed: server-side application requires a new authentication trial, regardless of) A
55 -148.2 M
(the current status. ) S
44 -158.8 M
gsave
0 setgray
newpath
44.0 -158.769989 2.75 0 360 arc
closepath
fill
grestore
55 -162.4 M
1.23671877 0 32 0 0 (invalid-parameters: authentication was not even tried in the server-side because some) A
55 -175.6 M
(parameters are not acceptable. ) S
44 -186.2 M
gsave
0 setgray
newpath
44.0 -186.169983 2.75 0 360 arc
closepath
fill
grestore
55 -189.8 M
0.115559898 0 32 0 0 (internal-error: authentication was not even tried in the server-side because there is some) A
55 -203 M
(troubles on the server-side. ) S
44 -213.6 M
gsave
0 setgray
newpath
44.0 -213.569977 2.75 0 360 arc
closepath
fill
grestore
55 -217.2 M
0.7890625 0 32 0 0 (user-unknown: a special case of auth-failed, suggesting that the provided user-name is) A
55 -230.4 M
0.284765631 0 32 0 0 (invalid. The use of this parameter is NOT\240RECOMMENDED for security implications,) A
55 -243.6 M
(except for special-purpose applications which makes this value sense. ) S
44 -254.2 M
gsave
0 setgray
newpath
44.0 -254.169968 2.75 0 360 arc
closepath
fill
grestore
55 -257.8 M
4.96614599 0 32 0 0 (invalid-credential: ditto, suggesting that the provided user-name was valid but) A
55 -271 M
0.759943187 0 32 0 0 (authentication was failed. The use of this parameter is NOT\240RECOMMENDED as the) A
55 -284.2 M
(same as the ) S
(above.) S
0 -308.4 M
0.172135413 0 32 0 0 (The algorithm specified in this header will determine the types \(among those defined in ) A
gsave
newpath
390.3 -309.5 M
41.2382812 0 RL
stroke
grestore
0.172135413 0 32 0 0 (Section\2403) A
[/Rect [389.292969 -311.15 432.53125 -299.05] /Subtype /Link /Border [0 0 0] /Dest /36 /ANN pdfmark
0.172135413 0 32 0 0 (\) and) A
0 -321.6 M
11 0 Nf
(the values for ) S
(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(, ) S
(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(, ) S
(VK) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( and ) S
(VK) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(. ) S
0.0 -2.2 RM
0 -348 M
2.94050479 0 32 0 0 (Among these messages, those with the reason parameter of value "stale-session" will be called) A
0 -361.2 M
3.44108081 0 32 0 0 ("401-STALE" messages hereafter, because these have a special meaning in the protocol flow.) A
0 -374.4 M
(Messages with any other reason parameters will be called "401-INIT" messages. ) S
0 -385.4 M
[/View [/XYZ -4 371.599976 null] /Dest /52 /DEST pdfmark
0 -385.4 M
[/View [/XYZ -4 371.599976 null] /Dest /53 /DEST pdfmark
0 -401 M
%%IncludeResource: font Times-Bold
13 2 Nf
(4.2.) S
[/View [/XYZ -4 371.599976 null] /Dest /180 /DEST pdfmark
( ) S
(req-KEX-C1) S
0 -425.2 M
11 0 Nf
0.384440094 0 32 0 0 (Every req-KEX-C1 message SHALL be a valid HTTP request message containing an "Authorization") A
0 -438.4 M
(header with a credential containing a "kc1" parameter. ) S
0 -462.6 M
(The credential SHALL contain the parameters with the following names: ) S
11 -486.8 M
(version: ) S
33 -500 M
3.33046865 0 32 0 0 (\(mandatory, extensive-token\) should be the token "-draft11" in this specification. The) A
33 -513.2 M
(behavior is undefined when other values are specified. ) S
11 -526.4 M
(algorithm, validation, auth-domain, realm: ) S
33 -539.6 M
(MUST be the same value as it is when received from the server. ) S
11 -552.8 M
(user: ) S
33 -566 M
0.581542969 0 32 0 0 (\(mandatory, string\) is the UTF-8 encoded name of the user. If this name comes from a user) A
33 -579.2 M
3.03476572 0 32 0 0 (input, client software SHOULD prepare the string using ) A
gsave
newpath
306.8 -580.3 M
46.4296875 0 RL
stroke
grestore
3.03476572 0 32 0 0 (SASLprep) A
[/Rect [305.78125 -581.950134 354.210938 -569.850159] /Subtype /Link /Border [0 0 0] /Dest /110 /ANN pdfmark
3.03476572 0 32 0 0 ( [RFC4013] before) A
33 -592.4 M
(encoding it to UTF-8. ) S
11 -605.6 M
(kc1: ) S
33 -618.8 M
11 0 Nf
2.62011719 0 32 0 0 (\(mandatory, algorithm-determined\) is the client-side key exchange value ) A
2.62011719 0 32 0 0 (K) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
2.62011719 0 32 0 0 (c1) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
2.62011719 0 32 0 0 (, which is) A
0.0 -2.2 RM
33 -634.2 M
(specified by the algorithm that is used. ) S
33 -634.2 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 14 -) S
0 setgray
22 -8 M
grestore
pgsave restore N
%%Page: 15 15
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
11 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(rekey-sid: ) S
33 -26.4 M
2.27392578 0 32 0 0 (\(non-mandatory, hex-fixed-number\): reserved for future extensions \(see rekey-method in) A
33 -39.6 M
("200-VFY-S" message\). ) S
0 -50.6 M
[/View [/XYZ -4 706.4 null] /Dest /54 /DEST pdfmark
0 -50.6 M
[/View [/XYZ -4 706.4 null] /Dest /55 /DEST pdfmark
0 -66.2 M
%%IncludeResource: font Times-Bold
13 2 Nf
(4.3.) S
[/View [/XYZ -4 706.4 null] /Dest /181 /DEST pdfmark
( ) S
(401-KEX-S1) S
0 -90.4 M
11 0 Nf
0.484019876 0 32 0 0 (Every 401-KEX-S1 message SHALL be a valid HTTP 401-status \(Authentication Required\) response) A
0 -103.6 M
(message containing a "WWW-Authenticate" header with a challenge containing a "ks1" parameter. ) S
0 -127.8 M
(The challenge SHALL contain the parameters with the following names: ) S
11 -152 M
(version: ) S
33 -165.2 M
3.33046865 0 32 0 0 (\(mandatory, extensive-token\) should be the token "-draft11" in this specification. The) A
33 -178.4 M
(behavior is undefined when other values are specified. ) S
11 -191.6 M
(algorithm, validation, auth-domain, realm: ) S
33 -204.8 M
(MUST be the same value as it is when received from the client. ) S
11 -218 M
(sid: ) S
33 -231.2 M
1.51171875 0 32 0 0 (\(mandatory, hex-fixed-number\) MUST be a session identifier, which is a random integer.) A
33 -244.4 M
0.197753906 0 32 0 0 (The sid SHOULD have uniqueness of at least 80 bits or the square of the maximal estimated) A
33 -257.6 M
1.4016335 0 32 0 0 (transactions concurrently available in the session table, whichever is larger. See ) A
gsave
newpath
401.7 -258.7 M
41.2382812 0 RL
stroke
grestore
1.4016335 0 32 0 0 (Section\2406) A
[/Rect [400.726562 -260.349976 443.964844 -248.249969] /Subtype /Link /Border [0 0 0] /Dest /64 /ANN pdfmark
33 -270.8 M
(for more details. ) S
11 -284 M
(ks1: ) S
33 -297.2 M
11 0 Nf
2.42285156 0 32 0 0 (\(mandatory, algorithm-determined\) is the server-side key exchange value ) A
2.42285156 0 32 0 0 (K) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
2.42285156 0 32 0 0 (s1) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
2.42285156 0 32 0 0 (, which is) A
0.0 -2.2 RM
33 -312.6 M
(specified by the algorithm. ) S
11 -325.8 M
(nc-max: ) S
33 -339 M
(\(mandatory, integer\) is the maximal value of nonce counts that the server accepts. ) S
11 -352.2 M
(nc-window: ) S
33 -365.4 M
1.72716343 0 32 0 0 (\(mandatory, integer\) the number of available nonce slots that the server will accept. The) A
33 -378.6 M
(value of the nc-window parameter is RECOMMENDED to be 32 or more. ) S
11 -391.8 M
(time: ) S
33 -405 M
0.670072138 0 32 0 0 (\(mandatory, integer\) represents the suggested time \(in seconds\) that the client can reuse the) A
33 -418.2 M
1.03662109 0 32 0 0 (session represented by the sid. It is RECOMMENDED to be at least 60. The value of this) A
33 -431.4 M
1.69947922 0 32 0 0 (parameter is not directly linked to the duration that the server keeps track of the session) A
33 -444.6 M
(represented by the sid. ) S
11 -457.8 M
(path: ) S
33 -471 M
1.61425781 0 32 0 0 (\(non-mandatory, string\) specifies which path in the URI space the same authentication is) A
33 -484.2 M
0.565716922 0 32 0 0 (expected to be applied. The value is a space-separated list of URIs, in the same format as it) A
33 -497.4 M
0.189453125 0 32 0 0 (was specified in domain parameter ) A
gsave
newpath
190 -498.5 M
50.1054688 0 RL
stroke
grestore
0.189453125 0 32 0 0 ([RFC2617]) A
[/Rect [188.992188 -500.150177 241.097656 -488.050171] /Subtype /Link /Border [0 0 0] /Dest /118 /ANN pdfmark
0.189453125 0 32 0 0 ( for the Digest authentications, and clients are) A
33 -510.6 M
0.442382812 0 32 0 0 (RECOMMENDED to recognize it. The all path elements contained in the parameter MUST) A
33 -523.8 M
(be inside the specified auth-domain: if not, clients SHOULD ignore such elements. ) S
0 -534.8 M
[/View [/XYZ -4 222.199829 null] /Dest /56 /DEST pdfmark
0 -534.8 M
[/View [/XYZ -4 222.199829 null] /Dest /57 /DEST pdfmark
0 -550.4 M
13 2 Nf
(4.4.) S
[/View [/XYZ -4 222.199829 null] /Dest /182 /DEST pdfmark
( ) S
(req-VFY-C) S
0 -574.6 M
11 0 Nf
0.893229187 0 32 0 0 (Every req-VFY-C message SHALL be a valid HTTP request message containing an "Authorization") A
0 -587.8 M
(header with a credential containing a "vkc" parameter. ) S
0 -612 M
(The parameters contained in the header are as follows: ) S
11 -636.2 M
(version: ) S
33 -649.4 M
3.33046865 0 32 0 0 (\(mandatory, extensive-token\) should be the token "-draft11" in this specification. The) A
33 -662.6 M
(behavior is undefined when other values are specified. ) S
33 -662.6 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 15 -) S
0 setgray
22 -8 M
grestore
pgsave restore N
%%Page: 16 16
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
11 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(algorithm, validation, auth-domain, realm: ) S
33 -26.4 M
(MUST be the same value as it is when received from the server for the session. ) S
11 -39.6 M
(sid: ) S
33 -52.8 M
0.903846145 0 32 0 0 (\(mandatory, hex-fixed-number\) MUST be one of the sid values that was received from the) A
33 -66 M
(server for the same authentication realm. ) S
11 -79.2 M
(nc: ) S
33 -92.4 M
0.10963542 0 32 0 0 (\(mandatory, integer\) is a nonce value that is unique among the requests sharing the same sid.) A
33 -105.6 M
(The values of the nonces SHOULD satisfy the properties outlined in ) S
gsave
newpath
336.9 -106.7 M
41.2382812 0 RL
stroke
grestore
(Section\2406) S
[/Rect [335.90625 -108.349991 379.144531 -96.2499924] /Subtype /Link /Border [0 0 0] /Dest /64 /ANN pdfmark
(. ) S
11 -118.8 M
(vkc: ) S
33 -132 M
11 0 Nf
0.822021484 0 32 0 0 (\(mandatory, algorithm-determined\) is the client-side authentication verification value ) A
0.822021484 0 32 0 0 (VK) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
0.822021484 0 32 0 0 (c) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
0.822021484 0 32 0 0 (,) A
0.0 -2.2 RM
33 -147.4 M
(which is specified by the algorithm. ) S
0 -158.4 M
[/View [/XYZ -4 598.600037 null] /Dest /58 /DEST pdfmark
0 -158.4 M
[/View [/XYZ -4 598.600037 null] /Dest /59 /DEST pdfmark
0 -174 M
%%IncludeResource: font Times-Bold
13 2 Nf
(4.5.) S
[/View [/XYZ -4 598.600037 null] /Dest /183 /DEST pdfmark
( ) S
(200-VFY-S) S
0 -198.2 M
11 0 Nf
0.923958361 0 32 0 0 (Every 200-VFY-S message SHALL be a valid HTTP message that is not of the 401 \(Authentication) A
0 -211.4 M
(Required\) status, containing an "Authentication-Info" header with a "vks" parameter. ) S
0 -235.6 M
(The parameters contained in the header are as follows: ) S
11 -259.8 M
(version: ) S
33 -273 M
3.33046865 0 32 0 0 (\(mandatory, extensive-token\) should be the token "-draft11" in this specification. The) A
33 -286.2 M
(behavior is undefined when other values are specified. ) S
11 -299.4 M
(sid: ) S
33 -312.6 M
(\(mandatory, hex-fixed-number\) MUST be the value received from the client. ) S
11 -325.8 M
(vks: ) S
33 -339 M
11 0 Nf
0.575439453 0 32 0 0 (\(mandatory, algorithm-determined\) is the server-side authentication verification value ) A
0.575439453 0 32 0 0 (VK) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
0.575439453 0 32 0 0 (s) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
0.575439453 0 32 0 0 (,) A
0.0 -2.2 RM
33 -354.4 M
(which is specified by the algorithm. ) S
11 -367.6 M
(logout-timeout: ) S
33 -380.8 M
0.801432312 0 32 0 0 (\(non-mandatory, integer\) is the number of seconds after which the client should re-validate) A
33 -394 M
0.992745519 0 32 0 0 (the user's password for the current authentication realm. The value 0 means that the client) A
33 -407.2 M
2.42534733 0 32 0 0 (SHOULD automatically forget the user-inputted password for the current authentication) A
33 -420.4 M
2.17897725 0 32 0 0 (realm and revert to the unauthenticated state \(i.e.\240server-initiated logout\). This does not,) A
33 -433.6 M
2.98893237 0 32 0 0 (however, mean that the long-term memories for the passwords \(such as the password) A
33 -446.8 M
1.15 0 32 0 0 (reminders and auto fill-ins\) should be removed. If a new timeout value is received for the) A
33 -460 M
1.41914058 0 32 0 0 (same authentication realm, it overrides the previous timeout. If logout-timeout parameters) A
33 -473.2 M
1.60312498 0 32 0 0 (are specified both in an Authentication-Info header and an Authentication-Control header ) A
33 -486.4 M
1.29882812 0 32 0 0 (\() A
gsave
newpath
36.7 -487.5 M
135.890625 0 RL
stroke
grestore
1.29882812 0 32 0 0 ([I-D.oiwa-http-auth-extension]) A
[/Rect [35.6601562 -489.150177 173.550781 -477.050171] /Subtype /Link /Border [0 0 0] /Dest /106 /ANN pdfmark
1.29882812 0 32 0 0 (\), the client SHOULD respect the smaller one of those and) A
33 -499.6 M
(ignore the other. ) S
11 -512.8 M
(rekey-method: ) S
33 -526 M
3.68185759 0 32 0 0 (\(non-mandatory, extensive-token\): defining a credential used for reestablishing a new) A
33 -539.2 M
1.52709961 0 32 0 0 (session with a new sid. It must be either omitted or the token "passwords" at the current) A
33 -552.4 M
0.339409709 0 32 0 0 (specification. The bare-tokens "refresh-key" and "refresh-key-global" are reserved for future ) A
33 -565.6 M
(extensions.) S
0 -589.8 M
2.99080873 0 32 0 0 (The header MUST be sent before the content body: it MUST\240NOT be sent in the trailer of a) A
0 -603 M
6.90039062 0 32 0 0 (chunked-encoded response. If a "100 Continue" response is sent from the server, the) A
0 -616.2 M
(Authentication-Info header SHOULD be included in that response, instead of the final response. ) S
0 -627.2 M
[/View [/XYZ -4 129.799744 null] /Dest /60 /DEST pdfmark
0 -627.2 M
[/View [/XYZ -4 129.799744 null] /Dest /61 /DEST pdfmark
0 -628.2 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 16 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 17 17
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -18 M
%%IncludeResource: font Times-Bold
15 2 Nf
(5.) S
[/View [/XYZ -4 757.0 null] /Dest /184 /DEST pdfmark
( Authentication ) S
(Realms) S
0 -42.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.740349293 0 32 0 0 (In this protocol, an "authentication realm" is defined as a set of resources \(URIs\) for which the same) A
0 -55.4 M
0.259033203 0 32 0 0 (set of user names and passwords is valid for. If the server requests authentication for an authentication) A
0 -68.6 M
4.71304083 0 32 0 0 (realm that the client is already authenticated for, the client will automatically perform the) A
0 -81.8 M
0.960582376 0 32 0 0 (authentication using the already-known secrets. However, for the different authentication realms, the) A
0 -95 M
(clients SHOULD\240NOT automatically reuse the usernames and passwords for another realm. ) S
0 -119.2 M
0.645833313 0 32 0 0 (Just like in Basic and Digest access authentication protocols, Mutual authentication protocol supports) A
0 -132.4 M
0.860491097 0 32 0 0 (multiple, separate protection spaces to be set up inside each host. Furthermore, the protocol supports) A
0 -145.6 M
(that a single authentication realm spans over several hosts within the same Internet domain. ) S
0 -169.8 M
0.777043283 0 32 0 0 (Each authentication realm is defined and distinguished by the triple of an "authentication algorithm",) A
0 -183 M
8.33554649 0 32 0 0 (an "authentication domain", and a "realm" parameter. However, server operators are) A
0 -196.2 M
1.16685271 0 32 0 0 (NOT\240RECOMMENDED to use the same pair of an authentication domain and a realm for different) A
0 -209.4 M
(authentication algorithms. ) S
0 -233.6 M
0.967708349 0 32 0 0 (The realm parameter is a string as defined in ) A
gsave
newpath
207.5 -234.7 M
41.2382812 0 RL
stroke
grestore
0.967708349 0 32 0 0 (Section\2404) A
[/Rect [206.488281 -236.349976 249.726562 -224.249969] /Subtype /Link /Border [0 0 0] /Dest /48 /ANN pdfmark
0.967708349 0 32 0 0 (. Authentication domains are described in the) A
0 -246.8 M
(remainder of this section. ) S
0 -271 M
0.457291663 0 32 0 0 (An authentication domain specifies the range of hosts that the authentication realm spans over. In this) A
0 -284.2 M
(protocol, it MUST be one of the following strings. ) S
11 -304.8 M
gsave
0 setgray
newpath
11.0 -304.77002 2.75 0 360 arc
closepath
fill
grestore
22 -308.4 M
0.881944418 0 32 0 0 (Single-server type: The string in format "<scheme>://<host>:<port>", where <scheme>, <host>,) A
22 -321.6 M
0.283447266 0 32 0 0 (and <port> are the corresponding URI parts of the request URI. Even if the request-URI does not) A
22 -334.8 M
1.56578946 0 32 0 0 (have a port part, the string will include one \(i.e. 80 for http and 443 for https\). The port part) A
22 -348 M
3.11523438 0 32 0 0 (MUST\240NOT contain leading zeros. Use this when authentication is only valid for specific) A
22 -361.2 M
(protocol \(such as https\). ) S
11 -371.8 M
gsave
0 setgray
newpath
11.0 -371.770081 2.75 0 360 arc
closepath
fill
grestore
22 -375.4 M
0.763950884 0 32 0 0 (Single-host type: The "host" part of the requested URI. This is the default value. Authentication) A
22 -388.6 M
1.22963166 0 32 0 0 (realms within this kind of authentication domain will span over several protocols \(i.e. http and) A
22 -401.8 M
(https\) and ports, but not over different hosts. ) S
11 -412.4 M
gsave
0 setgray
newpath
11.0 -412.370117 2.75 0 360 arc
closepath
fill
grestore
22 -416 M
1.58810759 0 32 0 0 (Wildcard-domain type: The string in format "*.<domain-postfix>", where <domain-postfix> is) A
22 -429.2 M
0.887408078 0 32 0 0 (either the host part of the requested URI or any domain in which the requested host is included) A
22 -442.4 M
0.577473938 0 32 0 0 (\(this means that the specification "*.example.com" is valid for all of hosts "www.example.com",) A
22 -455.6 M
2.15429688 0 32 0 0 ("web.example.com", "www.sales.example.com" and "example.com"\). The domain-postfix sent) A
22 -468.8 M
0.636948526 0 32 0 0 (from the servers MUST be equal to or included in a valid Internet domain assigned to a specific) A
22 -482 M
0.879743278 0 32 0 0 (organization: if clients know, by some means such as a blacklist for ) A
gsave
newpath
332.8 -483.1 M
31.1219311 0 RL
stroke
grestore
0.879743278 0 32 0 0 (HTTP ) A
gsave
newpath
363.9 -483.1 M
33.5976562 0 RL
stroke
grestore
0.879743278 0 32 0 0 (cookies) A
[/Rect [331.785156 -484.750183 398.503906 -472.650177] /Subtype /Link /Border [0 0 0] /Dest /124 /ANN pdfmark
0.879743278 0 32 0 0 ( [RFC6265],) A
22 -495.2 M
2.0979166 0 32 0 0 (that the specified domain is not to be assigned to any specific organization \(e.g. "*.com" or) A
22 -508.4 M
("*.jp"\), the clients are RECOMMENDED to reject the authentication request. ) S
0 -532.6 M
1.05524552 0 32 0 0 (In the above specifications, every "scheme", "host", and "domain" MUST be in lower-case, and any) A
0 -545.8 M
1.49278843 0 32 0 0 (internationalized domain names beyond the ASCII character set SHALL be represented in the way) A
0 -559 M
0.225360572 0 32 0 0 (they are sent in the underlying HTTP protocol, represented in lower-case characters; i.e.\240these SHALL) A
0 -572.2 M
0.202473953 0 32 0 0 (be in the form of the LDH labels in ) A
gsave
newpath
159.7 -573.3 M
27.484375 0 RL
stroke
grestore
0.202473953 0 32 0 0 (IDNA) A
[/Rect [158.699219 -574.950256 188.183594 -562.850281] /Subtype /Link /Border [0 0 0] /Dest /122 /ANN pdfmark
0.202473953 0 32 0 0 ( [RFC5890]. All "port"s MUST be in the shortest, unsigned,) A
0 -585.4 M
1.51399744 0 32 0 0 (decimal number notation. Not obeying these requirements will cause failure of valid authentication) A
0 -598.6 M
(attempts. ) S
0 -609.6 M
[/View [/XYZ -4 147.399719 null] /Dest /62 /DEST pdfmark
0 -609.6 M
[/View [/XYZ -4 147.399719 null] /Dest /63 /DEST pdfmark
0 -609.6 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 17 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 18 18
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -15.6 M
%%IncludeResource: font Times-Bold
13 2 Nf
(5.1.) S
[/View [/XYZ -4 757.0 null] /Dest /185 /DEST pdfmark
( Resolving ) S
(Ambiguities) S
0 -39.8 M
%%IncludeResource: font Times-Roman
11 0 Nf
4.1350913 0 32 0 0 (In the above definitions of authentication domains, several domains will overlap each other.) A
0 -53 M
0.957331717 0 32 0 0 (Depending on the "path" parameters given in the "401-KEX-S1" message \(see ) A
gsave
newpath
358 -54.1 M
41.2382812 0 RL
stroke
grestore
0.957331717 0 32 0 0 (Section\2404) A
[/Rect [357.015625 -55.7500038 400.253906 -43.65] /Subtype /Link /Border [0 0 0] /Dest /48 /ANN pdfmark
0.957331717 0 32 0 0 (\), there may) A
0 -66.2 M
0.519010425 0 32 0 0 (be several candidates when the client is going to send a request including an authentication credential) A
0 -79.4 M
(\(Steps 3 and 4 of the decision procedure presented in ) S
gsave
newpath
235.8 -80.5 M
41.2382812 0 RL
stroke
grestore
(Section\2409) S
[/Rect [234.785156 -82.1500092 278.023438 -70.0500107] /Subtype /Link /Border [0 0 0] /Dest /70 /ANN pdfmark
(\). ) S
0 -103.6 M
(If such choices are required, the following procedure SHOULD be ) S
(followed.) S
11 -124.2 M
gsave
0 setgray
newpath
11.0 -124.170006 2.75 0 360 arc
closepath
fill
grestore
22 -127.8 M
0.296185672 0 32 0 0 (If the client has previously sent a request to the same URI, and if it remembers the authentication) A
22 -141 M
(realm requested by 401-INIT messages at that time, use that realm. ) S
11 -151.6 M
gsave
0 setgray
newpath
11.0 -151.57 2.75 0 360 arc
closepath
fill
grestore
22 -155.2 M
2.12535501 0 32 0 0 (In other cases, use one of authentication realms representing the most-specific authentication) A
22 -168.4 M
2.33503604 0 32 0 0 (domains. From the list of possible domain specifications shown above, each one earlier has) A
22 -181.6 M
(priority over ones described after that. ) S
22 -194.8 M
2.12860584 0 32 0 0 (If there are several choices with different domain-postfix specifications, the one that has the) A
22 -208 M
(longest domain-postfix has priority over ones with a shorter domain-postfix. ) S
11 -218.6 M
gsave
0 setgray
newpath
11.0 -218.569992 2.75 0 360 arc
closepath
fill
grestore
22 -222.2 M
1.19192708 0 32 0 0 (If there are realms with the same authentication domain, there is no defined priority: the client) A
22 -235.4 M
(MAY choose any one of the possible choices. ) S
0 -259.6 M
1.00641739 0 32 0 0 (If possible, server operators are encouraged to avoid such ambiguities by properly setting the "path") A
0 -272.8 M
(parameters. ) S
0 -283.8 M
[/View [/XYZ -4 473.2 null] /Dest /64 /DEST pdfmark
0 -283.8 M
[/View [/XYZ -4 473.2 null] /Dest /65 /DEST pdfmark
0 -302.8 M
15 2 Nf
(6.) S
[/View [/XYZ -4 472.2 null] /Dest /186 /DEST pdfmark
( Session ) S
(Management) S
0 -327 M
11 0 Nf
2.62304688 0 32 0 0 (In the Mutual authentication protocol, a session represented by an sid is set up using first four) A
0 -340.2 M
4.08842325 0 32 0 0 (messages \(first request, 401-INIT, req-KEX-C1 and 401-KEX-S1\), and a "session secret" \(z\)) A
0 -353.4 M
1.02656245 0 32 0 0 (associated with the session is established. After sharing a session secret, this session, along with the) A
0 -366.6 M
1.21571183 0 32 0 0 (secret, can be used for one or more requests for resources protected by the same realm in the same) A
0 -379.8 M
0.293887854 0 32 0 0 (server. Note that session management is only an inside detail of the protocol and usually not visible to) A
0 -393 M
1.39933896 0 32 0 0 (normal users. If a session expires, the client and server SHOULD automatically reestablish another) A
0 -406.2 M
(session without informing the users. ) S
0 -430.4 M
0.868896484 0 32 0 0 (Sessions and session identifiers are local to each server \(defined by scheme, host and port\) inside an) A
0 -443.6 M
1.94348955 0 32 0 0 (authentication domain; the clients MUST establish separate sessions for each port of a host to be) A
0 -456.8 M
1.84705532 0 32 0 0 (accessed. Furthermore, sessions and identifiers are also local to each authentication realm, even if) A
0 -470 M
0.690290153 0 32 0 0 (these are provided from the same servers. The same session identifiers provided either from different) A
0 -483.2 M
(servers or for different realms SHOULD be treated as independent ones. ) S
0 -507.4 M
1.07083333 0 32 0 0 (The server SHOULD accept at least one req-VFY-C request for each session, given that the request) A
0 -520.6 M
0.621875 0 32 0 0 (reaches the server in a time window specified by the timeout parameter in the 401-KEX-S1 message,) A
0 -533.8 M
0.423483461 0 32 0 0 (and that there are no emergent reasons \(such as flooding attacks\) to forget the sessions. After that, the) A
0 -547 M
0.0294270832 0 32 0 0 (server MAY discard any session at any time and MAY send 401-STALE messages for any req-VFY-C) A
0 -560.2 M
(requests. ) S
0 -584.4 M
0.78010112 0 32 0 0 (The client MAY send two or more requests using a single session specified by the sid. However, for) A
0 -597.6 M
3.39088535 0 32 0 0 (all such requests, each value of the nonce \(in the nc parameter\) MUST satisfy the following) A
0 -610.8 M
(conditions: ) S
11 -631.4 M
gsave
0 setgray
newpath
11.0 -631.370239 2.75 0 360 arc
closepath
fill
grestore
22 -635 M
(It is a natural number. ) S
11 -645.6 M
gsave
0 setgray
newpath
11.0 -645.570251 2.75 0 360 arc
closepath
fill
grestore
22 -649.2 M
(The same nonce was not sent within the same session. ) S
11 -659.8 M
gsave
0 setgray
newpath
11.0 -659.770264 2.75 0 360 arc
closepath
fill
grestore
22 -663.4 M
0.619574666 0 32 0 0 (It is not larger than the nc-max value that was sent from the server in the session represented by) A
22 -663.4 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 18 -) S
0 setgray
44 -8 M
grestore
pgsave restore N
%%Page: 19 19
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
22 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(the sid. ) S
11 -23.8 M
gsave
0 setgray
newpath
11.0 -23.77 2.75 0 360 arc
closepath
fill
grestore
22 -27.4 M
11 0 Nf
0.374267578 0 32 0 0 (It is larger than \(largest-nc - nc-window\), where largest-nc is the maximal value of nc which was) A
22 -40.6 M
0.00807291642 0 32 0 0 (previously sent in the session, and nc-window is the value of the nc-window parameter which was) A
22 -53.8 M
(received from the server in the ) S
(session.) S
0 -78 M
1.14375 0 32 0 0 (The last condition allows servers to reject any nonce values that are "significantly" smaller than the) A
0 -91.2 M
0.0197610296 0 32 0 0 ("current" value \(defined by the value of nc-window\) of the nonce used in the session involved. In other) A
0 -104.4 M
2.6373198 0 32 0 0 (words, servers MAY treat such nonces as "already received". This restriction enables servers to) A
0 -117.6 M
(implement duplicated nonce detection in a constant amount of memory \(for each session\). ) S
0 -141.8 M
1.3338542 0 32 0 0 (Servers MUST check for duplication of the received nonces, and if any duplication is detected, the) A
0 -155 M
0.596819222 0 32 0 0 (server MUST discard the session and respond with a 401-STALE message, as outlined in ) A
gsave
newpath
404.5 -156.1 M
46.7382812 0 RL
stroke
grestore
0.596819222 0 32 0 0 (Section\24010) A
[/Rect [403.46875 -157.749985 452.207031 -145.649979] /Subtype /Link /Border [0 0 0] /Dest /73 /ANN pdfmark
0.596819222 0 32 0 0 (.) A
0 -168.2 M
1.84228516 0 32 0 0 (The server MAY also reject other invalid nonce values \(such as ones above the nc-max limit\) by) A
0 -181.4 M
(sending a 401-STALE message. ) S
0 -205.6 M
1.22886026 0 32 0 0 (For example, assume the nc-window value of the current session is 32, nc-max is 100, and that the) A
0 -218.8 M
1.6854167 0 32 0 0 (client has already used the following nonce values: {1-20, 22, 24, 30-38, 45-60, 63-72}. Then the) A
0 -232 M
0.115885414 0 32 0 0 (nonce values that can be used for next request is one of the following set: {41-44, 61-62, 73-100}. The) A
0 -245.2 M
0.100694448 0 32 0 0 (values {0, 21, 23, 25-29, 39-40} MAY be rejected by the server because they are not above the current) A
0 -258.4 M
("window limit" \(40 = 72 - 32\). ) S
0 -282.6 M
0.903320312 0 32 0 0 (Typically, clients can ensure the above property by using a monotonically-increasing integer counter) A
0 -295.8 M
(that counts from zero upto the value of nc-max. ) S
0 -320 M
1.04947913 0 32 0 0 (The values of the nonces and any nonce-related values MUST always be treated as natural numbers) A
0 -333.2 M
3.52695322 0 32 0 0 (within an infinite range. Implementations using fixed-width integers or fixed-precision floating) A
0 -346.4 M
4.87226582 0 32 0 0 (numbers MUST correctly and carefully handle integer overflows. Such implementations are) A
0 -359.6 M
1.16346157 0 32 0 0 (RECOMMENDED to accept any larger values that cannot be represented in the fixed-width integer) A
0 -372.8 M
0.185825899 0 32 0 0 (representations, as long as other limits such as internal header-length restrictions are not involved. The) A
0 -386 M
1.29140627 0 32 0 0 (protocol is designed carefully so that both the clients and servers can implement the protocol using) A
0 -399.2 M
(only fixed-width integers, by rounding any overflowed values to the maximum possible value. ) S
0 -410.2 M
[/View [/XYZ -4 346.799927 null] /Dest /66 /DEST pdfmark
0 -410.2 M
[/View [/XYZ -4 346.799927 null] /Dest /67 /DEST pdfmark
0 -429.2 M
%%IncludeResource: font Times-Bold
15 2 Nf
(7.) S
[/View [/XYZ -4 345.799927 null] /Dest /187 /DEST pdfmark
( Validation ) S
(Methods) S
0 -453.4 M
11 0 Nf
1.56730771 0 32 0 0 (The "validation method" specifies a method to "relate" the mutual authentication processed by this) A
0 -466.6 M
3.67773438 0 32 0 0 (protocol with other authentications already performed in the underlying layers and to prevent) A
0 -479.8 M
(man-in-the-middle attacks. It decides the value v that is an input to the authentication protocols. ) S
0 -504 M
(The valid tokens for the validation parameter and corresponding values of v are as follows: ) S
11 -528.2 M
(host: ) S
33 -541.4 M
3.60216355 0 32 0 0 (hostname validation: The value v will be the ASCII string in the following format:) A
33 -554.6 M
0.1796875 0 32 0 0 ("<scheme>://<host>:<port>", where <scheme>, <host>, and <port> are the URI components) A
33 -567.8 M
1.13378906 0 32 0 0 (corresponding to the currently accessing resource. The scheme and host are in lower-case,) A
33 -581 M
0.447509766 0 32 0 0 (and the port is in a shortest decimal representation. Even if the request-URI does not have a) A
33 -594.2 M
(port part, v will include one. ) S
11 -607.4 M
(tls-cert: ) S
33 -620.6 M
0.133501843 0 32 0 0 (TLS certificate validation: The value v will be the octet string of the hash value of the public) A
33 -633.8 M
0.572115362 0 32 0 0 (key certificate used in the underlying ) A
gsave
newpath
202.6 -634.9 M
19.5507812 0 RL
stroke
grestore
0.572115362 0 32 0 0 (TLS) A
[/Rect [201.5625 -636.550232 223.113281 -624.450256] /Subtype /Link /Border [0 0 0] /Dest /113 /ANN pdfmark
0.572115362 0 32 0 0 ( [RFC5246] \(or SSL\) connection. The hash value) A
33 -647 M
3.90564895 0 32 0 0 (is defined as the value of the entire signed certificate \(specified as "Certificate" in ) A
33 -660.2 M
gsave
newpath
33 -661.3 M
50.1054688 0 RL
stroke
grestore
([RFC5280]) S
[/Rect [32.0 -662.950256 84.1054688 -650.850281] /Subtype /Link /Border [0 0 0] /Dest /121 /ANN pdfmark
(\), hashed by the hash algorithm specified by the authentication algorithm used. ) S
33 -660.2 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 19 -) S
0 setgray
22 -8 M
grestore
pgsave restore N
%%Page: 20 20
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
11 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(tls-key: ) S
33 -26.4 M
0.926041663 0 32 0 0 (TLS shared-key validation: The value v will be the octet string of the shared master secret) A
33 -39.6 M
(negotiated in the underlying TLS \(or SSL\) ) S
(connection.) S
0 -63.8 M
0.083984375 0 32 0 0 (If the HTTP protocol is used on a non-encrypted channel \(TCP and SCTP, for example\), the validation) A
0 -77 M
0.153738841 0 32 0 0 (type MUST be "host". If ) A
gsave
newpath
111.8 -78.1 M
50.0976562 0 RL
stroke
grestore
0.153738841 0 32 0 0 (HTTP/TLS) A
[/Rect [110.753906 -79.75 162.851562 -67.65] /Subtype /Link /Border [0 0 0] /Dest /119 /ANN pdfmark
0.153738841 0 32 0 0 ( [RFC2818] \(HTTPS\) protocol is used with the server certificates,) A
0 -90.2 M
1.90807295 0 32 0 0 (the validation type MUST be either "tls-cert" or "tls-key". If HTTP/TLS protocol is used with an) A
0 -103.4 M
0.00210336549 0 32 0 0 (anonymous Diffie-Hellman key exchange, the validation type MUST be "tls-key" \(see the note below\). ) A
0 -127.6 M
1.08255208 0 32 0 0 (If the validation type "tls-cert" is used, the server certificate provided on TLS connection MUST be) A
0 -140.8 M
(verified to make sure that the server actually owns the corresponding secret key. ) S
0 -165 M
(Clients MUST validate this parameter upon reception of the 401-INIT messages. ) S
0 -189.2 M
2.49693084 0 32 0 0 (However, when the client is a Web browser with any scripting capabilities, the underlying TLS) A
0 -202.4 M
3.75260425 0 32 0 0 (channel used with HTTP/TLS MUST provide server identity verification. This means \(1\) the) A
0 -215.6 M
0.471028656 0 32 0 0 (anonymous Diffie-Hellman key exchange ciphersuite MUST\240NOT be used, and \(2\) the verification of) A
0 -228.8 M
(the server certificate provided from the server MUST be performed. ) S
0 -253 M
1.07728791 0 32 0 0 (For other systems, when the underlying TLS channel used with HTTP/TLS does not perform server) A
0 -266.2 M
0.773995519 0 32 0 0 (identity verification, the client SHOULD ensure that all the responses are validated using the Mutual) A
0 -279.4 M
(authentication protocol, regardless of the existence of the 401-INIT responses. ) S
0 -303.6 M
0.655413 0 32 0 0 (Note: The protocol defines two variants for validation on the TLS connections. The "tls-key" method) A
0 -316.8 M
(is more secure. However, there are some situations where tls-cert is more ) S
(preferable.) S
11 -337.4 M
gsave
0 setgray
newpath
11.0 -337.370026 2.75 0 360 arc
closepath
fill
grestore
22 -341 M
0.297135413 0 32 0 0 (When TLS accelerating proxies are used, it is difficult for the authenticating server to acquire the) A
22 -354.2 M
2.09099269 0 32 0 0 (TLS key information that is used between the client and the proxy. This is not the case for) A
22 -367.4 M
(client-side "tunneling" proxies using a CONNECT method extension of HTTP. ) S
11 -378 M
gsave
0 setgray
newpath
11.0 -377.970062 2.75 0 360 arc
closepath
fill
grestore
22 -381.6 M
(When a black-box implementation of the TLS protocol is used on either peer. ) S
0 -405.8 M
0.869673312 0 32 0 0 (Implementations supporting a Mutual authentication over the HTTPS protocol SHOULD support the) A
0 -419 M
("tls-cert" validation. Support for "tls-key" validation is OPTIONAL for both the servers and clients. ) S
0 -430 M
[/View [/XYZ -4 326.999908 null] /Dest /68 /DEST pdfmark
0 -430 M
[/View [/XYZ -4 326.999908 null] /Dest /69 /DEST pdfmark
0 -449 M
%%IncludeResource: font Times-Bold
15 2 Nf
(8.) S
[/View [/XYZ -4 325.999908 null] /Dest /188 /DEST pdfmark
( Authentication ) S
(Extensions) S
0 -473.2 M
11 0 Nf
0.292613626 0 32 0 0 (The HTTP authentication extensions described in ) A
gsave
newpath
222.3 -474.3 M
135.890625 0 RL
stroke
grestore
0.292613626 0 32 0 0 ([I-D.oiwa-http-auth-extension]) A
[/Rect [221.257812 -475.950104 359.148438 -463.850098] /Subtype /Link /Border [0 0 0] /Dest /106 /ANN pdfmark
0.292613626 0 32 0 0 ( is a definitive part of) A
0 -486.4 M
0.900923312 0 32 0 0 (this protocol. Interactive clients \(e.g. Web browsers\) supporting this protocol are RECOMMENDED) A
0 -499.6 M
0.778125 0 32 0 0 (to support non-mandatory authentication and the Authentication-Control header defined there, except) A
0 -512.8 M
4.74023438 0 32 0 0 (the "auth-style" parameter. This specification also proposes \(however, not mandates\) default) A
0 -526 M
0.425455719 0 32 0 0 ("auth-style" to be "non-modal". Web applications SHOULD however consider the security impacts of) A
0 -539.2 M
(the behaviors of clients that do not support these headers. ) S
0 -563.4 M
2.23681641 0 32 0 0 (Authentication-initializing messages with the Optional-WWW-Authenticate header are used where) A
0 -576.6 M
0.577288 0 32 0 0 (401-INIT response is valid. Such a message is called a 200-Optional-INIT message in this document.) A
0 -589.8 M
(\(It will not replace other 401-type messages such as 401-STALE and 401-KEX-S1.\) ) S
0 -600.8 M
[/View [/XYZ -4 156.199829 null] /Dest /70 /DEST pdfmark
0 -600.8 M
[/View [/XYZ -4 156.199829 null] /Dest /71 /DEST pdfmark
0 -601.8 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 20 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 21 21
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -18 M
%%IncludeResource: font Times-Bold
15 2 Nf
(9.) S
[/View [/XYZ -4 757.0 null] /Dest /189 /DEST pdfmark
( Decision Procedure for ) S
(Clients) S
0 -42.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.688058 0 32 0 0 (To securely implement the protocol, the user client must be careful about accepting the authenticated) A
0 -55.4 M
1.74916291 0 32 0 0 (responses from the server. This also holds true for the reception of "normal responses" \(responses) A
0 -68.6 M
(which do not contain Mutual-related headers\) from HTTP servers. ) S
0 -92.8 M
3.08919263 0 32 0 0 (Clients SHOULD implement a decision procedure equivalent to the one shown below. \(Unless) A
0 -106 M
1.42940843 0 32 0 0 (implementers understand what is required for the security, they should not alter this.\) In particular,) A
0 -119.2 M
0.892578125 0 32 0 0 (clients SHOULD\240NOT accept "normal responses" unless explicitly allowed below. The labels on the) A
0 -132.4 M
0.119977675 0 32 0 0 (steps are for informational purposes only. Action entries within each step are checked in top-to-bottom) A
0 -145.6 M
(order, and the first clause satisfied SHOULD be taken. ) S
11 -169.8 M
(Step 1 \(step_new_request\): ) S
33 -183 M
1.3976562 0 32 0 0 (If the client software needs to access a new Web resource, check whether the resource is) A
33 -196.2 M
3.08894229 0 32 0 0 (expected to be inside some authentication realm for which the user has already been) A
33 -209.4 M
1.35993302 0 32 0 0 (authenticated by the Mutual authentication scheme. If yes, go to Step 2. Otherwise, go to) A
33 -222.6 M
(Step 5. ) S
11 -235.8 M
(Step 2: ) S
33 -249 M
0.988020837 0 32 0 0 (Check whether there is an available sid for the authentication realm you expect. If there is) A
33 -262.2 M
(one, go to Step 3. Otherwise, go to Step 4. ) S
11 -275.4 M
(Step 3 \(step_send_vfy_1\): ) S
33 -288.6 M
(Send a req-VFY-C request. ) S
44 -299.2 M
gsave
0 setgray
newpath
44.0 -299.17 2.75 0 360 arc
closepath
fill
grestore
55 -302.8 M
0.395833343 0 32 0 0 (If you receive a 401-INIT message with a different authentication realm than expected,) A
55 -316 M
(go to Step 6. ) S
44 -326.6 M
gsave
0 setgray
newpath
44.0 -326.570038 2.75 0 360 arc
closepath
fill
grestore
55 -330.2 M
0.653409064 0 32 0 0 (If you receive a 200-Optional-INIT message with a different authentication realm than) A
55 -343.4 M
(expected, go to Step 6. ) S
44 -354 M
gsave
0 setgray
newpath
44.0 -353.970062 2.75 0 360 arc
closepath
fill
grestore
55 -357.6 M
(If you receive a 401-STALE message, go to Step 9. ) S
44 -368.2 M
gsave
0 setgray
newpath
44.0 -368.170074 2.75 0 360 arc
closepath
fill
grestore
55 -371.8 M
(If you receive a 401-INIT message, go to Step 13. ) S
44 -382.4 M
gsave
0 setgray
newpath
44.0 -382.370087 2.75 0 360 arc
closepath
fill
grestore
55 -386 M
(If you receive a 200-VFY-S message, go to Step 14. ) S
44 -396.6 M
gsave
0 setgray
newpath
44.0 -396.570099 2.75 0 360 arc
closepath
fill
grestore
55 -400.2 M
(If you receive a normal response, go to Step ) S
(11.) S
11 -413.4 M
(Step 4 \(step_send_kex1_1\): ) S
33 -426.6 M
(Send a req-KEX-C1 request. ) S
44 -437.2 M
gsave
0 setgray
newpath
44.0 -437.170135 2.75 0 360 arc
closepath
fill
grestore
55 -440.8 M
0.395833343 0 32 0 0 (If you receive a 401-INIT message with a different authentication realm than expected,) A
55 -454 M
(go to Step 6. ) S
44 -464.6 M
gsave
0 setgray
newpath
44.0 -464.57016 2.75 0 360 arc
closepath
fill
grestore
55 -468.2 M
0.653409064 0 32 0 0 (If you receive a 200-Optional-INIT message with a different authentication realm than) A
55 -481.4 M
(expected, go to Step 6. ) S
44 -492 M
gsave
0 setgray
newpath
44.0 -491.970184 2.75 0 360 arc
closepath
fill
grestore
55 -495.6 M
(If you receive a 401-KEX-S1 message, go to Step 10. ) S
44 -506.2 M
gsave
0 setgray
newpath
44.0 -506.170197 2.75 0 360 arc
closepath
fill
grestore
55 -509.8 M
0.990792394 0 32 0 0 (If you receive a 401-INIT message with the same authentication realm, go to Step 13) A
55 -523 M
(\(see Note 1\). ) S
44 -533.6 M
gsave
0 setgray
newpath
44.0 -533.57019 2.75 0 360 arc
closepath
fill
grestore
55 -537.2 M
(If you receive a normal response, go to Step ) S
(11.) S
11 -550.4 M
(Step 5 \(step_send_normal_1\): ) S
33 -563.6 M
(Send a request without any Mutual authentication headers. ) S
44 -574.2 M
gsave
0 setgray
newpath
44.0 -574.170227 2.75 0 360 arc
closepath
fill
grestore
55 -577.8 M
(If you receive a 401-INIT message, go to Step 6. ) S
44 -588.4 M
gsave
0 setgray
newpath
44.0 -588.370239 2.75 0 360 arc
closepath
fill
grestore
55 -592 M
(If you receive a 200-Optional-INIT message, go to Step 6. ) S
44 -602.6 M
gsave
0 setgray
newpath
44.0 -602.570251 2.75 0 360 arc
closepath
fill
grestore
55 -606.2 M
(If you receive a normal response, go to Step ) S
(11.) S
11 -619.4 M
(Step 6 \(step_rcvd_init\): ) S
33 -632.6 M
0.41015625 0 32 0 0 (Check whether you know the user's password for the requested authentication realm. If yes,) A
33 -645.8 M
(go to Step 7. Otherwise, go to Step 12. ) S
33 -645.8 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 21 -) S
0 setgray
22 -8 M
grestore
pgsave restore N
%%Page: 22 22
%%PageResources: font Times-Roman Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
11 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(Step 7: ) S
33 -26.4 M
0.988020837 0 32 0 0 (Check whether there is an available sid for the authentication realm you expect. If there is) A
33 -39.6 M
(one, go to Step 8. Otherwise, go to Step 9. ) S
11 -52.8 M
(Step 8 \(step_send_vfy\): ) S
33 -66 M
(Send a req-VFY-C request. ) S
44 -76.6 M
gsave
0 setgray
newpath
44.0 -76.57 2.75 0 360 arc
closepath
fill
grestore
55 -80.2 M
(If you receive a 401-STALE message, go to Step 9. ) S
44 -90.8 M
gsave
0 setgray
newpath
44.0 -90.77 2.75 0 360 arc
closepath
fill
grestore
55 -94.4 M
(If you receive a 401-INIT message, go to Step 13. ) S
44 -105 M
gsave
0 setgray
newpath
44.0 -104.969994 2.75 0 360 arc
closepath
fill
grestore
55 -108.6 M
(If you receive a 200-VFY-S message, go to Step ) S
(14.) S
11 -121.8 M
(Step 9 \(step_send_kex1\): ) S
33 -135 M
(Send a req-KEX-C1 request. ) S
44 -145.6 M
gsave
0 setgray
newpath
44.0 -145.569992 2.75 0 360 arc
closepath
fill
grestore
55 -149.2 M
(If you receive a 401-KEX-S1 message, go to Step 10. ) S
44 -159.8 M
gsave
0 setgray
newpath
44.0 -159.769989 2.75 0 360 arc
closepath
fill
grestore
55 -163.4 M
(If you receive a 401-INIT message, go to Step 13 \(See Note ) S
(1\).) S
11 -176.6 M
(Step 10 \(step_rcvd_kex1\): ) S
33 -189.8 M
(Send a req-VFY-C request. ) S
44 -200.4 M
gsave
0 setgray
newpath
44.0 -200.36998 2.75 0 360 arc
closepath
fill
grestore
55 -204 M
(If you receive a 401-INIT message, go to Step 13. ) S
44 -214.6 M
gsave
0 setgray
newpath
44.0 -214.569977 2.75 0 360 arc
closepath
fill
grestore
55 -218.2 M
(If you receive a 200-VFY-S message, go to Step ) S
(14.) S
11 -231.4 M
(Step 11 \(step_rcvd_normal\): ) S
33 -244.6 M
4.3088727 0 32 0 0 (The requested resource is out of the authenticated area. The client will be in the) A
33 -257.8 M
0.308203131 0 32 0 0 ("UNAUTHENTICATED" status. If the response contains a request for authentications other) A
33 -271 M
(than Mutual, it MAY be handled normally. ) S
11 -284.2 M
(Step 12 \(step_rcvd_init_unknown\): ) S
33 -297.4 M
5.07682276 0 32 0 0 (The requested resource requires a Mutual authentication, and the user is not yet) A
33 -310.6 M
7.17734385 0 32 0 0 (authenticated. The client will be in the "AUTH-REQUESTED" status, and is) A
33 -323.8 M
1.31145835 0 32 0 0 (RECOMMENDED to process the content sent from the server, and to ask user for a user) A
33 -337 M
(name and a password. When those are supplied from the user, proceed to Step 9. ) S
11 -350.2 M
(Step 13 \(step_rcvd_init_failed\): ) S
33 -363.4 M
0.689903855 0 32 0 0 (For some reason the authentication failed: possibly the password or the username is invalid) A
33 -376.6 M
1.28004813 0 32 0 0 (for the authenticated resource. Forget the password for the authentication realm and go to) A
33 -389.8 M
(Step 12. ) S
11 -403 M
(Step 14 \(step_rcvd_vfy\): ) S
33 -416.2 M
11 0 Nf
0.790096521 0 32 0 0 (Check the validity of the received ) A
0.790096521 0 32 0 0 (VK) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
0.790096521 0 32 0 0 (s) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
0.790096521 0 32 0 0 ( value. If it is equal to the expected value, it means) A
0.0 -2.2 RM
33 -431.6 M
9.39595127 0 32 0 0 (that the mutual authentication has succeeded. The client will be in the) A
33 -444.8 M
("AUTH-SUCCEEDED" status. ) S
33 -458 M
(If the value is unexpected, it is a fatal communication error. ) S
33 -471.2 M
0.143798828 0 32 0 0 (If a user explicitly requests to log out \(via user interfaces\), the client MUST forget the user's) A
33 -484.4 M
(password, go to step 5 and reload the current resource without an authentication header. ) S
11 -497.6 M
(Note 1: ) S
33 -510.8 M
1.1484375 0 32 0 0 (These transitions MAY be accepted by clients, but NOT\240RECOMMENDED for servers to ) A
33 -524 M
(initiate.) S
0 -548.2 M
1.1690104 0 32 0 0 (Any kind of response \(including a normal response\) other than those shown in the above procedure) A
0 -561.4 M
1.49469864 0 32 0 0 (SHOULD be interpreted as a fatal communication error, and in such cases the clients MUST\240NOT) A
0 -574.6 M
0.624442 0 32 0 0 (process any data \(response body and other content-related headers\) sent from the server. However, to) A
0 -587.8 M
0.473632812 0 32 0 0 (handle exceptional error cases, clients MAY accept a message without an Authentication-Info header,) A
0 -601 M
0.842773438 0 32 0 0 (if it is a Server-Error \(5xx\) status. The client will be in the "UNAUTHENTICATED" status in these) A
0 -614.2 M
(cases. ) S
0 -638.4 M
0.683072925 0 32 0 0 (The client software SHOULD display the three client status to the end-user. For an interactive client,) A
0 -651.6 M
0.412109375 0 32 0 0 (however, if a request is a sub-request for a resource included in another page \(e.g., embedded images,) A
0 -664.8 M
7.83323336 0 32 0 0 (style sheets, frames etc.\), its status MAY be omitted from being shown, and any) A
0 -664.8 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 22 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 23 23
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.51953125 0 32 0 0 ("AUTH-REQUESTED" statuses MAY be treated in the same way as an "UNAUTHENTICATED") A
0 -26.4 M
11 0 Nf
(status. ) S
0 -50.6 M
gsave
newpath
0 -51.7 M
36.9609375 0 RL
stroke
grestore
(Figure\2405) S
[/Rect [-1.0 -53.3500023 37.9609375 -41.25] /Subtype /Link /Border [0 0 0] /Dest /72 /ANN pdfmark
( shows a diagram of the client-side state. ) S
0 -61.6 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -72.6 M
[/View [/XYZ -4 684.4 null] /Dest /72 /DEST pdfmark
0 -466.6 M
gsave
0.0 -466.6 translate
/IS 1 D
save
0 0 M
IS IS scale
/showpage {}D
-71 -427 translate
/tgifdict 53 dict def
tgifdict begin
/tgifarrowtipdict 8 dict def
tgifarrowtipdict /mtrx matrix put
/TGAT % tgifarrowtip
{ tgifarrowtipdict begin
/dy exch def
/dx exch def
/h exch def
/w exch def
/y exch def
/x exch def
/savematrix mtrx currentmatrix def
x y translate
dy dx atan rotate
0 0 moveto
w neg h lineto
w neg h neg lineto
savematrix setmatrix
end
} def
/TGMAX
{ exch dup 3 1 roll exch dup 3 1 roll gt { pop } { exch pop } ifelse
} def
/TGMIN
{ exch dup 3 1 roll exch dup 3 1 roll lt { pop } { exch pop } ifelse
} def
/TGSW { stringwidth pop } def
/bd { bind def } bind def
/GS { gsave } bd
/GR { grestore } bd
/NP { newpath } bd
/CP { closepath } bd
/CHP { charpath } bd
/CT { curveto } bd
/L { lineto } bd
/RL { rlineto } bd
/M { moveto } bd
/RM { rmoveto } bd
/S { stroke } bd
/F { fill } bd
/TR { translate } bd
/RO { rotate } bd
/SC { scale } bd
/MU { mul } bd
/DI { div } bd
/DU { dup } bd
/NE { neg } bd
/AD { add } bd
/SU { sub } bd
/PO { pop } bd
/EX { exch } bd
/CO { concat } bd
/CL { clip } bd
/EC { eoclip } bd
/EF { eofill } bd
/IM { image } bd
/IMM { imagemask } bd
/ARY { array } bd
/SG { setgray } bd
/RG { setrgbcolor } bd
/SD { setdash } bd
/W { setlinewidth } bd
/SM { setmiterlimit } bd
/SLC { setlinecap } bd
/SLJ { setlinejoin } bd
/SH { show } bd
/FF { findfont } bd
/MS { makefont setfont } bd
/AR { arcto 4 {pop} repeat } bd
/CURP { currentpoint } bd
/FLAT { flattenpath strokepath clip newpath } bd
/TGSM { tgiforigctm setmatrix } def
/TGRM { savematrix setmatrix } def
end
tgifdict begin
/tgifsavedpage save def
1 SM
1 W
0 SG
72 0 MU 72 11.602 MU TR
72 128 DI 100.000 MU 100 DI DU NE SC
GS
/tgiforigctm matrix currentmatrix def
NP
0 SG
GS
1 W
250 45 M
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(NEW REQUEST) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(NEW REQUEST) DU TGSW EX SH
GS CURP M 0 2 RM NE 0 RL S GR
GR
GR
0 SG
NP
250 95 M
180 125 L
250 155 L
320 125 L
CP
GS
GR
GS
S
GR
NP
0 SG
GS
1 W
250 120 M
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(the requested URI) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(the requested URI) SH
GR
0 15 RM
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(known to be authed?) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(known to be authed?) SH
GR
GR
0 SG
GS
NP
250 50 M
45 0 atan DU cos 8.000 MU 250 exch SU
exch sin 8.000 MU 95 exch SU L
TGSM
1 W
S
GR
GS
TGSM
NP
250 95 8.000 3.000 0 45 TGAT
1 SG CP F
0 SG
NP
250 95 8.000 3.000 0 45 TGAT
CP F
GR
0 SG
GS
GS
NP
684 100 M
700 100 700 150 16 AR
700 134 L
700 150 600 150 16 AR
616 150 L
600 150 600 100 16 AR
600 116 L
600 100 700 100 16 AR
CP
S
GR
GR
NP
0 SG
GS
1 W
650 120 M
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(send) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(send) SH
GR
0 15 RM
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(normal request) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(normal request) SH
GR
GR
0 SG
GS
NP
600 105 M
-35 -55 atan DU cos 8.000 MU 545 exch SU
exch sin 8.000 MU 70 exch SU L
TGSM
1 W
S
GR
GS
TGSM
NP
545 70 8.000 3.000 -55 -35 TGAT
1 SG CP F
0 SG
NP
545 70 8.000 3.000 -55 -35 TGAT
CP F
GR
NP
0 SG
GS
1 W
480 75 M
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(UNAUTHENTICATED) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(UNAUTHENTICATED) DU TGSW EX SH
GS CURP M 0 2 RM NE 0 RL S GR
GR
GR
0 SG
GS
NP
320 125 M
0 280 atan DU cos 8.000 MU 600 exch SU
exch sin 8.000 MU 125 exch SU L
TGSM
1 W
S
GR
GS
TGSM
NP
600 125 8.000 3.000 280 0 TGAT
1 SG CP F
0 SG
NP
600 125 8.000 3.000 280 0 TGAT
CP F
GR
NP
0 SG
GS
1 W
535 100 M
GS
GS
0
/Times-BoldItalic FF [12 0 0 -12 0 0] MS
(normal response) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-BoldItalic FF [12 0 0 -12 0 0] MS
(normal response) SH
GR
GR
0 SG
NP
650 195 M
580 225 L
650 255 L
720 225 L
CP
GS
GR
GS
S
GR
NP
0 SG
GS
1 W
650 220 M
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(user/pass) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(user/pass) SH
GR
0 15 RM
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(known?) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(known?) SH
GR
GR
0 SG
GS
NP
650 150 M
45 0 atan DU cos 8.000 MU 650 exch SU
exch sin 8.000 MU 195 exch SU L
TGSM
1 W
S
GR
GS
TGSM
NP
650 195 8.000 3.000 0 45 TGAT
1 SG CP F
0 SG
NP
650 195 8.000 3.000 0 45 TGAT
CP F
GR
NP
0 SG
GS
1 W
655 165 M
GS
0 SG
/Times-BoldItalic FF [12 0 0 -12 0 0] MS
(401-INIT) SH
GR
0 15 RM
GS
0 SG
/Times-BoldItalic FF [12 0 0 -12 0 0] MS
(200-Optional-INIT) SH
GR
GR
0 SG
GS
NP
590 230 M
25 -55 atan DU cos 8.000 MU 535 exch SU
exch sin 8.000 MU 255 exch SU L
TGSM
1 W
S
GR
GS
TGSM
NP
535 255 8.000 3.000 -55 25 TGAT
1 SG CP F
0 SG
NP
535 255 8.000 3.000 -55 25 TGAT
CP F
GR
NP
0 SG
GS
1 W
475 260 M
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(AUTH_REQUESTED) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(AUTH_REQUESTED) DU TGSW EX SH
GS CURP M 0 2 RM NE 0 RL S GR
GR
GR
NP
0 SG
GS
1 W
570 230 M
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(NO) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(NO) SH
GR
GR
NP
0 SG
GS
1 W
330 120 M
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(NO) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(NO) SH
GR
GR
0 SG
NP
250 295 M
180 325 L
250 355 L
320 325 L
CP
GS
GR
GS
S
GR
NP
0 SG
GS
1 W
250 320 M
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(session) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(session) SH
GR
0 15 RM
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(available?) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(available?) SH
GR
GR
0 SG
GS
NP
250 155 M
140 0 atan DU cos 8.000 MU 250 exch SU
exch sin 8.000 MU 295 exch SU L
TGSM
1 W
S
GR
GS
TGSM
NP
250 295 8.000 3.000 0 140 TGAT
1 SG CP F
0 SG
NP
250 295 8.000 3.000 0 140 TGAT
CP F
GR
0 SG
GS
GS
NP
284 400 M
300 400 300 450 16 AR
300 434 L
300 450 200 450 16 AR
216 450 L
200 450 200 400 16 AR
200 416 L
200 400 300 400 16 AR
CP
S
GR
GR
NP
0 SG
GS
1 W
250 420 M
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(send) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(send) SH
GR
0 15 RM
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(req-VFY-C) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(req-VFY-C) SH
GR
GR
0 SG
GS
NP
250 355 M
45 0 atan DU cos 8.000 MU 250 exch SU
exch sin 8.000 MU 400 exch SU L
TGSM
1 W
S
GR
GS
TGSM
NP
250 400 8.000 3.000 0 45 TGAT
1 SG CP F
0 SG
NP
250 400 8.000 3.000 0 45 TGAT
CP F
GR
NP
0 SG
GS
1 W
190 715 M
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(UNAUTHENTICATED) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(UNAUTHENTICATED) DU TGSW EX SH
GS CURP M 0 2 RM NE 0 RL S GR
GR
GR
0 SG
GS
NP
200 430 M
180 480 L
215 0 atan DU cos 8.000 MU 180 exch SU
exch sin 8.000 MU 695 exch SU L
TGSM
1 W
S
GR
GS
TGSM
NP
180 695 8.000 3.000 0 215 TGAT
1 SG CP F
0 SG
NP
180 695 8.000 3.000 0 215 TGAT
CP F
GR
NP
0 SG
GS
1 W
225 640 M
GS
GS
0
/Times-BoldItalic FF [12 0 0 -12 0 0] MS
(normal resonse) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-BoldItalic FF [12 0 0 -12 0 0] MS
(normal resonse) SH
GR
GR
0 SG
GS
NP
300 425 M
0 90 atan DU cos 8.000 MU 390 exch SU
exch sin 8.000 MU 425 exch SU L
TGSM
1 W
S
GR
GS
TGSM
NP
390 425 8.000 3.000 90 0 TGAT
1 SG CP F
0 SG
NP
390 425 8.000 3.000 90 0 TGAT
CP F
GR
NP
0 SG
GS
1 W
345 420 M
GS
0 SG
/Times-BoldItalic FF [12 0 0 -12 0 0] MS
(401-INIT) SH
GR
GR
NP
0 SG
GS
1 W
450 430 M
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(AUTH_REQUESTED) TGSW
AD
/Times-Roman FF [12 0 0 -12 0 0] MS
(:) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(AUTH_REQUESTED) DU TGSW EX SH
GS CURP M 0 2 RM NE 0 RL S GR
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(:) SH
GR
0 15 RM
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(forget password) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(forget password) SH
GR
GR
0 SG
GS
NP
180 325 M
180 460 L
250 480 L
20 0 atan DU cos 8.000 MU 250 exch SU
exch sin 8.000 MU 500 exch SU L
TGSM
1 W
S
GR
GS
TGSM
NP
250 500 8.000 3.000 0 20 TGAT
1 SG CP F
0 SG
NP
250 500 8.000 3.000 0 20 TGAT
CP F
GR
0 SG
GS
GS
NP
284 500 M
300 500 300 550 16 AR
300 534 L
300 550 200 550 16 AR
216 550 L
200 550 200 500 16 AR
200 516 L
200 500 300 500 16 AR
CP
S
GR
GR
NP
0 SG
GS
1 W
250 520 M
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(send) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(send) SH
GR
0 15 RM
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(req-KEX-C1) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(req-KEX-C1) SH
GR
GR
NP
0 SG
GS
1 W
170 335 M
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(NO) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(NO) SH
GR
GR
0 SG
GS
NP
200 525 M
180 555 L
140 0 atan DU cos 8.000 MU 180 exch SU
exch sin 8.000 MU 695 exch SU L
TGSM
1 W
S
GR
GS
TGSM
NP
180 695 8.000 3.000 0 140 TGAT
1 SG CP F
0 SG
NP
180 695 8.000 3.000 0 140 TGAT
CP F
GR
0 SG
GS
NP
450 600 M
-150 0 atan DU cos 8.000 MU 450 exch SU
exch sin 8.000 MU 450 exch SU L
TGSM
1 W
S
GR
GS
TGSM
NP
450 450 8.000 3.000 0 -150 TGAT
1 SG CP F
0 SG
NP
450 450 8.000 3.000 0 -150 TGAT
CP F
GR
NP
0 SG
GS
1 W
455 580 M
GS
0 SG
/Times-BoldItalic FF [12 0 0 -12 0 0] MS
(401-INIT) SH
GR
GR
NP
0 SG
GS
1 W
450 720 M
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(AUTH_SUCCEED) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(AUTH_SUCCEED) DU TGSW EX SH
GS CURP M 0 2 RM NE 0 RL S GR
GR
GR
0 SG
GS
NP
250 550 M
80 150 atan DU cos 8.000 MU 400 exch SU
exch sin 8.000 MU 630 exch SU L
TGSM
1 W
S
GR
GS
TGSM
NP
400 630 8.000 3.000 150 80 TGAT
1 SG CP F
0 SG
NP
400 630 8.000 3.000 150 80 TGAT
CP F
GR
0 SG
GS
NP
295 445 M
250 105 atan DU cos 8.000 MU 400 exch SU
exch sin 8.000 MU 695 exch SU L
TGSM
1 W
S
GR
GS
TGSM
NP
400 695 8.000 3.000 105 250 TGAT
1 SG CP F
0 SG
NP
400 695 8.000 3.000 105 250 TGAT
CP F
GR
NP
0 SG
GS
1 W
340 547 M
GS
0 SG
/Times-BoldItalic FF [12 0 0 -12 0 0] MS
(200-VFY-S) SH
GR
GR
NP
0 SG
GS
1 W
280 580 M
GS
GS
0
/Times-BoldItalic FF [12 0 0 -12 0 0] MS
(401-KEX-S1) TGSW
AD
GR
NE 0 RM
0 SG
/Times-BoldItalic FF [12 0 0 -12 0 0] MS
(401-KEX-S1) SH
GR
GR
0 SG
GS
GS
NP
484 600 M
500 600 500 650 16 AR
500 634 L
500 650 400 650 16 AR
416 650 L
400 650 400 600 16 AR
400 616 L
400 600 500 600 16 AR
CP
S
GR
GR
NP
0 SG
GS
1 W
450 620 M
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(send) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(send) SH
GR
0 15 RM
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(req-A3) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(req-A3) SH
GR
GR
NP
0 SG
GS
1 W
455 662 M
GS
0 SG
/Times-BoldItalic FF [12 0 0 -12 0 0] MS
(200-VFY-S) SH
GR
GR
0 SG
GS
NP
450 650 M
45 0 atan DU cos 8.000 MU 450 exch SU
exch sin 8.000 MU 695 exch SU L
TGSM
1 W
S
GR
GS
TGSM
NP
450 695 8.000 3.000 0 45 TGAT
1 SG CP F
0 SG
NP
450 695 8.000 3.000 0 45 TGAT
CP F
GR
0 SG
NP
650 295 M
580 325 L
650 355 L
720 325 L
CP
GS
GR
GS
S
GR
NP
0 SG
GS
1 W
650 320 M
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(session) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(session) SH
GR
0 15 RM
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(available?) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(available?) SH
GR
GR
0 SG
GS
GS
NP
684 400 M
700 400 700 450 16 AR
700 434 L
700 450 600 450 16 AR
616 450 L
600 450 600 400 16 AR
600 416 L
600 400 700 400 16 AR
CP
S
GR
GR
NP
0 SG
GS
1 W
650 420 M
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(send) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(send) SH
GR
0 15 RM
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(req-VFY-C) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(req-VFY-C) SH
GR
GR
0 SG
GS
NP
650 355 M
45 0 atan DU cos 8.000 MU 650 exch SU
exch sin 8.000 MU 400 exch SU L
TGSM
1 W
S
GR
GS
TGSM
NP
650 400 8.000 3.000 0 45 TGAT
1 SG CP F
0 SG
NP
650 400 8.000 3.000 0 45 TGAT
CP F
GR
0 SG
GS
GS
NP
684 500 M
700 500 700 550 16 AR
700 534 L
700 550 600 550 16 AR
616 550 L
600 550 600 500 16 AR
600 516 L
600 500 700 500 16 AR
CP
S
GR
GR
NP
0 SG
GS
1 W
650 520 M
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(send) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(send) SH
GR
0 15 RM
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(req-KEX-C1) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(req-KEX-C1) SH
GR
GR
0 SG
GS
NP
650 255 M
40 0 atan DU cos 8.000 MU 650 exch SU
exch sin 8.000 MU 295 exch SU L
TGSM
1 W
S
GR
GS
TGSM
NP
650 295 8.000 3.000 0 40 TGAT
1 SG CP F
0 SG
NP
650 295 8.000 3.000 0 40 TGAT
CP F
GR
NP
0 SG
GS
1 W
520 420 M
GS
0 SG
/Times-BoldItalic FF [12 0 0 -12 0 0] MS
(401-INIT) SH
GR
GR
0 SG
GS
NP
600 425 M
0 -90 atan DU cos 8.000 MU 510 exch SU
exch sin 8.000 MU 425 exch SU L
TGSM
1 W
S
GR
GS
TGSM
NP
510 425 8.000 3.000 -90 0 TGAT
1 SG CP F
0 SG
NP
510 425 8.000 3.000 -90 0 TGAT
CP F
GR
0 SG
GS
NP
720 325 M
720 465 L
650 480 L
20 0 atan DU cos 8.000 MU 650 exch SU
exch sin 8.000 MU 500 exch SU L
TGSM
1 W
S
GR
GS
TGSM
NP
650 500 8.000 3.000 0 20 TGAT
1 SG CP F
0 SG
NP
650 500 8.000 3.000 0 20 TGAT
CP F
GR
NP
0 SG
GS
1 W
620 580 M
GS
0 SG
/Times-BoldItalic FF [12 0 0 -12 0 0] MS
(401-KEX-S1) SH
GR
GR
0 SG
GS
NP
650 550 M
75 -150 atan DU cos 8.000 MU 500 exch SU
exch sin 8.000 MU 625 exch SU L
TGSM
1 W
S
GR
GS
TGSM
NP
500 625 8.000 3.000 -150 75 TGAT
1 SG CP F
0 SG
NP
500 625 8.000 3.000 -150 75 TGAT
CP F
GR
0 SG
GS
NP
605 445 M
250 -105 atan DU cos 8.000 MU 500 exch SU
exch sin 8.000 MU 695 exch SU L
TGSM
1 W
S
GR
GS
TGSM
NP
500 695 8.000 3.000 -105 250 TGAT
1 SG CP F
0 SG
NP
500 695 8.000 3.000 -105 250 TGAT
CP F
GR
NP
0 SG
GS
1 W
560 547 M
GS
GS
0
/Times-BoldItalic FF [12 0 0 -12 0 0] MS
(200-VFY-S) TGSW
AD
GR
NE 0 RM
0 SG
/Times-BoldItalic FF [12 0 0 -12 0 0] MS
(200-VFY-S) SH
GR
GR
0 SG
GS
NP
300 440 M
65 305 atan DU cos 8.000 MU 605 exch SU
exch sin 8.000 MU 505 exch SU L
TGSM
1 W
S
GR
GS
TGSM
NP
605 505 8.000 3.000 305 65 TGAT
1 SG CP F
0 SG
NP
605 505 8.000 3.000 305 65 TGAT
CP F
GR
0 SG
GS
NP
625 450 M
50 0 atan DU cos 8.000 MU 625 exch SU
exch sin 8.000 MU 500 exch SU L
TGSM
1 W
S
GR
GS
TGSM
NP
625 500 8.000 3.000 0 50 TGAT
1 SG CP F
0 SG
NP
625 500 8.000 3.000 0 50 TGAT
CP F
GR
NP
0 SG
GS
1 W
350 475 M
GS
0 SG
/Times-BoldItalic FF [12 0 0 -12 0 0] MS
(401-STALE) SH
GR
GR
NP
0 SG
GS
1 W
630 465 M
GS
0 SG
/Times-BoldItalic FF [12 0 0 -12 0 0] MS
(401-STALE) SH
GR
GR
NP
0 SG
GS
1 W
730 320 M
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(NO) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(NO) SH
GR
GR
NP
0 SG
GS
1 W
665 265 M
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(YES) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(YES) SH
GR
GR
NP
0 SG
GS
1 W
235 165 M
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(YES) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(YES) SH
GR
GR
NP
0 SG
GS
1 W
265 365 M
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(YES) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(YES) SH
GR
GR
NP
0 SG
GS
1 W
635 365 M
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(YES) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(YES) SH
GR
GR
NP
0 SG
GS
1 W
775 45 M
GS
GS
0
/Times-Roman FF [12 0 0 -12 0 0] MS
(USER/PASS INPUTED) TGSW
AD
GR
2 DI NE 0 RM
0 SG
/Times-Roman FF [12 0 0 -12 0 0] MS
(USER/PASS INPUTED) DU TGSW EX SH
GS CURP M 0 2 RM NE 0 RL S GR
GR
GR
0 SG
GS
NP
780 50 M
780 470 L
35 -85 atan DU cos 8.000 MU 695 exch SU
exch sin 8.000 MU 505 exch SU L
TGSM
1 W
S
GR
GS
TGSM
NP
695 505 8.000 3.000 -85 35 TGAT
1 SG CP F
0 SG
NP
695 505 8.000 3.000 -85 35 TGAT
CP F
GR
0 SG
GS
NP
295 405 M
330 355 L
330 180 L
0 325 atan DU cos 8.000 MU 655 exch SU
exch sin 8.000 MU 180 exch SU L
TGSM
1 W
S
GR
GS
TGSM
NP
655 180 8.000 3.000 325 0 TGAT
1 SG CP F
0 SG
NP
655 180 8.000 3.000 325 0 TGAT
CP F
GR
NP
0 SG
GS
1 W
345 160 M
GS
0 SG
/Times-BoldItalic FF [12 0 0 -12 0 0] MS
(401-INIT, 200-Optional-INIT) SH
GR
0 15 RM
GS
0 SG
/Times-BoldItalic FF [12 0 0 -12 0 0] MS
( with different realm ) SH
GR
GR
0 SG
GS
NP
295 505 M
330 460 L
330 355 L
TGSM
1 W
S
GR
NP
0 SG
GS
1 W
195 105 M
GS
0 SG
/Helvetica FF [12 0 0 -12 0 0] MS
(\(1\)) SH
GR
GR
NP
0 SG
GS
1 W
200 325 M
GS
0 SG
/Helvetica FF [12 0 0 -12 0 0] MS
(\(2\)) SH
GR
GR
NP
0 SG
GS
1 W
210 415 M
GS
0 SG
/Helvetica FF [12 0 0 -12 0 0] MS
(\(3\)) SH
GR
GR
NP
0 SG
GS
1 W
210 515 M
GS
0 SG
/Helvetica FF [12 0 0 -12 0 0] MS
(\(4\)) SH
GR
GR
NP
0 SG
GS
1 W
610 115 M
GS
0 SG
/Helvetica FF [12 0 0 -12 0 0] MS
(\(5\)) SH
GR
GR
NP
0 SG
GS
1 W
605 330 M
GS
0 SG
/Helvetica FF [12 0 0 -12 0 0] MS
(\(7\)) SH
GR
GR
NP
0 SG
GS
1 W
610 415 M
GS
0 SG
/Helvetica FF [12 0 0 -12 0 0] MS
(\(8\)) SH
GR
GR
NP
0 SG
GS
1 W
610 515 M
GS
0 SG
/Helvetica FF [12 0 0 -12 0 0] MS
(\(9\)) SH
GR
GR
NP
0 SG
GS
1 W
600 230 M
GS
0 SG
/Helvetica FF [12 0 0 -12 0 0] MS
(\(6\)) SH
GR
GR
NP
0 SG
GS
1 W
390 75 M
GS
0 SG
/Helvetica FF [12 0 0 -12 0 0] MS
(\(11\)) SH
GR
GR
NP
0 SG
GS
1 W
130 695 M
GS
0 SG
/Helvetica FF [12 0 0 -12 0 0] MS
(\(11\)) SH
GR
GR
NP
0 SG
GS
1 W
415 240 M
GS
0 SG
/Helvetica FF [12 0 0 -12 0 0] MS
(\(12\)) SH
GR
GR
NP
0 SG
GS
1 W
395 410 M
GS
0 SG
/Helvetica FF [12 0 0 -12 0 0] MS
(\(13\)) SH
GR
GR
NP
0 SG
GS
1 W
410 615 M
GS
0 SG
/Helvetica FF [12 0 0 -12 0 0] MS
(\(10\)) SH
GR
GR
NP
0 SG
GS
1 W
410 700 M
GS
0 SG
/Helvetica FF [12 0 0 -12 0 0] MS
(\(14\)) SH
GR
GR
GR
tgifsavedpage restore
end
showpage
restore
grestore
400.0 0.0 RM
169 -489.5 M
%%IncludeResource: font Times-Bold
7.63889 2 Nf
(\240Figure\2405: State diagram for ) S
(clients\240) S
0 -503.4 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -514.4 M
[/View [/XYZ -4 242.551392 null] /Dest /73 /DEST pdfmark
0 -514.4 M
[/View [/XYZ -4 242.551392 null] /Dest /74 /DEST pdfmark
0 -533.4 M
15 2 Nf
(10.) S
[/View [/XYZ -4 241.551392 null] /Dest /190 /DEST pdfmark
( Decision Procedure for ) S
(Servers) S
0 -557.6 M
11 0 Nf
0.0256076381 0 32 0 0 (Each server SHOULD have a table of session states. This table need not be persistent over a long term;) A
0 -570.8 M
0.69255513 0 32 0 0 (it MAY be cleared upon server restart, reboot, or others. Each entry in the table SHOULD contain at) A
0 -584 M
(least the following information: ) S
11 -604.6 M
gsave
0 setgray
newpath
11.0 -604.618652 2.75 0 360 arc
closepath
fill
grestore
22 -608.2 M
(The session identifier, the value of the sid parameter. ) S
11 -618.8 M
gsave
0 setgray
newpath
11.0 -618.818665 2.75 0 360 arc
closepath
fill
grestore
22 -622.4 M
(The algorithm used. ) S
11 -633 M
gsave
0 setgray
newpath
11.0 -633.018677 2.75 0 360 arc
closepath
fill
grestore
22 -636.6 M
(The authentication realm. ) S
11 -647.2 M
gsave
0 setgray
newpath
11.0 -647.218689 2.75 0 360 arc
closepath
fill
grestore
22 -650.8 M
(The state of the protocol: one of "key exchanging", "authenticated", "rejected", or "inactive". ) S
11 -661.4 M
gsave
0 setgray
newpath
11.0 -661.418701 2.75 0 360 arc
closepath
fill
grestore
22 -665 M
(The user name received from the client ) S
22 -666 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 23 -) S
0 setgray
44 -8 M
grestore
pgsave restore N
%%Page: 24 24
%%PageResources: font Times-Roman Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
11 -9.6 M
gsave
0 setgray
newpath
11.0 -9.57000065 2.75 0 360 arc
closepath
fill
grestore
22 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(The boolean flag noting whether or not the session is fake. ) S
11 -23.8 M
gsave
0 setgray
newpath
11.0 -23.77 2.75 0 360 arc
closepath
fill
grestore
22 -27.4 M
11 0 Nf
(When the state is "key exchanging", the values of ) S
(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( and ) S
(S) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(. ) S
0.0 -2.2 RM
11 -40.2 M
gsave
0 setgray
newpath
11.0 -40.170002 2.75 0 360 arc
closepath
fill
grestore
22 -43.8 M
(When the state is "authenticated", the following information: ) S
33 -54.4 M
gsave
0 setgray
newpath
33.0 -54.3700027 2.75 0 360 arc
closepath
stroke
grestore
44 -58 M
(The value of the session secret z ) S
33 -68.6 M
gsave
0 setgray
newpath
33.0 -68.5700073 2.75 0 360 arc
closepath
stroke
grestore
44 -72.2 M
(The largest nc received from the client \(largest-nc\) ) S
33 -82.8 M
gsave
0 setgray
newpath
33.0 -82.7700043 2.75 0 360 arc
closepath
stroke
grestore
44 -86.4 M
3.39531255 0 32 0 0 (For each possible nc values between \(largest-nc\240-\240nc-window\240+\2401\) and max_nc, a flag) A
44 -99.6 M
(whether or not a request with the corresponding nc has been received. ) S
0 -123.8 M
(The table MAY contain other information. ) S
0 -148 M
(Servers SHOULD respond to the client requests according to the following procedure: ) S
11 -168.6 M
gsave
0 setgray
newpath
11.0 -168.57 2.75 0 360 arc
closepath
fill
grestore
22 -172.2 M
(When the server receives a normal request: ) S
33 -182.8 M
gsave
0 setgray
newpath
33.0 -182.77 2.75 0 360 arc
closepath
stroke
grestore
44 -186.4 M
2.40655041 0 32 0 0 (If the requested resource is not protected by the Mutual Authentication, send a normal) A
44 -199.6 M
(response. ) S
33 -210.2 M
gsave
0 setgray
newpath
33.0 -210.17 2.75 0 360 arc
closepath
stroke
grestore
44 -213.8 M
(If the resource is protected by the Mutual Authentication, send a 401-INIT response. ) S
33 -224.4 M
gsave
0 setgray
newpath
33.0 -224.37 2.75 0 360 arc
closepath
stroke
grestore
44 -228 M
0.0872395858 0 32 0 0 (If the resource is protected by the optional Mutual Authentication, send a 200-Optional-INIT ) A
44 -241.2 M
(response.) S
11 -251.8 M
gsave
0 setgray
newpath
11.0 -251.769989 2.75 0 360 arc
closepath
fill
grestore
22 -255.4 M
(When the server receives a req-KEX-C1 request: ) S
33 -266 M
gsave
0 setgray
newpath
33.0 -265.969971 2.75 0 360 arc
closepath
stroke
grestore
44 -269.6 M
2.40655041 0 32 0 0 (If the requested resource is not protected by the Mutual Authentication, send a normal) A
44 -282.8 M
(response. ) S
33 -293.4 M
gsave
0 setgray
newpath
33.0 -293.37 2.75 0 360 arc
closepath
stroke
grestore
44 -297 M
0.0323660709 0 32 0 0 (If the authentication realm specified in the req-KEX-C1 request is not the expected one, send) A
44 -310.2 M
(either a 401-INIT or a 200-Optional-INIT response. ) S
33 -320.8 M
gsave
0 setgray
newpath
33.0 -320.77002 2.75 0 360 arc
closepath
stroke
grestore
44 -324.4 M
(If the server cannot validate the parameter kc1, send a 401-INIT response. ) S
33 -335 M
gsave
0 setgray
newpath
33.0 -334.970032 2.75 0 360 arc
closepath
stroke
grestore
44 -338.6 M
0.818638384 0 32 0 0 (If the received user name is either invalid, unknown or unacceptable, create a new session,) A
44 -351.8 M
11 0 Nf
1.6470052 0 32 0 0 (mark it a "fake" session, compute a random value as ) A
1.6470052 0 32 0 0 (K) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
1.6470052 0 32 0 0 (s1) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
1.6470052 0 32 0 0 (, and send a fake 401-KEX-S1) A
0.0 -2.2 RM
44 -367.2 M
0.152043268 0 32 0 0 (response. \(Note: the server SHOULD\240NOT send a 401-INIT response in this case, because it) A
44 -380.4 M
1.08854163 0 32 0 0 (will leak the information to the client that the specified user will not be accepted. Instead,) A
44 -393.6 M
(postpone it to the response for the next req-VFY-C request.\) ) S
33 -404.2 M
gsave
0 setgray
newpath
33.0 -404.170074 2.75 0 360 arc
closepath
stroke
grestore
44 -407.8 M
11 0 Nf
(Otherwise, create a new session, compute ) S
(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( and send a 401-KEX-S1 ) S
(response.) S
0.0 -2.2 RM
22 -423.2 M
(The created session has the "key exchanging" state. ) S
11 -433.8 M
gsave
0 setgray
newpath
11.0 -433.770111 2.75 0 360 arc
closepath
fill
grestore
22 -437.4 M
(When the server receives a req-VFY-C request: ) S
33 -448 M
gsave
0 setgray
newpath
33.0 -447.970123 2.75 0 360 arc
closepath
stroke
grestore
44 -451.6 M
2.40655041 0 32 0 0 (If the requested resource is not protected by the Mutual Authentication, send a normal) A
44 -464.8 M
(response. ) S
33 -475.4 M
gsave
0 setgray
newpath
33.0 -475.370148 2.75 0 360 arc
closepath
stroke
grestore
44 -479 M
0.468471 0 32 0 0 (If the authentication realm specified in the req-VFY-C request is not the expected one, send) A
44 -492.2 M
(either a 401-INIT or a 200-Optional-INIT ) S
(response.) S
22 -505.4 M
0.752197266 0 32 0 0 (If none of above holds true, the server will lookup the session corresponding to the received sid) A
22 -518.6 M
(and the authentication realm. ) S
33 -529.2 M
gsave
0 setgray
newpath
33.0 -529.170166 2.75 0 360 arc
closepath
stroke
grestore
44 -532.8 M
0.59260112 0 32 0 0 (If the session corresponding to the received sid could not be found, or it is in the "inactive") A
44 -546 M
(state, send a 401-STALE response. ) S
33 -556.6 M
gsave
0 setgray
newpath
33.0 -556.57019 2.75 0 360 arc
closepath
stroke
grestore
44 -560.2 M
(If the session is in the "rejected" state, send either a 401-INIT or a 401-STALE message. ) S
33 -570.8 M
gsave
0 setgray
newpath
33.0 -570.770203 2.75 0 360 arc
closepath
stroke
grestore
44 -574.4 M
2.48291016 0 32 0 0 (If the session is in the "authenticated" state, and the request has an nc value that was) A
44 -587.6 M
0.671549499 0 32 0 0 (previously received from the client, send a 401-STALE message. The session SHOULD be) A
44 -600.8 M
(changed to the "inactive" status. ) S
33 -611.4 M
gsave
0 setgray
newpath
33.0 -611.370239 2.75 0 360 arc
closepath
stroke
grestore
44 -615 M
0.138157889 0 32 0 0 (If the nc value in the request is larger than the nc-max parameter sent from the server, or if it) A
44 -628.2 M
0.262319714 0 32 0 0 (is not larger then \(largest-nc - nc-window\) \(when in "authenticated" status\), the server MAY) A
44 -641.4 M
0.4765625 0 32 0 0 (\(but not REQUIRED to\) send a 401-STALE message. The session SHOULD be changed to) A
44 -654.6 M
(the "inactive" status if so. ) S
33 -665.2 M
gsave
0 setgray
newpath
33.0 -665.170288 2.75 0 360 arc
closepath
stroke
grestore
44 -668.8 M
1.08065259 0 32 0 0 (If the session is a "fake" session, or if the received vkc is incorrect, then send a 401-INIT) A
44 -668.8 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 24 -) S
0 setgray
88 -8 M
grestore
pgsave restore N
%%Page: 25 25
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
44 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.83203125 0 32 0 0 (response. If the session is in the "key exchanging" state, it SHOULD be changed to the) A
44 -13.2 M
0.933749676 0.933749676 scale
0.0 -13.2 RM
11 0 Nf
("rejected" state; otherwise, it MAY either be changed to the "rejected" status or kept in the previous) S
1.07095087 1.07095087 scale
44 -38.7 M
(state. ) S
33 -49.3 M
gsave
0 setgray
newpath
33.0 -49.2954979 2.75 0 360 arc
closepath
stroke
grestore
44 -52.9 M
0.131138399 0 32 0 0 (Otherwise, send a 200-VFY-S response. If the session was in the "key exchanging" state, the) A
44 -52.9 M
0.93326813 0.93326813 scale
0.0 -13.2 RM
(session SHOULD be changed to an "authenticated" state. The maximum nc and nc flags of the state) S
1.0715034 1.0715034 scale
44 -78.4 M
(SHOULD be updated properly. ) S
0 -102.6 M
1.42135417 0 32 0 0 (At any time, the server MAY change any state entries with both the "rejected" and "authenticated") A
0 -115.8 M
1.48177087 0 32 0 0 (statuses to the "inactive" status, and MAY discard any "inactive" states from the table. The entries) A
0 -129 M
0.936035156 0 32 0 0 (with the "key exchanging" status SHOULD be kept unless there is an emergency situation such as a) A
0 -142.2 M
(server reboot or a table capacity overflow. ) S
0 -153.2 M
[/View [/XYZ -4 603.755371 null] /Dest /75 /DEST pdfmark
0 -153.2 M
[/View [/XYZ -4 603.755371 null] /Dest /76 /DEST pdfmark
0 -172.2 M
%%IncludeResource: font Times-Bold
15 2 Nf
(11.) S
[/View [/XYZ -4 602.755371 null] /Dest /191 /DEST pdfmark
( Authentication ) S
(Algorithms) S
0 -196.4 M
11 0 Nf
0.647786438 0 32 0 0 (Cryptographic authentication algorithms which are used with this protocol will be defined separately.) A
0 -209.6 M
(The algorithm definition MUST at least provide a definitions for the following ) S
(functions:) S
11 -230.2 M
gsave
0 setgray
newpath
11.0 -230.21463 2.75 0 360 arc
closepath
fill
grestore
22 -233.8 M
(The server-side authentication credential J, derived from user-side authentication credential pi. ) S
11 -244.4 M
gsave
0 setgray
newpath
11.0 -244.414627 2.75 0 360 arc
closepath
fill
grestore
22 -248 M
11 0 Nf
(Key exchange values ) S
(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(, ) S
(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( \(exchanged on wire\) and ) S
(S) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(, ) S
(S) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( \(kept secret in each peer\). ) S
0.0 -2.2 RM
11 -260.8 M
gsave
0 setgray
newpath
11.0 -260.814606 2.75 0 360 arc
closepath
fill
grestore
22 -264.4 M
(Shared secret z, to be computed in both server-side and client side. ) S
11 -275 M
gsave
0 setgray
newpath
11.0 -275.014618 2.75 0 360 arc
closepath
fill
grestore
22 -278.6 M
(A hash function H to be used with the ) S
(protocol.) S
0 -302.8 M
0.977539062 0 32 0 0 (All algorithm used with this protocol SHOULD provide secure mutual authentication between client) A
0 -316 M
1.234375 0 32 0 0 (and servers, and generate a cryptographically strong shared secret value z, equivalently strong to or) A
0 -329.2 M
1.65937495 0 32 0 0 (stronger than the hash function H. If any passwords \(or pass-phrases or any equivalents, i.e. weak) A
0 -342.4 M
1.37439907 0 32 0 0 (secrets\) are involved, these SHOULD\240NOT be guessable from any data transmitted in the protocol,) A
0 -355.6 M
7.18088961 0 32 0 0 (even if an attacker \(either an eavesdropper or an active server\) knows the possible) A
0 -368.8 M
2.95703125 0 32 0 0 (thoroughly-searchable candidate list of the passwords. Furthermore, if possible, the function for) A
0 -382 M
0.690805316 0 32 0 0 (deriving server-side authentication credential J is RECOMMENDED to be one-way so that pi should) A
0 -395.2 M
(not be easily computed from ) S
(J\(pi\).) S
0 -406.2 M
[/View [/XYZ -4 350.75528 null] /Dest /77 /DEST pdfmark
0 -406.2 M
[/View [/XYZ -4 350.75528 null] /Dest /78 /DEST pdfmark
0 -421.8 M
13 2 Nf
(11.1.) S
[/View [/XYZ -4 350.75528 null] /Dest /192 /DEST pdfmark
( Support Functions and ) S
(Notations) S
0 -446 M
11 0 Nf
1.49557292 0 32 0 0 (In this section we define several support functions and notations to be shared by several algorithm ) A
0 -459.2 M
(definitions:) S
0 -483.4 M
(The integers in the specification are in decimal, or in hexadecimal when prefixed with ) S
("0x".) S
0 -507.6 M
1.30009186 0 32 0 0 (The function octet\(c\) generates a single octet string whose code value is equal to c. The operator |,) A
0 -520.8 M
(when applied to octet strings, denotes the concatenation of two ) S
(operands.) S
0 -545 M
1.88616073 0 32 0 0 (The function VI encodes natural numbers into octet strings in the following manner: numbers are) A
0 -558.2 M
0.163783476 0 32 0 0 (represented in big-endian radix-128 string, where each digit is represented by a octet within 0x80\2350xff) A
0 -571.4 M
0.217285156 0 32 0 0 (except the last digit represented by a octet within 0x00\2350x7f. The first octet MUST\240NOT be 0x80. For) A
0 -584.6 M
0.31266275 0 32 0 0 (example, VI\(i\) = octet\(i\) for i < 128, and VI\(i\) = octet\(0x80 + \(i >> 7\)\) | octet\(i & 127\) for 128 <= i <) A
0 -597.8 M
1.04848349 0 32 0 0 (16384. This encoding is the same as the one used for the subcomponents of object identifiers in ) A
gsave
newpath
440.5 -598.9 M
13.4375 0 RL
stroke
grestore
1.04848349 0 32 0 0 (the) A
[/Rect [439.535156 -600.594849 454.972656 -588.494873] /Subtype /Link /Border [0 0 0] /Dest /117 /ANN pdfmark
0 -611 M
gsave
newpath
0 -612.1 M
33.7176323 0 RL
stroke
grestore
0.721540153 0 32 0 0 (ASN.1 ) A
gsave
newpath
33.7 -612.1 M
40.3203125 0 RL
stroke
grestore
0.721540153 0 32 0 0 (encoding) A
[/Rect [-1.0 -613.794861 75.0351562 -601.694885] /Subtype /Link /Border [0 0 0] /Dest /117 /ANN pdfmark
0.721540153 0 32 0 0 ( [ITU.X690.1994], and available as a "w" conversion in the pack function of several) A
0 -624.2 M
(scripting languages. ) S
0 -635.2 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 25 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 26 26
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.15820312 0 32 0 0 (The function VS encodes a variable-length octet string into a uniquely-decoded, self-delimited octet) A
0 -26.4 M
(string, as in the following manner: ) S
0 -50.6 M
(VS\(s\) = VI\(length\(s\)\) | s ) S
0 -74.8 M
(where length\(s\) is a number of octets \(not characters\) in s. ) S
0 -99 M
(Some ) S
(examples:) S
11 -123.2 M
(VI\(0\) = "\\000" \(in C string ) S
(notation\)) S
11 -147.4 M
(VI\(100\) = ) S
("d") S
11 -171.6 M
(VI\(10000\) = ) S
("\\316\\020") S
11 -195.8 M
(VI\(1000000\) = ) S
("\\275\\204@") S
11 -220 M
(VS\(""\) = ) S
("\\000") S
11 -244.2 M
(VS\("Tea"\) = ) S
("\\003Tea") S
11 -268.4 M
(VS\("Caf<e acute>" [in UTF-8]\) = ) S
("\\005Caf\\303\\251") S
11 -292.6 M
(VS\([10000 "a"s]\) = "\\316\\020aaaaa..." \(10002 ) S
(octets\)) S
0 -316.8 M
2.7606535 0 32 0 0 ([Editorial note: Unlike the colon-separated notion used in the Basic/Digest HTTP authentication) A
0 -330 M
0.752790153 0 32 0 0 (scheme, the string generated by a concatenation of the VS-encoded strings will be unique, regardless) A
0 -343.2 M
(of the characters included in the strings to be encoded.] ) S
0 -367.4 M
1.48697913 0 32 0 0 (The function OCTETS converts an integer into the corresponding radix-256 big-endian octet string) A
0 -380.6 M
(having its natural length: See ) S
gsave
newpath
131 -381.7 M
57.7382812 0 RL
stroke
grestore
(Section\2403.1.3) S
[/Rect [130.035156 -383.350067 189.773438 -371.250061] /Subtype /Link /Border [0 0 0] /Dest /45 /ANN pdfmark
( for the definition of "natural length". ) S
0 -391.6 M
[/View [/XYZ -4 365.399933 null] /Dest /79 /DEST pdfmark
0 -391.6 M
[/View [/XYZ -4 365.399933 null] /Dest /80 /DEST pdfmark
0 -407.2 M
%%IncludeResource: font Times-Bold
13 2 Nf
(11.2.) S
[/View [/XYZ -4 365.399933 null] /Dest /193 /DEST pdfmark
( Default Functions for ) S
(Algorithms) S
0 -431.4 M
11 0 Nf
(The functions defined in this section are common default functions among authentication algorithms. ) S
0 -455.6 M
2.85216355 0 32 0 0 (The client-side password-based string pi used by this authentication is derived in the following) A
0 -468.8 M
(manner: ) S
0 -493 M
(pi = H\(VS\(algorithm\) | VS\(auth-domain\) | VS\(realm\) | VS\(username\) | VS\(ph\(password\)\)\). ) S
0 -517.2 M
0.438281238 0 32 0 0 (The values of algorithm, realm, and auth-domain are taken from the values contained in the 401-INIT) A
0 -530.4 M
0.143798828 0 32 0 0 (\(or 200-Optional-INIT, hereafter implied\) message. When pi is used in the context of an octet string, it) A
0 -543.6 M
1.02604163 0 32 0 0 (SHALL have the natural length derived from the size of the output of function H \(e.g. 32 octets for) A
0 -556.8 M
0.142578125 0 32 0 0 (SHA-256\). The function ph is determined by the value of the pwd-hash parameter given in a 401-INIT) A
0 -570 M
1.65885413 0 32 0 0 (message. If the password comes from a user input, it SHOULD first be prepared using ) A
gsave
newpath
407.5 -571.1 M
46.4296875 0 RL
stroke
grestore
1.65885413 0 32 0 0 (SASLprep) A
[/Rect [406.53125 -572.750183 454.960938 -560.650208] /Subtype /Link /Border [0 0 0] /Dest /110 /ANN pdfmark
0 -583.2 M
([RFC4013]. Then, the password SHALL be encoded as a UTF-8 string before passed to ph. ) S
0 -607.4 M
11 0 Nf
(The values ) S
(VK) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( and ) S
(VK) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( are derived by the following equation. ) S
0.0 -2.2 RM
0 -633.8 M
11 0 Nf
(VK) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( = H\(octet\(4\) | ) S
(OCTETS\(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(\) | ) S
(OCTETS\(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(\) | OCTETS\(z\) | VI\(nc\) | VS\(v\)\) ) S
0.0 -2.2 RM
0 -649.2 M
11 0 Nf
(VK) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( = H\(octet\(3\) | ) S
(OCTETS\(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(\) | ) S
(OCTETS\(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(\) | OCTETS\(z\) | VI\(nc\) | VS\(v\)\) ) S
0.0 -2.2 RM
0 -651.4 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 26 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 27 27
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.495768219 0 32 0 0 (Specifications for cryptographic algorithms used with this framework MAY override the functions pi, ) A
0 -26.4 M
11 0 Nf
0.711718738 0 32 0 0 (VK) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
0.711718738 0 32 0 0 (c) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
0.711718738 0 32 0 0 (, and ) A
0.711718738 0 32 0 0 (VK) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
0.711718738 0 32 0 0 (s) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
0.711718738 0 32 0 0 ( defined above. In such cases implementations MUST use the ones defined with such) A
0.0 -2.2 RM
0 -41.8 M
(algorithm specifications. ) S
0 -52.8 M
[/View [/XYZ -4 704.2 null] /Dest /81 /DEST pdfmark
0 -52.8 M
[/View [/XYZ -4 704.2 null] /Dest /82 /DEST pdfmark
0 -71.8 M
%%IncludeResource: font Times-Bold
15 2 Nf
(12.) S
[/View [/XYZ -4 703.2 null] /Dest /194 /DEST pdfmark
( Application Channel ) S
(Binding) S
0 -96 M
11 0 Nf
3.67695308 0 32 0 0 (Applications and upper-layer communication protocols may need authentication binding to the) A
0 -109.2 M
0.434495181 0 32 0 0 (HTTP-layer authenticated user. Such applications MAY use the following values as a standard shared) A
0 -122.4 M
(secret. ) S
0 -146.6 M
1.21328127 0 32 0 0 (These values are parameterized with an optional octet string \(t\) which may be arbitrarily chosen by) A
0 -159.8 M
(each applications or protocols. If there is no appropriate value to be specified, use a null string for t. ) S
0 -184 M
1.23270094 0 32 0 0 (For applications requiring binding to either an authenticated user or a shared-key session \(to ensure) A
0 -197.2 M
11 0 Nf
(that the requesting client is certainly authenticated\), the following value ) S
(b) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( MAY be used. ) S
0.0 -2.2 RM
0 -223.6 M
11 0 Nf
3.07830262 0 32 0 0 (b) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
3.07830262 0 32 0 0 (1) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
3.07830262 0 32 0 0 ( = OCTETS\(H\(OCTETS\(H\(octet\(6\) | ) A
3.07830262 0 32 0 0 (OCTETS\(K) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
3.07830262 0 32 0 0 (c1) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
3.07830262 0 32 0 0 (\) | ) A
3.07830262 0 32 0 0 (OCTETS\(K) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
3.07830262 0 32 0 0 (s1) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
3.07830262 0 32 0 0 (\) | OCTETS\(z\) | VI\(0\) |) A
0.0 -2.2 RM
0 -239 M
(VS\(v\)\)\) | VS\(t\)\)\). ) S
0 -263.2 M
0.0864257812 0 32 0 0 (For applications requiring binding to a specific request \(to ensure that the payload data is generated for) A
0 -276.4 M
11 0 Nf
(the exact HTTP request\), the following value ) S
(b) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(2) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( MAY be used. ) S
0.0 -2.2 RM
0 -302.8 M
11 0 Nf
2.63441062 0 32 0 0 (b) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
2.63441062 0 32 0 0 (2) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
2.63441062 0 32 0 0 ( = OCTETS\(H\(OCTETS\(H\(octet\(7\) | ) A
2.63441062 0 32 0 0 (OCTETS\(K) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
2.63441062 0 32 0 0 (c1) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
2.63441062 0 32 0 0 (\) | ) A
2.63441062 0 32 0 0 (OCTETS\(K) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
2.63441062 0 32 0 0 (s1) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
2.63441062 0 32 0 0 (\) | OCTETS\(z\) | VI\(nc\) |) A
0.0 -2.2 RM
0 -318.2 M
(VS\(v\)\)\) | VS\(t\)\)\). ) S
0 -342.4 M
(Note: Channel bindings to lower-layer transports \(TCP and TLS\) are defined in ) S
gsave
newpath
352.5 -343.5 M
41.2382812 0 RL
stroke
grestore
(Section\2407) S
[/Rect [351.460938 -345.15 394.699219 -333.05] /Subtype /Link /Border [0 0 0] /Dest /66 /ANN pdfmark
(. ) S
0 -353.4 M
[/View [/XYZ -4 403.6 null] /Dest /83 /DEST pdfmark
0 -353.4 M
[/View [/XYZ -4 403.6 null] /Dest /84 /DEST pdfmark
0 -372.4 M
15 2 Nf
(13.) S
[/View [/XYZ -4 402.6 null] /Dest /195 /DEST pdfmark
( Application for Proxy ) S
(Authentication) S
0 -396.6 M
11 0 Nf
4.30979586 0 32 0 0 (The authentication scheme defined by the previous sections can be applied m.m. for proxy) A
0 -409.8 M
(authentications. In such cases, the following alterations MUST be ) S
(applied:) S
11 -430.4 M
gsave
0 setgray
newpath
11.0 -430.370026 2.75 0 360 arc
closepath
fill
grestore
22 -434 M
(The 407 status is to be sent and recognized for places where the 401 status is used, ) S
11 -444.6 M
gsave
0 setgray
newpath
11.0 -444.570038 2.75 0 360 arc
closepath
fill
grestore
22 -448.2 M
(Proxy-Authenticate: header is to be used for places where WWW-Authenticate: is used, ) S
11 -458.8 M
gsave
0 setgray
newpath
11.0 -458.77005 2.75 0 360 arc
closepath
fill
grestore
22 -462.4 M
(Proxy-Authorization: header is to be used for places where Authorization: is used, ) S
11 -473 M
gsave
0 setgray
newpath
11.0 -472.970062 2.75 0 360 arc
closepath
fill
grestore
22 -476.6 M
(Proxy-Authentication-Info: header is to be used for places where Authentication-Info: is used, ) S
11 -487.2 M
gsave
0 setgray
newpath
11.0 -487.170074 2.75 0 360 arc
closepath
fill
grestore
22 -490.8 M
1.76041663 0 32 0 0 (The auth-domain parameter is fixed to the host-name of the proxy, which means to cover all) A
22 -504 M
(requests processed through the specific proxy, ) S
11 -514.6 M
gsave
0 setgray
newpath
11.0 -514.570068 2.75 0 360 arc
closepath
fill
grestore
22 -518.2 M
3.32301688 0 32 0 0 (The limitation for the paths contained in the path parameter of 401-KEX-S1 messages is) A
22 -531.4 M
(disregarded, ) S
11 -542 M
gsave
0 setgray
newpath
11.0 -541.970093 2.75 0 360 arc
closepath
fill
grestore
22 -545.6 M
2.30175781 0 32 0 0 (The omission of the path parameter of 401-KEX-S1 messages means that the authentication) A
22 -558.8 M
(realm will potentially cover all requests processed by the proxy, ) S
11 -569.4 M
gsave
0 setgray
newpath
11.0 -569.370117 2.75 0 360 arc
closepath
fill
grestore
22 -573 M
(The scheme, host name and the port of the proxy is used for validation tokens, and ) S
11 -583.6 M
gsave
0 setgray
newpath
11.0 -583.570129 2.75 0 360 arc
closepath
fill
grestore
22 -587.2 M
(Authentication extension in ) S
gsave
newpath
146.3 -588.3 M
135.890625 0 RL
stroke
grestore
([I-D.oiwa-http-auth-extension]) S
[/Rect [145.320312 -589.950134 283.210938 -577.850159] /Subtype /Link /Border [0 0 0] /Dest /106 /ANN pdfmark
( is not ) S
(applicable.) S
0 -611.4 M
1.53723955 0 32 0 0 (The requirements for client software to display the authentication status to the end-user is also not) A
0 -624.6 M
3.60123706 0 32 0 0 (applicable for proxy authentication. If the client software supports both end-to-end and proxy) A
0 -637.8 M
1.20870531 0 32 0 0 (authentication using this protocol, it SHOULD be careful that the authentication status of the proxy) A
0 -651 M
0.08203125 0 32 0 0 (communication will never be confused by users with authentication statuses of the end-to-end resource) A
0 -664.2 M
(authentications. ) S
0 -664.2 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 27 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 28 28
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /85 /DEST pdfmark
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /86 /DEST pdfmark
0 -18 M
%%IncludeResource: font Times-Bold
15 2 Nf
(14.) S
[/View [/XYZ -4 757.0 null] /Dest /196 /DEST pdfmark
( Methods to Extend This ) S
(Protocol) S
0 -42.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.2294271 0 32 0 0 (If a private extension to this protocol is implemented, it MUST use the extension-tokens defined in ) A
0 -55.4 M
gsave
newpath
0 -56.5 M
41.2382812 0 RL
stroke
grestore
7.59126425 0 32 0 0 (Section\2403) A
[/Rect [-1.0 -58.15 42.2382812 -46.0500031] /Subtype /Link /Border [0 0 0] /Dest /36 /ANN pdfmark
7.59126425 0 32 0 0 ( to avoid conflicts with this protocol and other extensions. \(standardized or) A
0 -68.6 M
(being-standardizing extensions MAY use either bare-tokens or extension-tokens.\) ) S
0 -92.8 M
1.421875 0 32 0 0 (Specifications defining authentication algorithms MAY use other representations for the parameters) A
0 -106 M
0.350446433 0 32 0 0 ("kc1", "ks1", "vkc", and "vks", replace those parameter names, and/or add parameters to the messages) A
0 -119.2 M
2.85507822 0 32 0 0 (containing those parameters in supplemental specifications, provided that syntactic and semantic) A
0 -132.4 M
0.987723231 0 32 0 0 (requirements in ) A
gsave
newpath
73.4 -133.5 M
41.2382812 0 RL
stroke
grestore
0.987723231 0 32 0 0 (Section\2403) A
[/Rect [72.4335938 -135.15 115.671875 -123.049995] /Subtype /Link /Border [0 0 0] /Dest /36 /ANN pdfmark
0.987723231 0 32 0 0 (, ) A
gsave
newpath
121.2 -133.5 M
138.335938 0 RL
stroke
grestore
0.987723231 0 32 0 0 ([I-D.ietf-httpbis-p1-messaging]) A
[/Rect [120.15625 -135.15 260.492188 -123.049995] /Subtype /Link /Border [0 0 0] /Dest /104 /ANN pdfmark
0.987723231 0 32 0 0 ( and ) A
gsave
newpath
282.8 -133.5 M
110.84375 0 RL
stroke
grestore
0.987723231 0 32 0 0 ([I-D.ietf-httpbis-p7-auth]) A
[/Rect [281.84375 -135.15 394.6875 -123.049995] /Subtype /Link /Border [0 0 0] /Dest /105 /ANN pdfmark
0.987723231 0 32 0 0 ( are satisfied.) A
0 -145.6 M
1.76646209 0 32 0 0 (Any parameters starting with "kc", "ks", "vkc" or "vks" and followed by decimal natural numbers) A
0 -158.8 M
1.09010422 0 32 0 0 (\(e.g.\240kc2, ks0, vkc1, vks3 etc.\) are reserved for this purpose. If those specifications use names other) A
0 -172 M
0.806490362 0 32 0 0 (than those mentioned above, it is RECOMMENDED to use extension-tokens to avoid any parameter) A
0 -185.2 M
(name conflict with the future extension of this protocol. ) S
0 -209.4 M
1.94759119 0 32 0 0 (Extension-tokens MAY be freely used for any non-standard, private, and/or experimental uses for) A
0 -222.6 M
(those parameters provided that the domain part in the token is appropriately used. ) S
0 -233.6 M
[/View [/XYZ -4 523.4 null] /Dest /87 /DEST pdfmark
0 -233.6 M
[/View [/XYZ -4 523.4 null] /Dest /88 /DEST pdfmark
0 -252.6 M
15 2 Nf
(15.) S
[/View [/XYZ -4 522.4 null] /Dest /197 /DEST pdfmark
( IANA ) S
(Considerations) S
0 -276.8 M
11 0 Nf
2.39960933 0 32 0 0 (When bare-tokens are used for the authentication-algorithm, pwd-hash, and validation parameters) A
0 -290 M
0.544433594 0 32 0 0 (MUST be allocated by IANA. To acquire registered tokens, a specification for the use of such tokens) A
0 -303.2 M
(MUST be available as an RFC, as outlined in ) S
gsave
newpath
202.2 -304.3 M
50.1054688 0 RL
stroke
grestore
([RFC5226]) S
[/Rect [201.21875 -305.95 253.324219 -293.85] /Subtype /Link /Border [0 0 0] /Dest /120 /ANN pdfmark
(. ) S
0 -327.4 M
(Note: More formal declarations will be added in the future drafts to meet the RFC 5226 requirements. ) S
0 -338.4 M
[/View [/XYZ -4 418.599976 null] /Dest /89 /DEST pdfmark
0 -338.4 M
[/View [/XYZ -4 418.599976 null] /Dest /90 /DEST pdfmark
0 -357.4 M
15 2 Nf
(16.) S
[/View [/XYZ -4 417.599976 null] /Dest /198 /DEST pdfmark
( Security ) S
(Considerations) S
0 -364.9 M
[/View [/XYZ -4 392.099976 null] /Dest /91 /DEST pdfmark
0 -364.9 M
[/View [/XYZ -4 392.099976 null] /Dest /92 /DEST pdfmark
0 -383.4 M
13 2 Nf
(16.1.) S
[/View [/XYZ -4 389.199982 null] /Dest /199 /DEST pdfmark
( Security ) S
(Properties) S
11 -404 M
gsave
0 setgray
newpath
11.0 -403.970032 2.75 0 360 arc
closepath
fill
grestore
22 -407.6 M
11 0 Nf
1.03027344 0 32 0 0 (The protocol is secure against passive eavesdropping and replay attacks. However, the protocol) A
22 -420.8 M
1.61490881 0 32 0 0 (relies on transport security including DNS integrity for data secrecy and integrity. HTTP/TLS) A
22 -434 M
(SHOULD be used where transport security is not assured and/or data secrecy is important. ) S
11 -444.6 M
gsave
0 setgray
newpath
11.0 -444.570068 2.75 0 360 arc
closepath
fill
grestore
22 -448.2 M
0.318509609 0 32 0 0 (When used with HTTP/TLS, if TLS server certificates are reliably verified, the protocol provides) A
22 -461.4 M
(true protection against active man-in-the-middle attacks. ) S
11 -472 M
gsave
0 setgray
newpath
11.0 -471.970093 2.75 0 360 arc
closepath
fill
grestore
22 -475.6 M
0.580729187 0 32 0 0 (Even if the server certificate is not used or is unreliable, the protocol provides protection against) A
22 -488.8 M
1.015625 0 32 0 0 (active man-in-the-middle attacks for each HTTP request/response pair. However, in such cases,) A
22 -502 M
0.421223968 0 32 0 0 (JavaScript or similar scripting facilities can be used to affect the Mutually-authenticated contents) A
22 -515.2 M
0.858538 0 32 0 0 (from other contents not protected by this authentication mechanism. This is the reason why this) A
22 -528.4 M
(protocol requires that valid TLS server certificates MUST be presented ) S
(\() S
gsave
newpath
341.4 -529.5 M
41.2382812 0 RL
stroke
grestore
(Section\2407) S
[/Rect [340.433594 -531.150146 383.671875 -519.050171] /Subtype /Link /Border [0 0 0] /Dest /66 /ANN pdfmark
(\). ) S
0 -539.4 M
[/View [/XYZ -4 217.599854 null] /Dest /93 /DEST pdfmark
0 -539.4 M
[/View [/XYZ -4 217.599854 null] /Dest /94 /DEST pdfmark
0 -555 M
13 2 Nf
(16.2.) S
[/View [/XYZ -4 217.599854 null] /Dest /200 /DEST pdfmark
( Denial-of-service Attacks to ) S
(Servers) S
0 -579.2 M
11 0 Nf
0.717529297 0 32 0 0 (The protocol requires a server-side table of active sessions, which may become a critical point of the) A
0 -592.4 M
3.09014416 0 32 0 0 (server resource consumptions. For proper operation, the protocol requires that at least one key) A
0 -605.6 M
0.789963961 0 32 0 0 (verification request is processed for each session identifier. After that, servers MAY discard sessions) A
0 -618.8 M
2.75721145 0 32 0 0 (internally at any time, without causing any operational problems to clients. Clients will silently) A
0 -632 M
(reestablishes a new session then. ) S
0 -632 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 28 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 29 29
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.60997593 0 32 0 0 (However, if a malicious client sends too many requests of key exchanges \(req-KEX-C1 messages\)) A
0 -26.4 M
1.55943084 0 32 0 0 (only, resource starvation might occur. In such critical situations, servers MAY discard any kind of) A
0 -39.6 M
0.661979139 0 32 0 0 (existing sessions regardless of these statuses. One way to mitigate such attacks are that servers MAY) A
0 -52.8 M
0.862304688 0 32 0 0 (have a number and a time limits for unverified pending key exchange requests \(in the "wa received") A
0 -66 M
(status\). ) S
0 -90.2 M
0.291927069 0 32 0 0 (This is a common weakness of authentication protocols with almost any kind of negotiations or states,) A
0 -103.4 M
3.79199219 0 32 0 0 (including Digest authentication method and most Cookie-based authentication implementations.) A
0 -116.6 M
1.49038458 0 32 0 0 (However, regarding the resource consumption, a situation of the mutual authentication method is a) A
0 -129.8 M
0.117745534 0 32 0 0 (slightly better than the Digest, because HTTP requests without any kind of authentication requests will) A
0 -143 M
1.74780273 0 32 0 0 (not generate any kind of sessions. Session identifiers are only generated after a client starts a key) A
0 -156.2 M
3.7232573 0 32 0 0 (negotiation. It means that simple clients such as web crawlers will not accidentally consume) A
0 -169.4 M
(server-side resources for session managements. ) S
0 -180.4 M
[/View [/XYZ -4 576.600037 null] /Dest /95 /DEST pdfmark
0 -180.4 M
[/View [/XYZ -4 576.600037 null] /Dest /96 /DEST pdfmark
0 -196 M
%%IncludeResource: font Times-Bold
13 2 Nf
(16.3.) S
[/View [/XYZ -4 576.600037 null] /Dest /201 /DEST pdfmark
( Implementation ) S
(Considerations) S
11 -216.6 M
gsave
0 setgray
newpath
11.0 -216.569992 2.75 0 360 arc
closepath
fill
grestore
22 -220.2 M
11 0 Nf
0.289772719 0 32 0 0 (To securely implement the protocol, the Authentication-Info headers in the 200-VFY-S messages) A
22 -233.4 M
1.20898438 0 32 0 0 (MUST always be validated by the client. If the validation fails, the client MUST\240NOT process) A
22 -246.6 M
0.270089298 0 32 0 0 (any content sent with the message, including other headers and the body part. Non-compliance to) A
22 -259.8 M
(this requirement will allow phishing attacks. ) S
11 -270.4 M
gsave
0 setgray
newpath
11.0 -270.37 2.75 0 360 arc
closepath
fill
grestore
22 -274 M
1.88151038 0 32 0 0 (The authentication status on the client-side SHOULD be visible to the users of the client. In) A
22 -287.2 M
2.87650251 0 32 0 0 (addition, the method for asking for the user's name and passwords SHOULD be carefully) A
22 -300.4 M
1.18638396 0 32 0 0 (designed so that \(1\) the user can easily distinguish the request from this authentication method) A
22 -313.6 M
2.34263396 0 32 0 0 (from any other authentication methods such as Basic and Digest methods, and \(2\) the Web) A
22 -326.8 M
(contents cannot imitate the user-interfaces for this protocol. ) S
22 -340 M
4.52587891 0 32 0 0 (An informational memo regarding user-interface considerations and recommendations for) A
22 -353.2 M
(implementing this protocol will be separately published. ) S
11 -363.8 M
gsave
0 setgray
newpath
11.0 -363.770081 2.75 0 360 arc
closepath
fill
grestore
22 -367.4 M
2.05703115 0 32 0 0 (For HTTP/TLS communications, when a web form is submitted from Mutually-authenticated) A
22 -380.6 M
1.92944336 0 32 0 0 (pages with the "tls-cert" validation method to a URI that is protected by the same realm \(so) A
22 -393.8 M
0.746875 0 32 0 0 (indicated by the path parameter\), if the server certificate has been changed since the pages were) A
22 -407 M
0.762319684 0 32 0 0 (received, the peer is RECOMMENDED to be revalidated using a req-KEX-C1 message with an) A
22 -420.2 M
1.40384614 0 32 0 0 ("Expect: 100-continue" header. The same applies when the page is received with the "tls-key") A
22 -433.4 M
(validation method, and when the TLS session has expired. ) S
11 -444 M
gsave
0 setgray
newpath
11.0 -443.970154 2.75 0 360 arc
closepath
fill
grestore
22 -447.6 M
1.16346157 0 32 0 0 (Server-side storages of user passwords are advised to contain the values encrypted by one-way) A
22 -460.8 M
(function J\(pi\), instead of the real passwords, those hashed by ph, or pi. ) S
0 -471.8 M
[/View [/XYZ -4 285.199829 null] /Dest /97 /DEST pdfmark
0 -471.8 M
[/View [/XYZ -4 285.199829 null] /Dest /98 /DEST pdfmark
0 -487.4 M
13 2 Nf
(16.4.) S
[/View [/XYZ -4 285.199829 null] /Dest /202 /DEST pdfmark
( Usage ) S
(Considerations) S
11 -508 M
gsave
0 setgray
newpath
11.0 -507.970184 2.75 0 360 arc
closepath
fill
grestore
22 -511.6 M
11 0 Nf
1.49583328 0 32 0 0 (The user-names inputted by a user may be sent automatically to any servers sharing the same) A
22 -524.8 M
2.68131518 0 32 0 0 (auth-domain. This means that when host-type auth-domain is used for authentication on an) A
22 -538 M
0.989118278 0 32 0 0 (HTTPS site, and when an HTTP server on the same host requests Mutual authentication within) A
22 -551.2 M
0.790364563 0 32 0 0 (the same realm, the client will send the user-name in a clear text. If user-names have to be kept) A
22 -564.4 M
3.37890625 0 32 0 0 (secret against eavesdropping, the server must use full-scheme-type auth-domain parameter.) A
22 -577.6 M
(Contrarily, passwords are not exposed to eavesdroppers even on HTTP requests. ) S
11 -588.2 M
gsave
0 setgray
newpath
11.0 -588.170227 2.75 0 360 arc
closepath
fill
grestore
22 -591.8 M
1.196733 0 32 0 0 (The "pwd-hash" parameter is only provided for backward compatibility of password databases.) A
22 -605 M
0.916666687 0 32 0 0 (The use of "none" function is the most secure choice and is RECOMMENDED. If values other) A
22 -618.2 M
0.534667969 0 32 0 0 (than "none" are used, you MUST ensure that the hash values of the passwords were not exposed) A
22 -631.4 M
0.855769217 0 32 0 0 (to the public. Note that hashed password databases for plain-text authentications are usually not) A
22 -644.6 M
(considered secret. ) S
11 -655.2 M
gsave
0 setgray
newpath
11.0 -655.170288 2.75 0 360 arc
closepath
fill
grestore
22 -658.8 M
1.68179083 0 32 0 0 (If the server provides several ways for storing server-side password secrets into the password) A
22 -658.8 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 29 -) S
0 setgray
44 -8 M
grestore
pgsave restore N
%%Page: 30 30
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
22 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.76171875 0 32 0 0 (database, it is advised to store the values encrypted by using the one-way function J\(pi\), instead) A
22 -26.4 M
11 0 Nf
(of the real passwords, those hashed by ph, or pi. ) S
0 -37.4 M
[/View [/XYZ -4 719.6 null] /Dest /99 /DEST pdfmark
0 -37.4 M
[/View [/XYZ -4 719.6 null] /Dest /100 /DEST pdfmark
0 -56.4 M
%%IncludeResource: font Times-Bold
15 2 Nf
(17.) S
[/View [/XYZ -4 718.6 null] /Dest /203 /DEST pdfmark
( Notice on Intellectual ) S
(Properties) S
0 -80.6 M
11 0 Nf
0.270432681 0 32 0 0 (The National Institute of Advanced Industrial Science and Technology \(AIST\) and Yahoo! Japan, Inc.) A
0 -93.8 M
0.311197907 0 32 0 0 (has jointly submitted a patent application on the protocol proposed in this documentation to the Patent) A
0 -107 M
0.125868052 0 32 0 0 (Office of Japan. The patent is intended to be open to any implementors of this protocol and its variants) A
0 -120.2 M
0.2734375 0 32 0 0 (under non-exclusive royalty-free manner. For the details of the patent application and its status, please) A
0 -133.4 M
(contact the author of this document. ) S
0 -157.6 M
1.08359373 0 32 0 0 (The elliptic-curve based authentication algorithms might involve several existing third-party patents.) A
0 -170.8 M
0.114889704 0 32 0 0 (The authors of the document take no position regarding the validity or scope of such patents, and other) A
0 -184 M
(patents as well. ) S
0 -195 M
[/View [/XYZ -4 562.0 null] /Dest /101 /DEST pdfmark
0 -195 M
[/View [/XYZ -4 562.0 null] /Dest /102 /DEST pdfmark
0 -214 M
15 2 Nf
(18.) S
[/View [/XYZ -4 561.0 null] /Dest /204 /DEST pdfmark
( ) S
(References) S
0 -221.5 M
[/View [/XYZ -4 535.5 null] /Dest /103 /DEST pdfmark
0 -240 M
13 2 Nf
(18.1.) S
[/View [/XYZ -4 532.600037 null] /Dest /205 /DEST pdfmark
( Normative ) S
(References) S
8 -267.3 M
11 0 Nf
([I-D.ietf-httpbis-p1-messaging]) S
[/View [/XYZ -4 842 null] /Dest /104 /DEST pdfmark
165.7 -267.3 M
(Fielding, R., Lafon, Y., and J. Reschke, ) S
(\233) S
gsave
newpath
347.5 -268.4 M
78.1992188 0 RL
stroke
grestore
(HTTP/1.1, part 1:) S
[/Rect [346.483337 -270.05 426.682556 -257.949982] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-httpbis-p1-messaging-19.txt)] Cd /ANN pdfmark
165.7 -280.5 M
gsave
newpath
165.7 -281.6 M
149.066406 0 RL
stroke
grestore
(URIs, Connections, and Message ) S
gsave
newpath
314.8 -281.6 M
32.9882812 0 RL
stroke
grestore
(Parsing) S
[/Rect [164.729446 -283.25 348.784119 -271.15] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-httpbis-p1-messaging-19.txt)] Cd /ANN pdfmark
(,\234) S
165.7 -293.7 M
(draft-ietf-httpbis-p1-messaging-19 \(work in progress\),) S
165.7 -306.9 M
(March\2402012 ) S
(\() S
gsave
newpath
225.6 -308 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [224.592728 -309.650024 247.971634 -297.550018] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-httpbis-p1-messaging-19.txt)] Cd /ANN pdfmark
(\).) S
8 -328.6 M
([I-D.ietf-httpbis-p7-auth]) S
[/View [/XYZ -4 842 null] /Dest /105 /DEST pdfmark
165.7 -328.6 M
(Fielding, R., Lafon, Y., and J. Reschke, ) S
(\233) S
gsave
newpath
347.5 -329.8 M
80.9492188 0 RL
stroke
grestore
(HTTP/1.1, part 7: ) S
[/Rect [346.483337 -331.4 429.432556 -319.3] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-httpbis-p7-auth-19.txt)] Cd /ANN pdfmark
165.7 -341.9 M
gsave
newpath
165.7 -342.9 M
65.3632812 0 RL
stroke
grestore
(Authentication) S
[/Rect [164.729446 -344.6 232.092728 -332.5] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-httpbis-p7-auth-19.txt)] Cd /ANN pdfmark
(,\234 draft-ietf-httpbis-p7-auth-19 \(work in) S
165.7 -355.1 M
(progress\), March\2402012 ) S
(\() S
gsave
newpath
272 -356.2 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [271.010681 -357.800018 294.389587 -345.7] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-httpbis-p7-auth-19.txt)] Cd /ANN pdfmark
(\).) S
8 -376.8 M
([I-D.oiwa-http-auth-extension]) S
[/View [/XYZ -4 842 null] /Dest /106 /DEST pdfmark
165.7 -376.8 M
(Oiwa, Y., Watanabe, H., Takagi, H., Kihara, B., Hayashi, T.,) S
165.7 -390 M
(and Y. Ioku, ) S
(\233) S
gsave
newpath
228.3 -391.1 M
214.707031 0 RL
stroke
grestore
(HTTP Authentication Extensions for Interactive ) S
[/Rect [227.346634 -392.75 444.05365 -380.65] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-oiwa-http-auth-extension-01.txt)] Cd /ANN pdfmark
165.7 -403.2 M
gsave
newpath
165.7 -404.3 M
31.1601562 0 RL
stroke
grestore
(Clients) S
[/Rect [164.729446 -405.95 197.889603 -393.85] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-oiwa-http-auth-extension-01.txt)] Cd /ANN pdfmark
(,\234 draft-oiwa-http-auth-extension-01 \(work in) S
165.7 -416.4 M
(progress\), ) S
(May\2402012.) S
8 -427.1 M
0.989574254 0.989574254 scale
-0.0 -11.0 RM
([I-D.oiwa-http-mutualauth-algo]) S
[/View [/XYZ -4 842 null] /Dest /107 /DEST pdfmark
1.0105356 1.0105356 scale
165.7 -438.1 M
(Oiwa, Y., Watanabe, H., Takagi, H., Kihara, B., Hayashi, T.,) S
165.7 -451.4 M
(and Y. Ioku, ) S
(\233) S
gsave
newpath
228.3 -452.4 M
188.765625 0 RL
stroke
grestore
(Mutual Authentication Protocol for HTTP:) S
[/Rect [227.346634 -454.1 418.112244 -442.0] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-oiwa-http-mutualauth-algo-02.txt)] Cd /ANN pdfmark
165.7 -464.6 M
gsave
newpath
165.7 -465.7 M
128.894531 0 RL
stroke
grestore
(KAM3-based Cryptographic ) S
gsave
newpath
294.6 -465.7 M
50.0976562 0 RL
stroke
grestore
(Algorithms) S
[/Rect [164.729446 -467.300018 345.721619 -455.2] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-oiwa-http-mutualauth-algo-02.txt)] Cd /ANN pdfmark
(,\234) S
165.7 -477.8 M
(draft-oiwa-http-mutualauth-algo-02 \(work in progress\), ) S
165.7 -491 M
(May\2402012.) S
8 -512.7 M
([RFC2119]) S
[/View [/XYZ -4 842 null] /Dest /108 /DEST pdfmark
165.7 -512.7 M
gsave
newpath
165.7 -513.8 M
40.921875 0 RL
stroke
grestore
(Bradner, ) S
gsave
newpath
206.7 -513.8 M
8.86328125 0 RL
stroke
grestore
(S.) S
(, ) S
(\233) S
gsave
newpath
225.9 -513.8 M
169.523438 0 RL
stroke
grestore
(Key words for use in RFCs to Indicate) S
[/Rect [224.897415 -515.45 396.420837 -503.35] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2119)] Cd /ANN pdfmark
165.7 -525.9 M
gsave
newpath
165.7 -527 M
59.5585938 0 RL
stroke
grestore
(Requirement ) S
gsave
newpath
225.3 -527 M
29.3164062 0 RL
stroke
grestore
(Levels) S
[/Rect [164.729446 -528.65 255.604446 -516.550049] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2119)] Cd /ANN pdfmark
(,\234 BCP\24014, RFC\2402119, March\2401997 ) S
(\() S
gsave
newpath
415.9 -527 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [414.920837 -528.65 438.299744 -516.550049] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc2119.txt)] Cd /ANN pdfmark
(, ) S
165.7 -539.1 M
gsave
newpath
165.7 -540.2 M
31.15625 0 RL
stroke
grestore
(HTML) S
[/Rect [164.729446 -541.850037 197.885696 -529.750061] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://xml.resource.org/public/rfc/html/rfc2119.html)] Cd /ANN pdfmark
(, ) S
gsave
newpath
202.4 -540.2 M
24.4375 0 RL
stroke
grestore
(XML) S
[/Rect [201.385696 -541.850037 227.823196 -529.750061] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://xml.resource.org/public/rfc/xml/rfc2119.xml)] Cd /ANN pdfmark
(\).) S
8 -560.9 M
([RFC3629]) S
[/View [/XYZ -4 842 null] /Dest /109 /DEST pdfmark
165.7 -560.9 M
(Yergeau, F., ) S
(\233) S
gsave
newpath
227.7 -561.9 M
174.996094 0 RL
stroke
grestore
(UTF-8, a transformation format of ISO ) S
gsave
newpath
402.7 -561.9 M
27.5 0 RL
stroke
grestore
(10646) S
[/Rect [226.72554 -563.6 431.221619 -551.5] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc3629)] Cd /ANN pdfmark
(,\234) S
165.7 -574.1 M
(STD\24063, RFC\2403629, November\2402003 ) S
(\() S
gsave
newpath
334.4 -575.1 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [333.370056 -576.8 356.748962 -564.7] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc3629.txt)] Cd /ANN pdfmark
(\).) S
8 -595.8 M
([RFC4013]) S
[/View [/XYZ -4 842 null] /Dest /110 /DEST pdfmark
165.7 -595.8 M
(Zeilenga, K., ) S
(\233) S
gsave
newpath
230.8 -596.9 M
203.707031 0 RL
stroke
grestore
(SASLprep: Stringprep Profile for User Names) S
[/Rect [229.780228 -598.550049 435.487244 -586.450073] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc4013)] Cd /ANN pdfmark
165.7 -609 M
gsave
newpath
165.7 -610.1 M
18.6328125 0 RL
stroke
grestore
(and ) S
gsave
newpath
184.4 -610.1 M
46.4296875 0 RL
stroke
grestore
(Passwords) S
[/Rect [164.729446 -611.750061 231.791946 -599.650085] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc4013)] Cd /ANN pdfmark
(,\234 RFC\2404013, February\2402005 ) S
(\() S
gsave
newpath
363.1 -610.1 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [362.069275 -611.750061 385.448181 -599.650085] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc4013.txt)] Cd /ANN pdfmark
(\).) S
8 -630.8 M
([RFC4648]) S
[/View [/XYZ -4 842 null] /Dest /111 /DEST pdfmark
165.7 -630.8 M
(Josefsson, S., ) S
(\233) S
gsave
newpath
232.6 -631.9 M
172.882812 0 RL
stroke
grestore
(The Base16, Base32, and Base64 Data ) S
[/Rect [231.627884 -633.5 406.510681 -621.4] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc4648)] Cd /ANN pdfmark
165.7 -644 M
gsave
newpath
165.7 -645 M
46.4335938 0 RL
stroke
grestore
(Encodings) S
[/Rect [164.729446 -646.7 213.16304 -634.600037] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc4648)] Cd /ANN pdfmark
(,\234 RFC\2404648, October\2402006 ) S
(\() S
gsave
newpath
340.2 -645 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [339.163025 -646.7 362.541931 -634.600037] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc4648.txt)] Cd /ANN pdfmark
(\).) S
165.7 -644 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 30 -) S
0 setgray
331.5 -8 M
grestore
pgsave restore N
%%Page: 31 31
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
8 -13 M
%%IncludeResource: font Times-Roman
11 0 Nf
([RFC5234]) S
[/View [/XYZ -4 842 null] /Dest /112 /DEST pdfmark
165.7 -13 M
(Crocker, D. and P. Overell, ) S
(\233) S
gsave
newpath
293.7 -14.1 M
124.328125 0 RL
stroke
grestore
(Augmented BNF for Syntax) S
[/Rect [292.698181 -15.75 419.026306 -3.64999962] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5234)] Cd /ANN pdfmark
165.7 -26.2 M
gsave
newpath
165.7 -27.3 M
68.1054688 0 RL
stroke
grestore
(Specifications: ) S
gsave
newpath
233.8 -27.3 M
29.3320312 0 RL
stroke
grestore
(ABNF) S
[/Rect [164.729446 -28.95 264.166931 -16.85] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5234)] Cd /ANN pdfmark
(,\234 STD\24068, RFC\2405234, January\2402008 ) S
165.7 -39.4 M
(\() S
gsave
newpath
169.4 -40.5 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [168.389603 -42.15 191.768509 -30.0500011] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc5234.txt)] Cd /ANN pdfmark
(\).) S
8 -61.1 M
([RFC5246]) S
[/View [/XYZ -4 842 null] /Dest /113 /DEST pdfmark
165.7 -61.1 M
(Dierks, T. and E. Rescorla, ) S
(\233) S
gsave
newpath
292.5 -62.2 M
130.398438 0 RL
stroke
grestore
(The Transport Layer Security) S
[/Rect [291.475525 -63.9 423.873962 -51.8000031] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5246)] Cd /ANN pdfmark
165.7 -74.4 M
gsave
newpath
165.7 -75.5 M
107.203125 0 RL
stroke
grestore
(\(TLS\) Protocol Version ) S
gsave
newpath
272.9 -75.5 M
13.75 0 RL
stroke
grestore
(1.2) S
[/Rect [164.729446 -77.1000061 287.682556 -65.0000076] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5246)] Cd /ANN pdfmark
(,\234 RFC\2405246, August\2402008 ) S
(\() S
gsave
newpath
411 -75.5 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [410.034119 -77.1000061 433.413025 -65.0000076] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc5246.txt)] Cd /ANN pdfmark
(\).) S
0 -94.1 M
[/View [/XYZ -4 662.9 null] /Dest /114 /DEST pdfmark
0 -109.7 M
%%IncludeResource: font Times-Bold
13 2 Nf
(18.2.) S
[/View [/XYZ -4 662.9 null] /Dest /206 /DEST pdfmark
( Informative ) S
(References) S
8 -126 M
0.989499211 0.989499211 scale
-0.0 -11.0 RM
11 0 Nf
([I-D.ietf-precis-framework]) S
[/View [/XYZ -4 842 null] /Dest /115 /DEST pdfmark
1.01061225 1.01061225 scale
144.5 -137 M
(Saint-Andre, P. and M. Blanchet, ) S
(\233) S
gsave
newpath
298.8 -138.1 M
93.7773438 0 RL
stroke
grestore
(PRECIS Framework:) S
[/Rect [297.775635 -139.75 393.552979 -127.65] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-precis-framework-03.txt)] Cd /ANN pdfmark
144.5 -150.2 M
gsave
newpath
144.5 -151.3 M
260.222656 0 RL
stroke
grestore
(Preparation and Comparison of Internationalized Strings in) S
[/Rect [143.525635 -152.95 405.748291 -140.849991] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-precis-framework-03.txt)] Cd /ANN pdfmark
144.5 -163.4 M
gsave
newpath
144.5 -164.5 M
54.6757812 0 RL
stroke
grestore
(Application ) S
gsave
newpath
199.2 -164.5 M
41.5429688 0 RL
stroke
grestore
(Protocols) S
[/Rect [143.525635 -166.15 241.744385 -154.049988] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-precis-framework-03.txt)] Cd /ANN pdfmark
(,\234 draft-ietf-precis-framework-03 \(work in) S
144.5 -176.6 M
(progress\), May\2402012 ) S
(\() S
gsave
newpath
242.3 -177.7 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [241.263916 -179.349991 264.642822 -167.249985] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-precis-framework-03.txt)] Cd /ANN pdfmark
(\).) S
8 -198.3 M
([ISO.10646-1.1993]) S
[/View [/XYZ -4 842 null] /Dest /116 /DEST pdfmark
144.5 -198.3 M
(International Organization for Standardization, \233Information) S
144.5 -211.6 M
(Technology - Universal Multiple-octet coded Character Set \(UCS\)) S
144.5 -224.8 M
(- Part 1: Architecture and Basic Multilingual Plane,\234 ISO\240Standard) S
144.5 -238 M
(10646-1, ) S
(May\2401993.) S
8 -259.7 M
([ITU.X690.1994]) S
[/View [/XYZ -4 842 null] /Dest /117 /DEST pdfmark
144.5 -259.7 M
(International Telecommunications Union, \233Information) S
144.5 -272.9 M
(Technology - ASN.1 encoding rules: Specification of Basic) S
144.5 -286.1 M
(Encoding Rules \(BER\), Canonical Encoding Rules \(CER\) and) S
144.5 -299.3 M
(Distinguished Encoding Rules \(DER\),\234 ITU-T\240Recommendation) S
144.5 -312.5 M
(X.690, ) S
(1994.) S
8 -334.2 M
([RFC2617]) S
[/View [/XYZ -4 842 null] /Dest /118 /DEST pdfmark
144.5 -334.2 M
gsave
newpath
144.5 -335.4 M
35.4335938 0 RL
stroke
grestore
(Franks, ) S
gsave
newpath
180 -335.4 M
7.02734375 0 RL
stroke
grestore
(J.) S
(, ) S
gsave
newpath
192.5 -335.4 M
67.7929688 0 RL
stroke
grestore
(Hallam-Baker, ) S
gsave
newpath
260.3 -335.4 M
8.86328125 0 RL
stroke
grestore
(P.) S
(, ) S
gsave
newpath
274.6 -335.4 M
45.8085938 0 RL
stroke
grestore
(Hostetler, ) S
gsave
newpath
320.5 -335.4 M
7.02734375 0 RL
stroke
grestore
(J.) S
(, ) S
gsave
newpath
333 -335.4 M
48.8515625 0 RL
stroke
grestore
(Lawrence, ) S
gsave
newpath
381.8 -335.4 M
8.86328125 0 RL
stroke
grestore
(S.) S
(, ) S
gsave
newpath
396.2 -335.4 M
32.3671875 0 RL
stroke
grestore
(Leach, ) S
gsave
newpath
428.6 -335.4 M
8.86328125 0 RL
stroke
grestore
(P.) S
(,) S
144.5 -347.5 M
(Luotonen, A., and ) S
gsave
newpath
227 -348.6 M
12.21875 0 RL
stroke
grestore
(L. ) S
gsave
newpath
239.2 -348.6 M
33.5898438 0 RL
stroke
grestore
(Stewart) S
(, ) S
(\233) S
gsave
newpath
283.2 -348.6 M
144.476562 0 RL
stroke
grestore
(HTTP Authentication: Basic and) S
[/Rect [282.19751 -350.2 428.674072 -338.1] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2617)] Cd /ANN pdfmark
144.5 -360.7 M
gsave
newpath
144.5 -361.8 M
65.3554688 0 RL
stroke
grestore
(Digest Access ) S
gsave
newpath
209.9 -361.8 M
65.3632812 0 RL
stroke
grestore
(Authentication) S
[/Rect [143.525635 -363.400024 276.244385 -351.300018] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2617)] Cd /ANN pdfmark
(,\234 RFC\2402617, June\2401999 ) S
(\() S
gsave
newpath
388 -361.8 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [386.982666 -363.400024 410.361572 -351.300018] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc2617.txt)] Cd /ANN pdfmark
(, ) S
144.5 -373.9 M
gsave
newpath
144.5 -375 M
31.15625 0 RL
stroke
grestore
(HTML) S
[/Rect [143.525635 -376.600037 176.681885 -364.500031] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://xml.resource.org/public/rfc/html/rfc2617.html)] Cd /ANN pdfmark
(, ) S
gsave
newpath
181.2 -375 M
24.4375 0 RL
stroke
grestore
(XML) S
[/Rect [180.181885 -376.600037 206.619385 -364.500031] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://xml.resource.org/public/rfc/xml/rfc2617.xml)] Cd /ANN pdfmark
(\).) S
8 -395.6 M
([RFC2818]) S
[/View [/XYZ -4 842 null] /Dest /119 /DEST pdfmark
144.5 -395.6 M
(Rescorla, E., ) S
(\233) S
gsave
newpath
208.4 -396.7 M
54.9765625 0 RL
stroke
grestore
(HTTP Over ) S
gsave
newpath
263.3 -396.7 M
19.5507812 0 RL
stroke
grestore
(TLS) S
[/Rect [207.35376 -398.35 283.881104 -386.25] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2818)] Cd /ANN pdfmark
(,\234 RFC\2402818, May\2402000 ) S
(\() S
gsave
newpath
395.6 -396.7 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [394.619385 -398.35 417.998291 -386.25] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc2818.txt)] Cd /ANN pdfmark
(\).) S
8 -417.4 M
([RFC5226]) S
[/View [/XYZ -4 842 null] /Dest /120 /DEST pdfmark
144.5 -417.4 M
(Narten, T. and H. Alvestrand, ) S
(\233) S
gsave
newpath
282.9 -418.4 M
143.542969 0 RL
stroke
grestore
(Guidelines for Writing an IANA) S
[/Rect [281.877197 -420.1 427.420166 -408.0] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5226)] Cd /ANN pdfmark
144.5 -430.6 M
gsave
newpath
144.5 -431.7 M
115.773438 0 RL
stroke
grestore
(Considerations Section in ) S
gsave
newpath
260.3 -431.7 M
25.0625 0 RL
stroke
grestore
(RFCs) S
[/Rect [143.525635 -433.300018 286.361572 -421.2] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5226)] Cd /ANN pdfmark
(,\234 BCP\24026, RFC\2405226, May\2402008 ) S
144.5 -443.8 M
(\() S
gsave
newpath
148.2 -444.9 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [147.185791 -446.500031 170.564697 -434.400024] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc5226.txt)] Cd /ANN pdfmark
(\).) S
8 -465.5 M
([RFC5280]) S
[/View [/XYZ -4 842 null] /Dest /121 /DEST pdfmark
144.5 -465.5 M
(Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and) S
144.5 -478.7 M
(W. Polk, ) S
(\233) S
gsave
newpath
191 -479.8 M
246.441406 0 RL
stroke
grestore
(Internet X.509 Public Key Infrastructure Certificate and) S
[/Rect [189.959229 -481.45 438.400635 -469.35] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5280)] Cd /ANN pdfmark
144.5 -491.9 M
gsave
newpath
144.5 -493 M
153.316406 0 RL
stroke
grestore
(Certificate Revocation List \(CRL\) ) S
gsave
newpath
297.8 -493 M
29.9257812 0 RL
stroke
grestore
(Profile) S
[/Rect [143.525635 -494.650024 328.767822 -482.550018] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5280)] Cd /ANN pdfmark
(,\234 RFC\2405280, May\2402008 ) S
144.5 -505.1 M
(\() S
gsave
newpath
148.2 -506.2 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [147.185791 -507.850037 170.564697 -495.750031] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc5280.txt)] Cd /ANN pdfmark
(\).) S
8 -526.9 M
([RFC5890]) S
[/View [/XYZ -4 842 null] /Dest /122 /DEST pdfmark
144.5 -526.9 M
(Klensin, J., ) S
(\233) S
gsave
newpath
201.6 -527.9 M
220.503906 0 RL
stroke
grestore
(Internationalized Domain Names for Applications) S
[/Rect [200.646729 -529.6 423.150635 -517.5] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5890)] Cd /ANN pdfmark
144.5 -540.1 M
gsave
newpath
144.5 -541.1 M
160.039062 0 RL
stroke
grestore
(\(IDNA\): Definitions and Document ) S
gsave
newpath
304.6 -541.1 M
50.6953125 0 RL
stroke
grestore
(Framework) S
[/Rect [143.525635 -542.8 356.26 -530.7] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5890)] Cd /ANN pdfmark
(,\234 RFC\2405890,) S
144.5 -553.3 M
(August\2402010 ) S
(\() S
gsave
newpath
207.5 -554.4 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [206.459229 -556.0 229.838135 -543.9] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc5890.txt)] Cd /ANN pdfmark
(\).) S
8 -575 M
([RFC5929]) S
[/View [/XYZ -4 842 null] /Dest /123 /DEST pdfmark
144.5 -575 M
(Altman, J., Williams, N., and L. Zhu, ) S
(\233) S
gsave
newpath
316.5 -576.1 M
97.4492188 0 RL
stroke
grestore
(Channel Bindings for ) S
gsave
newpath
414 -576.1 M
19.5507812 0 RL
stroke
grestore
(TLS) S
[/Rect [315.502197 -577.75 434.502197 -565.65] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5929)] Cd /ANN pdfmark
(,\234) S
144.5 -588.2 M
(RFC\2405929, July\2402010 ) S
(\() S
gsave
newpath
245.1 -589.3 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [244.052979 -590.95 267.431885 -578.850037] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc5929.txt)] Cd /ANN pdfmark
(\).) S
8 -610 M
([RFC6265]) S
[/View [/XYZ -4 842 null] /Dest /124 /DEST pdfmark
144.5 -610 M
(Barth, A., ) S
(\233) S
gsave
newpath
195.5 -611 M
115.148438 0 RL
stroke
grestore
(HTTP State Management ) S
gsave
newpath
310.7 -611 M
51.3125 0 RL
stroke
grestore
(Mechanism) S
[/Rect [194.533447 -612.7 362.994385 -600.600037] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc6265)] Cd /ANN pdfmark
(,\234 RFC\2406265,) S
144.5 -623.2 M
(April\2402011 ) S
(\() S
gsave
newpath
198.9 -624.2 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [197.896729 -625.9 221.275635 -613.800049] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc6265.txt)] Cd /ANN pdfmark
(\).) S
0 -631.9 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 31 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 32 32
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /125 /DEST pdfmark
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /126 /DEST pdfmark
0 -18 M
%%IncludeResource: font Times-Bold
15 2 Nf
(Appendix) S
[/View [/XYZ -4 757.0 null] /Dest /207 /DEST pdfmark
( A. \(Informative\) Draft Remarks from ) S
(Authors) S
0 -42.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(The following items are currently under consideration for future revisions by the authors. ) S
11 -62.8 M
gsave
0 setgray
newpath
11.0 -62.77 2.75 0 360 arc
closepath
fill
grestore
22 -66.4 M
(Whether to keep TLS-key validation or not. ) S
11 -77 M
gsave
0 setgray
newpath
11.0 -76.97 2.75 0 360 arc
closepath
fill
grestore
22 -80.6 M
0.371419281 0 32 0 0 (When keeping tls-key validation, whether to use ) A
gsave
newpath
240.2 -81.7 M
64.4811172 0 RL
stroke
grestore
0.371419281 0 32 0 0 ("TLS channel ) A
gsave
newpath
304.7 -81.7 M
38.09375 0 RL
stroke
grestore
0.371419281 0 32 0 0 (binding") A
[/Rect [239.234375 -83.3500061 343.808594 -71.2500076] /Subtype /Link /Border [0 0 0] /Dest /123 /ANN pdfmark
0.371419281 0 32 0 0 ( [RFC5929] for "tls-key") A
22 -93.8 M
4.10390615 0 32 0 0 (verification ) A
4.10390615 0 32 0 0 (\() A
gsave
newpath
83.2 -94.9 M
41.2382812 0 RL
stroke
grestore
4.10390615 0 32 0 0 (Section\2407) A
[/Rect [82.1992188 -96.55 125.4375 -84.4500046] /Subtype /Link /Border [0 0 0] /Dest /66 /ANN pdfmark
4.10390615 0 32 0 0 (\). Note that existing TLS implementations should be considered to) A
22 -107 M
(determine this. ) S
11 -117.6 M
gsave
0 setgray
newpath
11.0 -117.57 2.75 0 360 arc
closepath
fill
grestore
22 -121.2 M
4.03466797 0 32 0 0 (Adopt ) A
gsave
newpath
56.3 -122.3 M
121.804688 0 RL
stroke
grestore
4.03466797 0 32 0 0 ([I-D.ietf-precis-framework]) A
[/Rect [55.2773438 -123.95 179.082031 -111.85] /Subtype /Link /Border [0 0 0] /Dest /115 /ANN pdfmark
4.03466797 0 32 0 0 ( for replacing SASLprep reference. Especially, use NFC) A
22 -134.4 M
(canonicalization instead of NFKC. ) S
11 -145 M
gsave
0 setgray
newpath
11.0 -144.97 2.75 0 360 arc
closepath
fill
grestore
22 -148.6 M
(Adding test vectors for ensuring implementation correctness. ) S
11 -159.2 M
gsave
0 setgray
newpath
11.0 -159.17 2.75 0 360 arc
closepath
fill
grestore
22 -162.8 M
0.00931490399 0 32 0 0 (Possibly adding a method for servers to detect availability of Mutual authentication on client-side. ) A
11 -173.4 M
gsave
0 setgray
newpath
11.0 -173.37 2.75 0 360 arc
closepath
fill
grestore
22 -177 M
(Possible support for optional key renewal and cross-site federated ) S
(authentication.) S
0 -188 M
[/View [/XYZ -4 569.0 null] /Dest /127 /DEST pdfmark
0 -188 M
[/View [/XYZ -4 569.0 null] /Dest /128 /DEST pdfmark
0 -207 M
15 2 Nf
(Appendix) S
[/View [/XYZ -4 568.0 null] /Dest /208 /DEST pdfmark
( B. \(Informative\) Draft Change ) S
(Log) S
0 -214.5 M
[/View [/XYZ -4 542.5 null] /Dest /129 /DEST pdfmark
0 -214.5 M
[/View [/XYZ -4 542.5 null] /Dest /130 /DEST pdfmark
0 -237 M
15 2 Nf
(B.1.) S
[/View [/XYZ -4 538.0 null] /Dest /209 /DEST pdfmark
( Changes in Revision ) S
(11) S
11 -257.6 M
gsave
0 setgray
newpath
11.0 -257.569977 2.75 0 360 arc
closepath
fill
grestore
22 -261.2 M
11 0 Nf
0.15182291 0 32 0 0 (Message syntax definition reverted to pre-07 style as httpbis-p1 and p7 now defines a precise rule) A
22 -274.4 M
(for parameter value parsing. ) S
11 -285 M
gsave
0 setgray
newpath
11.0 -284.97 2.75 0 360 arc
closepath
fill
grestore
22 -288.6 M
0.790234387 0 32 0 0 (Replaced "stale" parameter with more infomative/extensive "reason" parameter in 401-INIT and) A
22 -301.8 M
(401-STALE. ) S
11 -312.4 M
gsave
0 setgray
newpath
11.0 -312.370026 2.75 0 360 arc
closepath
fill
grestore
22 -316 M
(Reserved "rekey-sid" and "rekey-method" parameters for future extensions. ) S
11 -326.6 M
gsave
0 setgray
newpath
11.0 -326.570038 2.75 0 360 arc
closepath
fill
grestore
22 -330.2 M
(Added descriptions for replacing/non-replacing existing ) S
(technologies.) S
0 -341.2 M
[/View [/XYZ -4 415.799957 null] /Dest /131 /DEST pdfmark
0 -341.2 M
[/View [/XYZ -4 415.799957 null] /Dest /132 /DEST pdfmark
0 -360.2 M
15 2 Nf
(B.2.) S
[/View [/XYZ -4 414.799957 null] /Dest /210 /DEST pdfmark
( Changes in Revision ) S
(10) S
11 -380.8 M
gsave
0 setgray
newpath
11.0 -380.77005 2.75 0 360 arc
closepath
fill
grestore
22 -384.4 M
11 0 Nf
0.0503472239 0 32 0 0 (The authentication extension parts \(non-mandatory authentication and authentication controls\) are) A
22 -397.6 M
(separated to yet another draft. ) S
11 -408.2 M
gsave
0 setgray
newpath
11.0 -408.170074 2.75 0 360 arc
closepath
fill
grestore
22 -411.8 M
2.37890625 0 32 0 0 (The default auth-domain parameter is changed to the full scheme-host-port syntax, which is) A
22 -425 M
(consistent with usual HTTP authentication framework behavior. ) S
11 -435.6 M
gsave
0 setgray
newpath
11.0 -435.570099 2.75 0 360 arc
closepath
fill
grestore
22 -439.2 M
(Provision for application channel binding is added. ) S
11 -449.8 M
gsave
0 setgray
newpath
11.0 -449.770111 2.75 0 360 arc
closepath
fill
grestore
22 -453.4 M
(Provision for proxy access authentication is added. ) S
11 -464 M
gsave
0 setgray
newpath
11.0 -463.970123 2.75 0 360 arc
closepath
fill
grestore
22 -467.6 M
2.36467624 0 32 0 0 (Bug fix: syntax specification of sid parameter was wrong: it was inconsistent with the type) A
22 -480.8 M
(specified in the main text \(the bug introduced in -07 draft\). ) S
11 -491.4 M
gsave
0 setgray
newpath
11.0 -491.370148 2.75 0 360 arc
closepath
fill
grestore
22 -495 M
3.10798 0 32 0 0 (Terminologies for headers are changed to be in harmony with httpbis drafts \(e.g. field to) A
22 -508.2 M
(parameter\). ) S
11 -518.8 M
gsave
0 setgray
newpath
11.0 -518.770142 2.75 0 360 arc
closepath
fill
grestore
22 -522.4 M
0.572115362 0 32 0 0 (Syntax definitions are changed to use HTTP-extended ABNF syntax, and only the header values) A
22 -535.6 M
(are shown for header syntax, in harmony with httpbis drafts. ) S
11 -546.2 M
gsave
0 setgray
newpath
11.0 -546.170166 2.75 0 360 arc
closepath
fill
grestore
22 -549.8 M
4.2080965 0 32 0 0 (Names of parameters and corresponding mathematical values are now renamed to more) A
22 -563 M
(informative ones. The following list shows correspondence between the new and the old names. ) S
74.5 -591.3 M
11 2 Nf
(new ) S
(name) S
130.2 -591.3 M
11 2 Nf
(old ) S
(name) S
179.4 -591.3 M
11 2 Nf
(description) S
74.5 -611.1 M
11 0 Nf
(S) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(, ) S
(S) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s1) S
0.0 2.2 RM
1.5 0.0 RM
0.0 -2.2 RM
130.2 -611.1 M
11 0 Nf
(s) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(a) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(, ) S
(s) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(b) S
0.0 2.2 RM
1.5 0.0 RM
0.0 -2.2 RM
179.4 -612.2 M
11 0 Nf
(client/server-side secret ) S
(randoms) S
74.5 -633 M
11 0 Nf
(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(, ) S
(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s1) S
0.0 2.2 RM
1.5 0.0 RM
0.0 -2.2 RM
130.2 -633 M
11 0 Nf
(w) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(a) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(, ) S
(w) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(b) S
0.0 2.2 RM
1.5 0.0 RM
0.0 -2.2 RM
179.4 -634.1 M
11 0 Nf
(client/server-side exchanged key ) S
(components) S
74.5 -655 M
(kc1, ) S
(ks1) S
130.2 -655 M
(wa, ) S
(wb) S
179.4 -655 M
(parameter names for ) S
(those) S
179.4 -655 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 32 -) S
0 setgray
358.7 -8 M
grestore
pgsave restore N
%%Page: 33 33
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
74.5 -14 M
%%IncludeResource: font Times-Roman
11 0 Nf
(VK) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(, ) S
(VK) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s) S
0.0 2.2 RM
1.5 0.0 RM
0.0 -2.2 RM
130.2 -14 M
11 0 Nf
(o) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(a) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(, ) S
(o) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(b) S
0.0 2.2 RM
1.5 0.0 RM
0.0 -2.2 RM
179.4 -15.1 M
11 0 Nf
(client/server-side key ) S
(verifiers) S
74.5 -36 M
(vkc, ) S
(vks) S
130.2 -36 M
(oa, ) S
(ob) S
179.4 -36 M
(parameter names for ) S
(those) S
74.5 -55.7 M
(z) S
130.2 -55.7 M
(z) S
179.4 -55.7 M
(session ) S
(secrets) S
0 -72.5 M
[/View [/XYZ -4 684.55 null] /Dest /133 /DEST pdfmark
0 -72.5 M
[/View [/XYZ -4 684.55 null] /Dest /134 /DEST pdfmark
0 -91.5 M
%%IncludeResource: font Times-Bold
15 2 Nf
(B.3.) S
[/View [/XYZ -4 683.55 null] /Dest /211 /DEST pdfmark
( Changes in Revision ) S
(09) S
11 -112 M
gsave
0 setgray
newpath
11.0 -112.02 2.75 0 360 arc
closepath
fill
grestore
22 -115.6 M
11 0 Nf
(The \(default\) cryptographic algorithms are separated to another draft. ) S
11 -126.2 M
gsave
0 setgray
newpath
11.0 -126.219994 2.75 0 360 arc
closepath
fill
grestore
22 -129.8 M
0.865104139 0 32 0 0 (Names of the messages are changed to more informative ones than before. The following is the) A
22 -143 M
(correspondence table of those ) S
(names:) S
49.7 -171.3 M
11 2 Nf
(new ) S
(name) S
140 -171.3 M
11 2 Nf
(old ) S
(name) S
221.3 -171.3 M
11 2 Nf
(description) S
49.7 -191.1 M
11 0 Nf
(401-INIT) S
140 -191.1 M
(401-B0) S
221.3 -191.1 M
(initial ) S
(response) S
49.7 -210.8 M
(401-STALE) S
140 -210.8 M
(401-B0-stale) S
221.3 -210.8 M
(session key ) S
(expired) S
49.7 -230.6 M
(req-KEX-C1) S
140 -230.6 M
(req-A1) S
221.3 -230.6 M
(client->server key ) S
(exchange) S
49.7 -250.3 M
(401-KEX-S1) S
140 -250.3 M
(401-B1) S
221.3 -250.3 M
(server->client key ) S
(exchange) S
49.7 -270.1 M
(req-VFY-C) S
140 -270.1 M
(req-A3) S
221.3 -270.1 M
(client->server auth. ) S
(verification) S
49.7 -289.8 M
(200-VFY-S) S
140 -289.8 M
(200-B4) S
221.3 -289.8 M
(server->client auth. ) S
(verification) S
49.7 -309.6 M
(200-Optional-INIT) S
140 -309.6 M
(200-Optional-B0) S
221.3 -309.6 M
(initial with non-mandatory ) S
(authentication) S
0 -326.3 M
[/View [/XYZ -4 430.650024 null] /Dest /135 /DEST pdfmark
0 -326.3 M
[/View [/XYZ -4 430.650024 null] /Dest /136 /DEST pdfmark
0 -345.3 M
15 2 Nf
(B.4.) S
[/View [/XYZ -4 429.650024 null] /Dest /212 /DEST pdfmark
( Changes in Revision ) S
(08) S
11 -365.9 M
gsave
0 setgray
newpath
11.0 -365.919983 2.75 0 360 arc
closepath
fill
grestore
22 -369.6 M
11 0 Nf
(The English text has been revised. ) S
0 -380.6 M
[/View [/XYZ -4 376.45 null] /Dest /137 /DEST pdfmark
0 -380.6 M
[/View [/XYZ -4 376.45 null] /Dest /138 /DEST pdfmark
0 -399.6 M
15 2 Nf
(B.5.) S
[/View [/XYZ -4 375.45 null] /Dest /213 /DEST pdfmark
( Changes in Revision ) S
(07) S
11 -420.1 M
gsave
0 setgray
newpath
11.0 -420.12 2.75 0 360 arc
closepath
fill
grestore
22 -423.8 M
11 0 Nf
(Adapt to httpbis HTTP/1.1 drafts: ) S
33 -434.3 M
gsave
0 setgray
newpath
33.0 -434.32 2.75 0 360 arc
closepath
stroke
grestore
44 -437.9 M
(Changed definition of extensive-token. ) S
33 -448.5 M
gsave
0 setgray
newpath
33.0 -448.52002 2.75 0 360 arc
closepath
stroke
grestore
44 -452.2 M
(LWSP continuation-line \(%0D.0A.20\) ) S
(deprecated.) S
11 -462.7 M
gsave
0 setgray
newpath
11.0 -462.720032 2.75 0 360 arc
closepath
fill
grestore
22 -466.4 M
2.78605771 0 32 0 0 (To simplify the whole spec, the type of nonce-counter related parameters are change from) A
22 -479.6 M
(hex-integer to integer. ) S
11 -490.1 M
gsave
0 setgray
newpath
11.0 -490.120056 2.75 0 360 arc
closepath
fill
grestore
22 -493.8 M
(Algorithm tokens are renamed to include names of hash algorithms. ) S
11 -504.3 M
gsave
0 setgray
newpath
11.0 -504.320068 2.75 0 360 arc
closepath
fill
grestore
22 -508 M
(Clarified the session management, added details of server-side protocol decisions. ) S
11 -518.5 M
gsave
0 setgray
newpath
11.0 -518.520081 2.75 0 360 arc
closepath
fill
grestore
22 -522.2 M
(The whole draft was reorganized; introduction and overview has been rewritten. ) S
0 -533.2 M
[/View [/XYZ -4 223.849915 null] /Dest /139 /DEST pdfmark
0 -533.2 M
[/View [/XYZ -4 223.849915 null] /Dest /140 /DEST pdfmark
0 -552.2 M
15 2 Nf
(B.6.) S
[/View [/XYZ -4 222.849915 null] /Dest /214 /DEST pdfmark
( Changes in Revision ) S
(06) S
11 -572.7 M
gsave
0 setgray
newpath
11.0 -572.720093 2.75 0 360 arc
closepath
fill
grestore
22 -576.4 M
11 0 Nf
(Integrated Optional Mutual Authentication to the main part. ) S
11 -586.9 M
gsave
0 setgray
newpath
11.0 -586.920105 2.75 0 360 arc
closepath
fill
grestore
22 -590.6 M
(Clarified the decision procedure for message recognitions. ) S
11 -601.1 M
gsave
0 setgray
newpath
11.0 -601.120117 2.75 0 360 arc
closepath
fill
grestore
22 -604.8 M
2.05649042 0 32 0 0 (Clarified that a new authentication request for any sub-requests in interactive clients may be) A
22 -618 M
(silently discarded. ) S
11 -628.5 M
gsave
0 setgray
newpath
11.0 -628.520142 2.75 0 360 arc
closepath
fill
grestore
22 -632.2 M
(Typos and confusing phrases are fixed. ) S
11 -642.7 M
gsave
0 setgray
newpath
11.0 -642.720154 2.75 0 360 arc
closepath
fill
grestore
22 -646.4 M
(Several "future considerations" are ) S
(added.) S
0 -646.4 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 33 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 34 34
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /141 /DEST pdfmark
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /142 /DEST pdfmark
0 -18 M
%%IncludeResource: font Times-Bold
15 2 Nf
(B.7.) S
[/View [/XYZ -4 757.0 null] /Dest /215 /DEST pdfmark
( Changes in Revision ) S
(05) S
11 -38.6 M
gsave
0 setgray
newpath
11.0 -38.57 2.75 0 360 arc
closepath
fill
grestore
22 -42.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.64753604 0 32 0 0 (A new parameter called "version" is added for supporting future incompatible changes with a) A
22 -55.4 M
(single implementation. In the \(first\) final specification its value will be changed to 1. ) S
11 -66 M
gsave
0 setgray
newpath
11.0 -65.97 2.75 0 360 arc
closepath
fill
grestore
22 -69.6 M
4.55546856 0 32 0 0 (A new header "Authentication-Control" is added for precise control of application-level) A
22 -82.8 M
(authentication ) S
(behavior.) S
0 -93.8 M
[/View [/XYZ -4 663.2 null] /Dest /143 /DEST pdfmark
0 -93.8 M
[/View [/XYZ -4 663.2 null] /Dest /144 /DEST pdfmark
0 -112.8 M
15 2 Nf
(B.8.) S
[/View [/XYZ -4 662.2 null] /Dest /216 /DEST pdfmark
( Changes in Revision ) S
(04) S
11 -133.4 M
gsave
0 setgray
newpath
11.0 -133.37001 2.75 0 360 arc
closepath
fill
grestore
22 -137 M
11 0 Nf
0.166145831 0 32 0 0 (Changed text of patent licenses: the phrase "once the protocol is accepted as an Internet standard") A
22 -150.2 M
(is removed so that the sentence also covers the draft versions of this protocol. ) S
11 -160.8 M
gsave
0 setgray
newpath
11.0 -160.77 2.75 0 360 arc
closepath
fill
grestore
22 -164.4 M
(The "tls-key" verification is now OPTIONAL. ) S
11 -175 M
gsave
0 setgray
newpath
11.0 -174.97 2.75 0 360 arc
closepath
fill
grestore
22 -178.6 M
(Several description fixes and ) S
(clarifications.) S
0 -189.6 M
[/View [/XYZ -4 567.4 null] /Dest /145 /DEST pdfmark
0 -189.6 M
[/View [/XYZ -4 567.4 null] /Dest /146 /DEST pdfmark
0 -208.6 M
15 2 Nf
(B.9.) S
[/View [/XYZ -4 566.4 null] /Dest /217 /DEST pdfmark
( Changes in Revision ) S
(03) S
11 -229.2 M
gsave
0 setgray
newpath
11.0 -229.17 2.75 0 360 arc
closepath
fill
grestore
22 -232.8 M
11 0 Nf
0.957465291 0 32 0 0 (Wildcard domain specifications \(e.g. "*.example.com"\) are allowed for auth-domain parameters ) A
22 -246 M
(\() S
gsave
newpath
25.7 -247.1 M
49.4882812 0 RL
stroke
grestore
(Section\2404.1) S
[/Rect [24.6601562 -248.749985 76.1484375 -236.649979] /Subtype /Link /Border [0 0 0] /Dest /50 /ANN pdfmark
(\). ) S
11 -256.6 M
gsave
0 setgray
newpath
11.0 -256.569977 2.75 0 360 arc
closepath
fill
grestore
22 -260.2 M
(Specification of the "tls-cert" verification is updated \(incompatible change\). ) S
11 -270.8 M
gsave
0 setgray
newpath
11.0 -270.77 2.75 0 360 arc
closepath
fill
grestore
22 -274.4 M
(State transitions fixed. ) S
11 -285 M
gsave
0 setgray
newpath
11.0 -284.97 2.75 0 360 arc
closepath
fill
grestore
22 -288.6 M
11 0 Nf
(Requirements for servers concerning ) S
(w) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(a) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( values are clarified. ) S
0.0 -2.2 RM
11 -301.4 M
gsave
0 setgray
newpath
11.0 -301.370026 2.75 0 360 arc
closepath
fill
grestore
22 -305 M
(RFC references are ) S
(updated.) S
0 -316 M
[/View [/XYZ -4 440.999969 null] /Dest /147 /DEST pdfmark
0 -316 M
[/View [/XYZ -4 440.999969 null] /Dest /148 /DEST pdfmark
0 -335 M
15 2 Nf
(B.10.) S
[/View [/XYZ -4 439.999969 null] /Dest /218 /DEST pdfmark
( Changes in Revision ) S
(02) S
11 -355.6 M
gsave
0 setgray
newpath
11.0 -355.570038 2.75 0 360 arc
closepath
fill
grestore
22 -359.2 M
11 0 Nf
(Auth-realm is extended to allow full-scheme type. ) S
11 -369.8 M
gsave
0 setgray
newpath
11.0 -369.77005 2.75 0 360 arc
closepath
fill
grestore
22 -373.4 M
(A decision diagram for clients and decision procedures for servers are added. ) S
11 -384 M
gsave
0 setgray
newpath
11.0 -383.970062 2.75 0 360 arc
closepath
fill
grestore
22 -387.6 M
(401-B1 and req-A3 messages are changed to contain authentication realm information. ) S
11 -398.2 M
gsave
0 setgray
newpath
11.0 -398.170074 2.75 0 360 arc
closepath
fill
grestore
22 -401.8 M
11 0 Nf
(Bugs on equations for ) S
(o) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(A) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( and ) S
(o) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(B) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( are fixed. ) S
0.0 -2.2 RM
11 -414.6 M
gsave
0 setgray
newpath
11.0 -414.570099 2.75 0 360 arc
closepath
fill
grestore
22 -418.2 M
(Detailed equations for the entire algorithm are included. ) S
11 -428.8 M
gsave
0 setgray
newpath
11.0 -428.770111 2.75 0 360 arc
closepath
fill
grestore
22 -432.4 M
(Elliptic-curve algorithms are updated. ) S
11 -443 M
gsave
0 setgray
newpath
11.0 -442.970123 2.75 0 360 arc
closepath
fill
grestore
22 -446.6 M
(Several clarifications and other minor ) S
(updates.) S
0 -457.6 M
[/View [/XYZ -4 299.399872 null] /Dest /149 /DEST pdfmark
0 -457.6 M
[/View [/XYZ -4 299.399872 null] /Dest /150 /DEST pdfmark
0 -476.6 M
15 2 Nf
(B.11.) S
[/View [/XYZ -4 298.399872 null] /Dest /219 /DEST pdfmark
( Changes in Revision ) S
(01) S
11 -497.2 M
gsave
0 setgray
newpath
11.0 -497.170135 2.75 0 360 arc
closepath
fill
grestore
22 -500.8 M
11 0 Nf
(Several texts are rewritten for clarification. ) S
11 -511.4 M
gsave
0 setgray
newpath
11.0 -511.370148 2.75 0 360 arc
closepath
fill
grestore
22 -515 M
(Added several security consideration ) S
(clauses.) S
0 -526 M
[/View [/XYZ -4 230.999878 null] /Dest /151 /DEST pdfmark
0 -545 M
15 2 Nf
(Authors') S
[/View [/XYZ -4 229.999878 null] /Dest /220 /DEST pdfmark
( ) S
(Addresses) S
0 -570.3 M
11 0 Nf
(\240) S
44.6 -570.3 M
(Yutaka ) S
(Oiwa) S
0 -584.1 M
(\240) S
44.6 -584.1 M
(National Institute of Advanced Industrial Science and ) S
(Technology) S
0 -597.8 M
(\240) S
44.6 -597.8 M
(Research Institute for Secure ) S
(Systems) S
0 -611.6 M
(\240) S
44.6 -611.6 M
(Tsukuba Central ) S
(2) S
0 -625.3 M
(\240) S
44.6 -625.3 M
(1-1-1 ) S
(Umezono) S
0 -639.1 M
(\240) S
44.6 -639.1 M
(Tsukuba-shi, ) S
(Ibaraki) S
0 -652.8 M
(\240) S
44.6 -652.8 M
(JP) S
12.6 -666.6 M
(Email:\240) S
44.6 -666.6 M
gsave
newpath
44.6 -667.7 M
154.285156 0 RL
stroke
grestore
(mutual-auth-contact-ml@aist.go.jp) S
44.6 -666.6 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 34 -) S
0 setgray
89.3 -8 M
grestore
pgsave restore N
%%Page: 35 35
%%PageResources: font Times-Roman Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -11 M
%%IncludeResource: font Times-Roman
11 0 Nf
(\240) S
44.6 -11 M
(\240) S
0 -24.8 M
(\240) S
44.6 -24.8 M
(Hajime ) S
(Watanabe) S
0 -38.5 M
(\240) S
44.6 -38.5 M
(National Institute of Advanced Industrial Science and ) S
(Technology) S
0 -52.2 M
(\240) S
44.6 -52.2 M
(\240) S
0 -66 M
(\240) S
44.6 -66 M
(Hiromitsu ) S
(Takagi) S
0 -79.8 M
(\240) S
44.6 -79.8 M
(National Institute of Advanced Industrial Science and ) S
(Technology) S
0 -93.5 M
(\240) S
44.6 -93.5 M
(\240) S
0 -107.2 M
(\240) S
44.6 -107.2 M
(Boku ) S
(Kihara) S
0 -121 M
(\240) S
44.6 -121 M
(Lepidum Co. ) S
(Ltd.) S
0 -134.8 M
(\240) S
44.6 -134.8 M
(#602, Village Sasazuka ) S
(3) S
0 -148.5 M
(\240) S
44.6 -148.5 M
(1-30-3 ) S
(Sasazuka) S
0 -162.2 M
(\240) S
44.6 -162.2 M
(Shibuya-ku, ) S
(Tokyo) S
0 -176 M
(\240) S
44.6 -176 M
(JP) S
0 -189.8 M
(\240) S
44.6 -189.8 M
(\240) S
0 -203.5 M
(\240) S
44.6 -203.5 M
(Tatsuya ) S
(Hayashi) S
0 -217.2 M
(\240) S
44.6 -217.2 M
(Lepidum Co. ) S
(Ltd.) S
0 -231 M
(\240) S
44.6 -231 M
(\240) S
0 -244.8 M
(\240) S
44.6 -244.8 M
(Yuichi ) S
(Ioku) S
0 -258.5 M
(\240) S
44.6 -258.5 M
(Yahoo! Japan, ) S
(Inc.) S
0 -272.2 M
(\240) S
44.6 -272.2 M
(Midtown ) S
(Tower) S
0 -286 M
(\240) S
44.6 -286 M
(9-7-1 ) S
(Akasaka) S
0 -299.8 M
(\240) S
44.6 -299.8 M
(Minato-ku, ) S
(Tokyo) S
0 -313.5 M
(\240) S
44.6 -313.5 M
(JP) S
0 -327.2 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 35 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%EOF
| PAFTECH AB 2003-2026 | 2026-04-24 19:47:19 |