

%!PS-Adobe-3.0
%%Title: Common Template for HTTP Message-based Multi-hop Authentication
%%Creator: html2ps version 1.0 beta5
%%CreationDate: Mon Feb 18 17:56:45 2013
%%DocumentNeededResources: font Times-Roman Times-Bold Courier Courier-Oblique
%%+ font Helvetica
%%DocumentData: Clean7Bit
%%Orientation: Portrait
%%BoundingBox: 0 0 596 842
%%Pages: 25
%%EndComments
%%BeginProlog
% Shorthand names used by the rest of the prolog and by every page body.
% They only abbreviate standard operators to keep the generated file small.
% d: bind the procedure body on the stack, then define it under the given name.
/d {bind def} bind def
% D: plain "def" (no binding of the value).
/D {def} d
% ie: "ifelse".
/ie {ifelse} d
% E: "exch".
/E {exch} d
% t / f: the boolean constants true / false.
/t true D
/f false D
% FL: font list. Nf selects a font by its zero-based position in this array
% (0 = Times-Roman, 2 = Times-Bold, 4 = Courier, 8 = Helvetica, ...).
/FL [/Times-Roman
/Times-Italic
/Times-Bold
/Times-BoldItalic
/Courier
/Courier-Oblique
/Courier-Bold
/Courier-BoldOblique
/Helvetica
/Helvetica-Oblique
/Helvetica-Bold
/Helvetica-BoldOblique] D
% Cd: array -> dict. Takes an array of alternating key/value elements, creates a
% dictionary sized for length/2 entries, defines each pair in it and leaves the
% dictionary on the stack. Not called anywhere in the part of the file shown here.
/Cd {aload length 2 idiv dup dict begin {D} repeat currentdict end} D
% reencodeISO: fontname -> fontname font
% Copies the named font into a new dictionary (every entry except FID, which
% definefont must assign itself), replaces its Encoding with the
% ISOLatin1Encoding array defined in this prolog, and registers the copy under
% the same name. The name and the new font are both left on the stack so the
% caller can follow up with D.
/reencodeISO {
 dup dup findfont dup length dict begin{1 index /FID ne{D}{pop pop}ie}forall
 /Encoding ISOLatin1Encoding D currentdict end definefont} D
% ISOLatin1Encoding: 256-entry glyph-name table used by reencodeISO.
% Codes 0-31 are .notdef, 32-126 are printable ASCII, 160 is a second /space
% (so the \240 no-break space in page text renders as a blank) and 161-255 are
% the Latin-1 accented letters and symbols. The .notdef run after asciitilde
% is partly overwritten by the patch table that follows the array.
/ISOLatin1Encoding [
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quoteright
/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash
/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon
/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N
/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright
/asciicircum/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m
/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/space/exclamdown/cent/sterling/currency/yen/brokenbar
/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot
/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior
/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine
/guillemotright/onequarter/onehalf/threequarters/questiondown
/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla
/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex
/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis
/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute
/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis
/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave
/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex
/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis
/yacute/thorn/ydieresis
] D
% Patch table: code/glyph-name pairs written into ISOLatin1Encoding.
% It fills part of the 128-159 range with typographic glyphs (curly quotes,
% dashes, daggers, oe/OE, ...) and with backslash and the two parentheses,
% which appear here at 128-130 as well as at their ASCII positions.
[128/backslash 129/parenleft 130/parenright 141/circumflex 142/tilde
143/perthousand 144/dagger 145/daggerdbl 146/Ydieresis 147/scaron 148/Scaron
149/oe 150/OE 151/guilsinglleft 152/guilsinglright 153/quotesinglbase
154/quotedblbase 155/quotedblleft 156/quotedblright 157/endash 158/emdash
159/trademark]
% Unpack the pairs onto the stack, then loop once per pair; the loop counter is
% discarded and each "code name" pair on top of the stack is stored with put.
aload length 2 idiv 1 1 3 -1 roll{pop ISOLatin1Encoding 3 1 roll put}for
% colorimage fallback: only installed when the interpreter has no colorimage
% operator of its own ("where" finds nothing).
% The replacement discards the top two operands, stores the data-source
% procedure as Pr and calls image with a wrapper procedure. Each time the
% wrapper runs it calls Pr to get a string Cv, treats it as consecutive
% 3-byte samples and returns a string Gr one third as long, where each byte is
% 0.299*first + 0.587*second + 0.114*third, truncated by cvi (a weighted
% colour-to-grey conversion).
% NOTE(review): presumably written for a single interleaved RGB data source -
% confirm against the image-emitting part of the generator.
/colorimage where{pop}{
 /colorimage {
  pop pop /Pr E D {/Cv Pr D /Gr Cv length 3 idiv string D 0 1 Gr length 1 sub
   {Gr E dup /i E 3 mul D Cv i get 0.299 mul Cv i 1 add get 0.587 mul add
    Cv i 2 add get 0.114 mul add cvi put}for Gr} image} D
}ie
% pdfmark fallback: if the interpreter does not define pdfmark, alias it to
% cleartomark in userdict. Every pdfmark call in this file starts with "[",
% so the alias discards the whole argument list and the bookmark, link and
% destination hints become no-ops.
/pdfmark where{pop}{userdict /pdfmark /cleartomark load put}ie

% MySymbol: a small Type 3 (procedure-drawn) font that supplies one glyph,
% the euro sign. Nf selects it for any negative font index other than -1.

/MySymbol 10 dict dup begin
 % FontMatrix scales a 1000-unit glyph space down to the 1-unit text space.
 /FontType 3 D /FontMatrix [.001 0 0 .001 0 0 ] D /FontBBox [25 -10 600 600] D
 % Start with every code mapped to .notdef ...
 /Encoding 256 array D 0 1 255{Encoding exch /.notdef put}for
 % ... then map the character code of the letter "e" to the euro glyph.
 Encoding (e) 0 get /euro put
 % Metrics: advance width per glyph name, in glyph-space units.
 /Metrics 2 dict D Metrics begin
  /.notdef 0 D
  /euro 651 D
 end
 % BBox: bounding box per glyph name, passed to setcachedevice by BuildChar.
 /BBox 2 dict D BBox begin
  /.notdef [0 0 0 0] D
  /euro [25 -10 600 600] D
 end
 % CharacterDefs: drawing procedure per glyph name.
 /CharacterDefs 2 dict D CharacterDefs begin
  /.notdef {} D
  % euro: set a polygonal clip region, stroke a full circle through it, then
  % stroke two horizontal bars of length 600.
  /euro{newpath 114 600 moveto 631 600 lineto 464 200 lineto 573 200 lineto
   573 0 lineto -94 0 lineto 31 300 lineto -10 300 lineto closepath clip
   50 setlinewidth newpath 656 300 moveto 381 300 275 0 360 arc stroke
   -19 350 moveto 600 0 rlineto -19 250 moveto 600 0 rlineto stroke}d
 end
 % BuildChar: called by the interpreter with "fontdict char". It looks up the
 % glyph name for the code, declares width and bounding box with
 % setcachedevice, then runs the glyph's drawing procedure.
 % The leading 0 is a placeholder that is patched just below.
 /BuildChar{0 begin
  /char E D /fontdict E D /charname fontdict /Encoding get char get D
  fontdict begin
   Metrics charname get 0 BBox charname get aload pop setcachedevice
   CharacterDefs charname get exec
  end
 end}D
 % Replace element 0 of BuildChar (the placeholder) with a private 3-entry
 % dictionary that holds char, fontdict and charname during each call.
 /BuildChar load 0 3 dict put /UniqueID 1 D
end
% Register the font; the font object returned by definefont is not needed.
definefont pop
% Nf: size index -> (nothing). Selects the current font.
% index >= 0 picks entry "index" of FL; index -1 picks /Symbol; any other
% negative index picks /MySymbol. The font is then scaled to "size" and set.
/Nf {dup 0 ge{FL E get}{-1 eq{/Symbol}{/MySymbol}ie}ie findfont
 E scalefont setfont} D
% IP: read the next run of hex-encoded bytes from this program file into the
% string picstr and leave the filled string on the stack.
% picstr is not defined in the part of the file shown here.
/IP {currentfile picstr readhexstring pop} D
% WF: flag read in the setup section to decide which FL fonts get re-encoded.
/WF t D
% F: set to 1 here; not read in the part of the file shown here.
/F 1 D
% One-letter aliases for the drawing operators used in the page bodies.
% N: showpage (emit the finished page).
/N {showpage} d
% RL: rlineto.
/RL {rlineto} d
% S: show.
/S {show} d
% L: lineto.
/L {lineto} d
% M: moveto.
/M {moveto} d
% A: awidthshow (show with extra per-character spacing).
/A {awidthshow} d
% RM: rmoveto.
/RM {rmoveto} d
%%EndProlog
%%BeginSetup
%%PaperSize: A4
% Re-encode the text fonts with ISOLatin1Encoding and define each result under
% its own name: all of FL when WF is true, otherwise only entries 4 and up
% (the Courier and Helvetica families).
WF{FL{reencodeISO D}forall}{4 1 FL length 1 sub{FL E get reencodeISO D}for}ie
% Make a private copy of the Symbol font whose Encoding is a fresh array with
% code 128 mapped to /therefore, and define it under the name Symbol.
/Symbol dup dup findfont dup length dict begin
 {1 index /FID ne{D}{pop pop}ie}forall /Encoding [Encoding aload pop]
 dup 128 /therefore put D currentdict end definefont D
% PDF metadata. These pdfmark calls only matter when the file is converted to
% PDF; where pdfmark is not defined, the prolog's fallback discards them.
% Document information dictionary (Creator, Keywords, Title; Author and
% Subject are empty strings).
[/Creator (html2ps version 1.0 beta5) /Author () /Keywords (HTTP, authentication) /Subject () /Title (Common Template for HTTP Message-based Multi-hop Authentication) /DOCINFO pdfmark
% Ask the viewer to open with the outline (bookmark) pane visible.
[/PageMode /UseOutlines /DOCVIEW pdfmark
% Outline entries, one per heading. /Dest names a destination that the page
% bodies define with /DEST pdfmark; /Count, where present, says how many of
% the following entries sit below this one (negative = initially collapsed).
[/Count 1 /Dest /98 /Title (Common Template for HTTP Message-based Multi-hop Authentication draft-oiwa-httpauth-multihop-template-00) /OUT pdfmark
[/Count 23 /Dest /99 /Title () /OUT pdfmark
[/Dest /99 /Title (Abstract) /OUT pdfmark
[/Dest /100 /Title (Status of this Memo) /OUT pdfmark
[/Dest /101 /Title (Copyright Notice) /OUT pdfmark
[/Dest /102 /Title (Table of Contents) /OUT pdfmark
[/Count -3 /Dest /103 /Title (1. Introduction) /OUT pdfmark
[/Dest /104 /Title (1.1. How to Use This Document) /OUT pdfmark
[/Dest /105 /Title (1.2. Terminology) /OUT pdfmark
[/Dest /106 /Title (1.3. Document Structure and Related Documents) /OUT pdfmark
[/Count -3 /Dest /107 /Title (2. Protocol Overview) /OUT pdfmark
[/Dest /108 /Title (2.1. Messages Overview) /OUT pdfmark
[/Dest /109 /Title (2.2. Typical Flows of the Protocol) /OUT pdfmark
[/Dest /110 /Title (2.3. Alternative Flows) /OUT pdfmark
[/Count -4 /Dest /111 /Title (3. Message Syntax) /OUT pdfmark
[/Dest /112 /Title (3.1. Values) /OUT pdfmark
[/Dest /113 /Title (3.1.1. Tokens) /OUT pdfmark
[/Dest /114 /Title (3.1.2. Strings) /OUT pdfmark
[/Dest /115 /Title (3.1.3. Numbers) /OUT pdfmark
[/Count -5 /Dest /116 /Title (4. Messages) /OUT pdfmark
[/Dest /117 /Title (4.1. 401-INIT and 401-STALE) /OUT pdfmark
[/Dest /118 /Title (4.2. req-KEX-C1) /OUT pdfmark
[/Dest /119 /Title (4.3. 401-KEX-S1) /OUT pdfmark
[/Dest /120 /Title (4.4. req-VFY-C) /OUT pdfmark
[/Dest /121 /Title (4.5. 200-VFY-S) /OUT pdfmark
[/Dest /122 /Title (5. Session Management) /OUT pdfmark
[/Dest /123 /Title (6. Host Validation Methods) /OUT pdfmark
[/Dest /124 /Title (7. Decision Procedure for Clients) /OUT pdfmark
[/Dest /125 /Title (8. Decision Procedure for Servers) /OUT pdfmark
[/Count -1 /Dest /126 /Title (9. Applying for Specific Authentication Schemes) /OUT pdfmark
[/Dest /127 /Title (9.1. Default Functions for Algorithms) /OUT pdfmark
[/Dest /128 /Title (10. Application Channel Binding) /OUT pdfmark
[/Dest /129 /Title (11. String Preparation) /OUT pdfmark
[/Dest /130 /Title (12. Application for Proxy Authentication) /OUT pdfmark
[/Dest /131 /Title (13. Methods to extend this protocol template) /OUT pdfmark
[/Dest /132 /Title (14. IANA Considerations) /OUT pdfmark
[/Count -2 /Dest /133 /Title (15. Security Considerations) /OUT pdfmark
[/Dest /134 /Title (15.1. Security Properties) /OUT pdfmark
[/Dest /135 /Title (15.2. Denial-of-service Attacks to Servers) /OUT pdfmark
[/Count -2 /Dest /136 /Title (16. References) /OUT pdfmark
[/Dest /137 /Title (16.1. Normative References) /OUT pdfmark
[/Dest /138 /Title (16.2. Informative References) /OUT pdfmark
% Parentheses inside a title are backslash-escaped because they would
% otherwise be read as nested string delimiters.
[/Dest /139 /Title (Appendix A. \(Normative\) Support Functions and Notations) /OUT pdfmark
[/Dest /140 /Title (Appendix B. \(Informative\) Draft Remarks from Authors) /OUT pdfmark
[/Dest /141 /Title (Authors' Addresses) /OUT pdfmark
%%EndSetup
%%Page: 1 1
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
% Page 1: document header table, title, Abstract and "Status of this Memo".
% Reading guide for the page operators (all defined in the prolog):
%   x y M                        moveto
%   size index Nf                select font FL[index] at the given size
%   (text) S                     show text at the current point
%   cx 0 32 0 0 (text) A         awidthshow: show text, adding cx to the width
%                                of every space (code 32) to justify the line
% Snapshot the VM state; the matching "pgsave restore" at the end of the page
% undoes everything the page changed.
/pgsave save D
% Move the origin 71 units right and 757 units up. With the 596 x 842 bounding
% box declared in the header this leaves an 85-unit top margin, and all y
% coordinates on the page are negative, growing downwards.
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 0 M
% Named destination for the top of the page (PDF conversion only).
[/View [/XYZ -4 842 null] /Dest /0 /DEST pdfmark
0 -0 M
% Header table: left column at x = 2.5, right column at x = 191.8. It is
% wrapped in its own save/restore pair.
save
2.5 -13.5 M
%%IncludeResource: font Times-Roman
11 0 Nf
(Internet Engineering Task ) S
(Force) S
191.8 -13.5 M
(Y. ) S
(Oiwa) S
2.5 -32.2 M
(Internet-Draft) S
191.8 -32.2 M
(H. ) S
(Watanabe) S
2.5 -51 M
(Intended status: ) S
(Experimental) S
191.8 -51 M
(H. ) S
(Takagi) S
2.5 -69.8 M
(Expires: August 22, ) S
(2013) S
191.8 -69.8 M
(RISEC, ) S
(AIST) S
2.5 -88.5 M
% \240 is character code 160, which the prolog's encoding maps to a space
% glyph; it fills the left-column cells that have no text.
(\240) S
191.8 -88.5 M
(B. ) S
(Kihara) S
2.5 -107.2 M
(\240) S
191.8 -107.2 M
(T. ) S
(Hayashi) S
2.5 -126 M
(\240) S
191.8 -126 M
(Lepidum) S
2.5 -144.8 M
(\240) S
191.8 -144.8 M
(Y. ) S
(Ioku) S
2.5 -163.5 M
(\240) S
191.8 -163.5 M
(Yahoo! ) S
(Japan) S
2.5 -182.2 M
(\240) S
191.8 -182.2 M
(February 18, ) S
(2013) S
0 -187.5 M
restore
227 -202.7 M
% Destination /98 is the target of the top-level outline entry.
[/View [/XYZ -4 842 null] /Dest /98 /DEST pdfmark
42.8 -221.7 M
%%IncludeResource: font Times-Bold
% Document title in 19-point Times-Bold (FL index 2).
19 2 Nf
(Common Template for HTTP Message-based) S
122.8 -244.5 M
(Multi-hop ) S
(Authentication) S
54.5 -267.3 M
(draft-oiwa-httpauth-multihop-template-00) S
0 -297.3 M
% Section heading "Abstract" in 15-point Times-Bold, with its destination.
15 2 Nf
(Abstract) S
[/View [/XYZ -4 477.7 null] /Dest /99 /DEST pdfmark
0 -321.5 M
% Body text in 11-point Times-Roman. Lines shown with A are justified; the
% final line of each paragraph is shown with S and left unjustified.
11 0 Nf
2.14941406 0 32 0 0 (This document specifies a common protocol design template for authentication on the Hyper-text) A
0 -334.7 M
5.64930534 0 32 0 0 (Transport Protocol \(HTTP\) involving multi-hop message exchanges. To facilitate advanced) A
0 -347.9 M
4.05512142 0 32 0 0 (authentication technologies such as hash-based exchanges, zero-knowledge password proof, or) A
0 -361.1 M
1.09224761 0 32 0 0 (public-key authentications on HTTP, a kind of state management and key management facilities are) A
0 -374.3 M
1.18522131 0 32 0 0 (required on the general HTTP authentication message framework. Also, to optimize performance of) A
0 -387.5 M
1.6264205 0 32 0 0 (such authentication schemes, a well-designed mechanism for key caching and re-authentication are) A
0 -400.7 M
0.902944684 0 32 0 0 (needed. The template defined in this document provides a generic foundation for implementing such) A
0 -413.9 M
(advanced authentication technologies. ) S
0 -443.9 M
% Section heading "Status of this Memo"; the destination is emitted in the
% middle of the heading, after its first word.
15 2 Nf
(Status) S
[/View [/XYZ -4 331.099915 null] /Dest /100 /DEST pdfmark
( of this ) S
(Memo) S
0 -468.1 M
11 0 Nf
(This Internet-Draft is submitted in full conformance with the provisions of BCP\24078 and ) S
(BCP\24079.) S
0 -492.3 M
0.34375 0 32 0 0 (Internet-Drafts are working documents of the Internet Engineering Task Force \(IETF\). Note that other) A
0 -505.5 M
0.389423072 0 32 0 0 (groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is) A
0 -518.7 M
(at ) S
(http://datatracker.ietf.org/drafts/current/.) S
0 -542.9 M
0.275781244 0 32 0 0 (Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced,) A
0 -556.1 M
1.51927078 0 32 0 0 (or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference) A
0 -569.3 M
% \233 and \234 are codes 155 and 156, which the prolog's patch table maps to
% the opening and closing curly double quotes.
(material or to cite them other than as \233work in ) S
(progress.\234) S
0 -593.5 M
(This Internet-Draft will expire on August 22, ) S
(2013.) S
0 -605.5 M
% Page footer: the page number in 8-point Helvetica (FL index 8).
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 1 -) S
0 setgray
0 -8 M
grestore
% Restore the snapshot taken at the top of the page, then emit the page.
pgsave restore N
%%Page: 2 2
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -18 M
%%IncludeResource: font Times-Bold
15 2 Nf
(Copyright) S
[/View [/XYZ -4 757.0 null] /Dest /101 /DEST pdfmark
( ) S
(Notice) S
0 -42.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(Copyright \(c\) 2013 IETF Trust and the persons identified as the document authors. All rights ) S
(reserved.) S
0 -66.4 M
3.1208334 0 32 0 0 (This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF) A
0 -79.6 M
1.34730113 0 32 0 0 (Documents \(http://trustee.ietf.org/license-info\) in effect on the date of publication of this document.) A
0 -92.8 M
0.819475472 0 32 0 0 (Please review these documents carefully, as they describe your rights and restrictions with respect to) A
0 -106 M
0.287109375 0 32 0 0 (this document. Code Components extracted from this document must include Simplified BSD License) A
0 -119.2 M
1.24951172 0 32 0 0 (text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as) A
0 -132.4 M
(described in the Simplified BSD ) S
(License.) S
0 -143.4 M
[/View [/XYZ -4 613.6 null] /Dest /1 /DEST pdfmark
0 -162.4 M
15 2 Nf
(Table) S
[/View [/XYZ -4 612.6 null] /Dest /102 /DEST pdfmark
( of ) S
(Contents) S
0 -186.6 M
gsave
newpath
0 -187.7 M
8.25 0 RL
stroke
grestore
11 0 Nf
(1.) S
[/Rect [-1.0 -189.349991 9.25 -177.249985] /Subtype /Link /Border [0 0 0] /Dest /2 /ANN pdfmark
(\240 ) S
(Introduction) S
0 -199.8 M
(\240\240\240\240) S
gsave
newpath
11 -200.9 M
16.5 0 RL
stroke
grestore
(1.1.) S
[/Rect [10.0 -202.549988 28.5 -190.449982] /Subtype /Link /Border [0 0 0] /Dest /4 /ANN pdfmark
(\240 How to Use This ) S
(Document) S
0 -213 M
(\240\240\240\240) S
gsave
newpath
11 -214.1 M
16.5 0 RL
stroke
grestore
(1.2.) S
[/Rect [10.0 -215.749985 28.5 -203.649979] /Subtype /Link /Border [0 0 0] /Dest /6 /ANN pdfmark
(\240 ) S
(Terminology) S
0 -226.2 M
(\240\240\240\240) S
gsave
newpath
11 -227.3 M
16.5 0 RL
stroke
grestore
(1.3.) S
[/Rect [10.0 -228.949982 28.5 -216.849976] /Subtype /Link /Border [0 0 0] /Dest /8 /ANN pdfmark
(\240 Document Structure and Related ) S
(Documents) S
0 -239.4 M
gsave
newpath
0 -240.5 M
8.25 0 RL
stroke
grestore
(2.) S
[/Rect [-1.0 -242.149979 9.25 -230.049973] /Subtype /Link /Border [0 0 0] /Dest /10 /ANN pdfmark
(\240 Protocol ) S
(Overview) S
0 -252.6 M
(\240\240\240\240) S
gsave
newpath
11 -253.7 M
16.5 0 RL
stroke
grestore
(2.1.) S
[/Rect [10.0 -255.349976 28.5 -243.249969] /Subtype /Link /Border [0 0 0] /Dest /12 /ANN pdfmark
(\240 Messages ) S
(Overview) S
0 -265.8 M
(\240\240\240\240) S
gsave
newpath
11 -266.9 M
16.5 0 RL
stroke
grestore
(2.2.) S
[/Rect [10.0 -268.55 28.5 -256.449982] /Subtype /Link /Border [0 0 0] /Dest /14 /ANN pdfmark
(\240 Typical Flows of the ) S
(Protocol) S
0 -279 M
(\240\240\240\240) S
gsave
newpath
11 -280.1 M
16.5 0 RL
stroke
grestore
(2.3.) S
[/Rect [10.0 -281.75 28.5 -269.65] /Subtype /Link /Border [0 0 0] /Dest /17 /ANN pdfmark
(\240 Alternative ) S
(Flows) S
0 -292.2 M
gsave
newpath
0 -293.3 M
8.25 0 RL
stroke
grestore
(3.) S
[/Rect [-1.0 -294.95 9.25 -282.85] /Subtype /Link /Border [0 0 0] /Dest /20 /ANN pdfmark
(\240 Message ) S
(Syntax) S
0 -305.4 M
(\240\240\240\240) S
gsave
newpath
11 -306.5 M
16.5 0 RL
stroke
grestore
(3.1.) S
[/Rect [10.0 -308.150024 28.5 -296.050018] /Subtype /Link /Border [0 0 0] /Dest /22 /ANN pdfmark
(\240 ) S
(Values) S
0 -318.6 M
(\240\240\240\240\240\240\240\240) S
gsave
newpath
22 -319.7 M
24.75 0 RL
stroke
grestore
(3.1.1.) S
[/Rect [21.0 -321.350037 47.75 -309.250031] /Subtype /Link /Border [0 0 0] /Dest /24 /ANN pdfmark
(\240 ) S
(Tokens) S
0 -331.8 M
(\240\240\240\240\240\240\240\240) S
gsave
newpath
22 -332.9 M
24.75 0 RL
stroke
grestore
(3.1.2.) S
[/Rect [21.0 -334.550049 47.75 -322.450043] /Subtype /Link /Border [0 0 0] /Dest /26 /ANN pdfmark
(\240 ) S
(Strings) S
0 -345 M
(\240\240\240\240\240\240\240\240) S
gsave
newpath
22 -346.1 M
24.75 0 RL
stroke
grestore
(3.1.3.) S
[/Rect [21.0 -347.750061 47.75 -335.650055] /Subtype /Link /Border [0 0 0] /Dest /28 /ANN pdfmark
(\240 ) S
(Numbers) S
0 -358.2 M
gsave
newpath
0 -359.3 M
8.25 0 RL
stroke
grestore
(4.) S
[/Rect [-1.0 -360.950073 9.25 -348.850067] /Subtype /Link /Border [0 0 0] /Dest /31 /ANN pdfmark
(\240 ) S
(Messages) S
0 -371.4 M
(\240\240\240\240) S
gsave
newpath
11 -372.5 M
16.5 0 RL
stroke
grestore
(4.1.) S
[/Rect [10.0 -374.150085 28.5 -362.050079] /Subtype /Link /Border [0 0 0] /Dest /33 /ANN pdfmark
(\240 401-INIT and ) S
(401-STALE) S
0 -384.6 M
(\240\240\240\240) S
gsave
newpath
11 -385.7 M
16.5 0 RL
stroke
grestore
(4.2.) S
[/Rect [10.0 -387.350098 28.5 -375.250092] /Subtype /Link /Border [0 0 0] /Dest /35 /ANN pdfmark
(\240 ) S
(req-KEX-C1) S
0 -397.8 M
(\240\240\240\240) S
gsave
newpath
11 -398.9 M
16.5 0 RL
stroke
grestore
(4.3.) S
[/Rect [10.0 -400.55011 28.5 -388.450104] /Subtype /Link /Border [0 0 0] /Dest /37 /ANN pdfmark
(\240 ) S
(401-KEX-S1) S
0 -411 M
(\240\240\240\240) S
gsave
newpath
11 -412.1 M
16.5 0 RL
stroke
grestore
(4.4.) S
[/Rect [10.0 -413.750122 28.5 -401.650116] /Subtype /Link /Border [0 0 0] /Dest /39 /ANN pdfmark
(\240 ) S
(req-VFY-C) S
0 -424.2 M
(\240\240\240\240) S
gsave
newpath
11 -425.3 M
16.5 0 RL
stroke
grestore
(4.5.) S
[/Rect [10.0 -426.950134 28.5 -414.850128] /Subtype /Link /Border [0 0 0] /Dest /41 /ANN pdfmark
(\240 ) S
(200-VFY-S) S
0 -437.4 M
gsave
newpath
0 -438.5 M
8.25 0 RL
stroke
grestore
(5.) S
[/Rect [-1.0 -440.150146 9.25 -428.05014] /Subtype /Link /Border [0 0 0] /Dest /43 /ANN pdfmark
(\240 Session ) S
(Management) S
0 -450.6 M
gsave
newpath
0 -451.7 M
8.25 0 RL
stroke
grestore
(6.) S
[/Rect [-1.0 -453.350159 9.25 -441.250153] /Subtype /Link /Border [0 0 0] /Dest /45 /ANN pdfmark
(\240 Host Validation ) S
(Methods) S
0 -463.8 M
gsave
newpath
0 -464.9 M
8.25 0 RL
stroke
grestore
(7.) S
[/Rect [-1.0 -466.550171 9.25 -454.450165] /Subtype /Link /Border [0 0 0] /Dest /47 /ANN pdfmark
(\240 Decision Procedure for ) S
(Clients) S
0 -477 M
gsave
newpath
0 -478.1 M
8.25 0 RL
stroke
grestore
(8.) S
[/Rect [-1.0 -479.750183 9.25 -467.650177] /Subtype /Link /Border [0 0 0] /Dest /50 /ANN pdfmark
(\240 Decision Procedure for ) S
(Servers) S
0 -490.2 M
gsave
newpath
0 -491.3 M
8.25 0 RL
stroke
grestore
(9.) S
[/Rect [-1.0 -492.950195 9.25 -480.850189] /Subtype /Link /Border [0 0 0] /Dest /52 /ANN pdfmark
(\240 Applying for Specific Authentication ) S
(Schemes) S
0 -503.4 M
(\240\240\240\240) S
gsave
newpath
11 -504.5 M
16.5 0 RL
stroke
grestore
(9.1.) S
[/Rect [10.0 -506.150208 28.5 -494.050201] /Subtype /Link /Border [0 0 0] /Dest /54 /ANN pdfmark
(\240 Default Functions for ) S
(Algorithms) S
0 -516.6 M
gsave
newpath
0 -517.7 M
13.75 0 RL
stroke
grestore
(10.) S
[/Rect [-1.0 -519.35022 14.75 -507.250214] /Subtype /Link /Border [0 0 0] /Dest /56 /ANN pdfmark
(\240 Application Channel ) S
(Binding) S
0 -529.8 M
gsave
newpath
0 -530.9 M
13.75 0 RL
stroke
grestore
(11.) S
[/Rect [-1.0 -532.550232 14.75 -520.450256] /Subtype /Link /Border [0 0 0] /Dest /58 /ANN pdfmark
(\240 String ) S
(Preparation) S
0 -543 M
gsave
newpath
0 -544.1 M
13.75 0 RL
stroke
grestore
(12.) S
[/Rect [-1.0 -545.750244 14.75 -533.650269] /Subtype /Link /Border [0 0 0] /Dest /60 /ANN pdfmark
(\240 Application for Proxy ) S
(Authentication) S
0 -556.2 M
gsave
newpath
0 -557.3 M
13.75 0 RL
stroke
grestore
(13.) S
[/Rect [-1.0 -558.950256 14.75 -546.850281] /Subtype /Link /Border [0 0 0] /Dest /62 /ANN pdfmark
(\240 Methods to extend this protocol ) S
(template) S
0 -569.4 M
gsave
newpath
0 -570.5 M
13.75 0 RL
stroke
grestore
(14.) S
[/Rect [-1.0 -572.150269 14.75 -560.050293] /Subtype /Link /Border [0 0 0] /Dest /64 /ANN pdfmark
(\240 IANA ) S
(Considerations) S
0 -582.6 M
gsave
newpath
0 -583.7 M
13.75 0 RL
stroke
grestore
(15.) S
[/Rect [-1.0 -585.350281 14.75 -573.250305] /Subtype /Link /Border [0 0 0] /Dest /66 /ANN pdfmark
(\240 Security ) S
(Considerations) S
0 -595.8 M
(\240\240\240\240) S
gsave
newpath
11 -596.9 M
22.0 0 RL
stroke
grestore
(15.1.) S
[/Rect [10.0 -598.550293 34.0 -586.450317] /Subtype /Link /Border [0 0 0] /Dest /68 /ANN pdfmark
(\240 Security ) S
(Properties) S
0 -609 M
(\240\240\240\240) S
gsave
newpath
11 -610.1 M
22.0 0 RL
stroke
grestore
(15.2.) S
[/Rect [10.0 -611.750305 34.0 -599.65033] /Subtype /Link /Border [0 0 0] /Dest /70 /ANN pdfmark
(\240 Denial-of-service Attacks to ) S
(Servers) S
0 -622.2 M
gsave
newpath
0 -623.3 M
13.75 0 RL
stroke
grestore
(16.) S
[/Rect [-1.0 -624.950317 14.75 -612.850342] /Subtype /Link /Border [0 0 0] /Dest /74 /ANN pdfmark
(\240 ) S
(References) S
0 -635.4 M
(\240\240\240\240) S
gsave
newpath
11 -636.5 M
22.0 0 RL
stroke
grestore
(16.1.) S
[/Rect [10.0 -638.15033 34.0 -626.050354] /Subtype /Link /Border [0 0 0] /Dest /74 /ANN pdfmark
(\240 Normative ) S
(References) S
0 -648.6 M
(\240\240\240\240) S
gsave
newpath
11 -649.7 M
22.0 0 RL
stroke
grestore
(16.2.) S
[/Rect [10.0 -651.350342 34.0 -639.250366] /Subtype /Link /Border [0 0 0] /Dest /85 /ANN pdfmark
(\240 Informative ) S
(References) S
0 -661.8 M
gsave
newpath
0 -662.9 M
56.8203125 0 RL
stroke
grestore
(Appendix\240A.) S
[/Rect [-1.0 -664.550354 57.8203125 -652.450378] /Subtype /Link /Border [0 0 0] /Dest /93 /ANN pdfmark
(\240 \(Normative\) Support Functions and ) S
(Notations) S
0 -661.8 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 2 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 3 3
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
gsave
newpath
0 -14.3 M
56.2148438 0 RL
stroke
grestore
%%IncludeResource: font Times-Roman
11 0 Nf
(Appendix\240B.) S
[/Rect [-1.0 -15.9500008 57.2148438 -3.85000038] /Subtype /Link /Border [0 0 0] /Dest /95 /ANN pdfmark
(\240 \(Informative\) Draft Remarks from ) S
(Authors) S
0 -26.4 M
gsave
newpath
0 -27.5 M
5.5 0 RL
stroke
grestore
11 0 Nf
(\247) S
[/Rect [-1.0 -29.1500015 6.5 -17.0500011] /Subtype /Link /Border [0 0 0] /Dest /97 /ANN pdfmark
(\240 Authors' ) S
(Addresses) S
0 -37.4 M
[/View [/XYZ -4 719.6 null] /Dest /2 /DEST pdfmark
0 -37.4 M
[/View [/XYZ -4 719.6 null] /Dest /3 /DEST pdfmark
0 -56.4 M
%%IncludeResource: font Times-Bold
15 2 Nf
(1.) S
[/View [/XYZ -4 718.6 null] /Dest /103 /DEST pdfmark
( ) S
(Introduction) S
0 -80.6 M
11 0 Nf
2.14941406 0 32 0 0 (This document specifies a common protocol design template for authentication on the Hyper-text) A
0 -93.8 M
(Transport Protocol \(HTTP\) involving multi-hop message exchanges. ) S
0 -118 M
2.39453125 0 32 0 0 (To facilitate advanced authentication technologies such as hash-based exchanges, zero-knowledge) A
0 -131.2 M
3.41616583 0 32 0 0 (password proof, or public-key authentications on HTTP, a kind of state management and key) A
0 -144.4 M
0.829427063 0 32 0 0 (management facilities are required on the general HTTP authentication message framework. Also, to) A
0 -157.6 M
1.68146312 0 32 0 0 (optimize performance of such authentication schemes, a well-designed mechanism for key caching) A
0 -170.8 M
(and re-authentication are needed. ) S
0 -195 M
0.315805286 0 32 0 0 (The template defined in this document provides a generic foundation for implementing such advanced) A
0 -208.2 M
0.9609375 0 32 0 0 (authentication technologies. Such generic foundations can reduce cumbersomeness of both designers) A
0 -221.4 M
3.41829419 0 32 0 0 (and implementors of such authentication protocols on HTTP. By using this template, protocol) A
0 -234.6 M
0.981770813 0 32 0 0 (designers can easily apply any specific authenticated key exchange \(or agreement\) mechanisms onto) A
0 -247.8 M
5.58072901 0 32 0 0 (HTTP protocol and enable authentication session management, shared-key based optimized) A
0 -261 M
(re-authentication. ) S
0 -285.2 M
2.70638013 0 32 0 0 (The design template provided on this document is mainly designed for multi-hop authentication) A
0 -298.4 M
6.45507812 0 32 0 0 (mechanisms which do not use connection-based session managements. Some of existing) A
0 -311.6 M
2.01790357 0 32 0 0 (authentication technologies applied on HTTP/1.0 or 1.1 are bound to underlying TCP connection,) A
0 -324.8 M
0.316105783 0 32 0 0 (which violates strict definition of HTTP stateless semantics and not directly applicable to forthcoming) A
0 -338 M
1.040483 0 32 0 0 (HTTP/2.0. Retrofitting of such existing authentication schemes are out-of-scope of this specification) A
0 -351.2 M
(\(although, an additional specification for such retrofitting _may_ be defined on top of this template\). ) S
0 -375.4 M
0.476041675 0 32 0 0 (The template is defined using terminology and representation of existing HTTP/1.1, but it can be also) A
0 -388.6 M
(directly applied on forthcoming HTTP/2.0. ) S
0 -399.6 M
[/View [/XYZ -4 357.399933 null] /Dest /4 /DEST pdfmark
0 -399.6 M
[/View [/XYZ -4 357.399933 null] /Dest /5 /DEST pdfmark
0 -415.2 M
13 2 Nf
(1.1.) S
[/View [/XYZ -4 357.399933 null] /Dest /104 /DEST pdfmark
( How to Use This ) S
(Document) S
0 -439.4 M
11 0 Nf
0.986778855 0 32 0 0 (This document is only providing a "template" for actual implementation of HTTP authentication: by) A
0 -452.6 M
1.03147984 0 32 0 0 (itself only it will be useless. To use this document, there must be a specific definition document for) A
0 -465.8 M
1.79910719 0 32 0 0 (each authentication schemes referring to this document. In other words, this document and such a) A
0 -479 M
(specific definitions will compose "layers" of protocol definitions, the latter will exist upon the former. ) S
0 -503.2 M
1.53846157 0 32 0 0 (However, for implementors' perspective, the definitions in this document can be implemented as a) A
0 -516.4 M
4.15264416 0 32 0 0 ("base class" for multi-hop authentication: such class can be a common bases for "deriving") A
0 -529.6 M
0.345170468 0 32 0 0 (implementations of each authentication schemes, which will avoid duplicated implementation of same) A
0 -542.8 M
(features and reduce burdens for testing such implementations one by one. ) S
0 -567 M
(For terminology, this document uses the following three terms for referring each "layers" of protocols: ) S
11 -587.6 M
gsave
0 setgray
newpath
11.0 -587.57019 2.75 0 360 arc
closepath
fill
grestore
22 -591.2 M
2.33496094 0 32 0 0 ("The authentication template" or "this template" will refer to the common protocol template) A
22 -604.4 M
(defined in this document. ) S
11 -615 M
gsave
0 setgray
newpath
11.0 -614.970215 2.75 0 360 arc
closepath
fill
grestore
22 -618.6 M
0.0522836521 0 32 0 0 ("Authentication scheme\(s\)" will refer to a scheme which will realize a specific purpose/method of) A
22 -631.8 M
0.777043283 0 32 0 0 (authentication. Examples of these schemes \(which do not always depend on "this template"\) are) A
22 -645 M
1.2236979 0 32 0 0 (Basic, Digest and others. Each of them will also correspond to a specific "auth-scheme" in the) A
22 -658.2 M
(HTTP headers. ) S
22 -659.2 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 3 -) S
0 setgray
44 -8 M
grestore
pgsave restore N
%%Page: 4 4
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
11 -9.6 M
gsave
0 setgray
newpath
11.0 -9.57000065 2.75 0 360 arc
closepath
fill
grestore
22 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
2.35120749 0 32 0 0 ("Sub-algorithms" or simply "algorithms" in an authentication scheme will refer to variations) A
22 -26.4 M
11 0 Nf
1.48828125 0 32 0 0 (within a single authentication scheme which will provide a small differences of authentication) A
22 -39.6 M
0.103236608 0 32 0 0 (properties such as cryptographic strength or others. Examples of them are "auth" and "auth-int" in) A
22 -52.8 M
0.626065314 0 32 0 0 (Digest. Differences of used cryptographic primitives and/or parameters which provides the same) A
22 -52.8 M
0.98158282 0.98158282 scale

0.0 -13.2 RM
(functionalities except strengths \(e.g. key lengths, hash choices etc.\) will often fall into this ) S
(category.) S
1.01876271 1.01876271 scale

0 -76.8 M
[/View [/XYZ -4 680.243103 null] /Dest /6 /DEST pdfmark
0 -76.8 M
[/View [/XYZ -4 680.243103 null] /Dest /7 /DEST pdfmark
0 -92.4 M
%%IncludeResource: font Times-Bold
13 2 Nf
(1.2.) S
[/View [/XYZ -4 680.243103 null] /Dest /105 /DEST pdfmark
( ) S
(Terminology) S
0 -116.6 M
11 0 Nf
2.37011719 0 32 0 0 (The key words "MUST", "MUST\240NOT", "REQUIRED", "SHALL", "SHALL\240NOT", "SHOULD",) A
0 -129.8 M
1.49739587 0 32 0 0 ("SHOULD\240NOT", "RECOMMENDED", "NOT\240RECOMMENDED", "MAY", and "OPTIONAL" in) A
0 -143 M
(this document are to be interpreted as described in ) S
gsave
newpath
223.9 -144.1 M
50.1054688 0 RL
stroke
grestore
([RFC2119]) S
[/Rect [222.863281 -145.706894 274.96875 -133.606888] /Subtype /Link /Border [0 0 0] /Dest /79 /ANN pdfmark
(.) S
0 -167.2 M
6.61002588 0 32 0 0 (The terms "encouraged" and "advised" are used for suggestions that do not constitute) A
0 -180.4 M
3.4172585 0 32 0 0 ("SHOULD"-level requirements. People MAY freely choose not to include the suggested items) A
0 -193.6 M
0.508091509 0 32 0 0 (regarding ) A
gsave
newpath
45.4 -194.7 M
50.1054688 0 RL
stroke
grestore
0.508091509 0 32 0 0 ([RFC2119]) A
[/Rect [44.3984375 -196.306885 96.5039062 -184.206879] /Subtype /Link /Border [0 0 0] /Dest /79 /ANN pdfmark
0.508091509 0 32 0 0 (, but complying with those suggestions would be a best practice; it will improve) A
0 -206.8 M
(security, interoperability, and/or operational ) S
(performance.) S
0 -231 M
0.310302734 0 32 0 0 (This document distinguishes the terms "client" and "user" in the following way: A "client" is an entity) A
0 -244.2 M
0.23401989 0 32 0 0 (understanding and talking HTTP and the specified authentication protocol, usually computer software;) A
0 -257.4 M
(a "user" is a \(usually natural\) person who wants to access data resources using "a ) S
(client".) S
0 -281.6 M
2.9309895 0 32 0 0 (The term "natural numbers" refers to the non-negative integers \(including zero\) throughout this ) A
0 -294.8 M
(document.) S
0 -319 M
3.25270438 0 32 0 0 (This document treats target \(codomain\) of hash functions to be natural numbers. The notation) A
0 -332.2 M
(OCTETS\(H\(s\)\) gives a usual octet-string output of hash function H applied to string ) S
(s.) S
0 -343.2 M
[/View [/XYZ -4 413.843079 null] /Dest /8 /DEST pdfmark
0 -343.2 M
[/View [/XYZ -4 413.843079 null] /Dest /9 /DEST pdfmark
0 -358.8 M
13 2 Nf
(1.3.) S
[/View [/XYZ -4 413.843079 null] /Dest /106 /DEST pdfmark
( Document Structure and Related ) S
(Documents) S
0 -383 M
11 0 Nf
(The entire document is organized as follows: ) S
11 -403.5 M
gsave
0 setgray
newpath
11.0 -403.526947 2.75 0 360 arc
closepath
fill
grestore
22 -407.2 M
gsave
newpath
22 -408.3 M
41.2382812 0 RL
stroke
grestore
(Section\2402) S
[/Rect [21.0 -409.906952 64.2382812 -397.806946] /Subtype /Link /Border [0 0 0] /Dest /10 /ANN pdfmark
( presents an overview of the protocol design. ) S
11 -417.7 M
gsave
0 setgray
newpath
11.0 -417.726959 2.75 0 360 arc
closepath
fill
grestore
22 -421.4 M
0.380301327 0 32 0 0 (Sections ) A
gsave
newpath
62.4 -422.5 M
5.5 0 RL
stroke
grestore
0.380301327 0 32 0 0 (3) A
[/Rect [61.3945312 -424.106964 68.8945312 -412.006958] /Subtype /Link /Border [0 0 0] /Dest /20 /ANN pdfmark
0.380301327 0 32 0 0 ( to ) A
gsave
newpath
82.7 -422.5 M
5.5 0 RL
stroke
grestore
0.380301327 0 32 0 0 (8) A
[/Rect [81.7070312 -424.106964 89.2070312 -412.006958] /Subtype /Link /Border [0 0 0] /Dest /50 /ANN pdfmark
0.380301327 0 32 0 0 ( define a general template for the multi-hop authentication protocol. This template) A
22 -434.6 M
(is independent of specific cryptographic primitives and authentication schemes. ) S
11 -445.1 M
gsave
0 setgray
newpath
11.0 -445.126984 2.75 0 360 arc
closepath
fill
grestore
22 -448.8 M
gsave
newpath
22 -449.9 M
41.2382812 0 RL
stroke
grestore
4.01523447 0 32 0 0 (Section\2409) A
[/Rect [21.0 -451.507 64.2382812 -439.406982] /Subtype /Link /Border [0 0 0] /Dest /52 /ANN pdfmark
4.01523447 0 32 0 0 ( describes requirements for each authentication schemes used with this protocol) A
22 -462 M
0.127704322 0 32 0 0 (template, and defines a few functions which will be shared among such cryptographic algorithms. ) A
11 -472.5 M
gsave
0 setgray
newpath
11.0 -472.527 2.75 0 360 arc
closepath
fill
grestore
22 -476.2 M
(The sections after that contain general normative and informative information about the protocol. ) S
11 -486.7 M
gsave
0 setgray
newpath
11.0 -486.72702 2.75 0 360 arc
closepath
fill
grestore
22 -490.4 M
(The appendices contain some information that may help developers to implement the ) S
(protocol.) S
0 -501.4 M
[/View [/XYZ -4 255.642975 null] /Dest /10 /DEST pdfmark
0 -501.4 M
[/View [/XYZ -4 255.642975 null] /Dest /11 /DEST pdfmark
0 -520.4 M
15 2 Nf
(2.) S
[/View [/XYZ -4 254.642944 null] /Dest /107 /DEST pdfmark
( Protocol ) S
(Overview) S
0 -544.6 M
11 0 Nf
3.6940105 0 32 0 0 (The protocol template, as a whole, is designed as a natural extension to the ) A
gsave
newpath
383.4 -545.7 M
33.9362 0 RL
stroke
grestore
3.6940105 0 32 0 0 (HTTP ) A
gsave
newpath
417.3 -545.7 M
36.6523438 0 RL
stroke
grestore
3.6940105 0 32 0 0 (protocol) A
[/Rect [382.375 -547.307068 454.960938 -535.207092] /Subtype /Link /Border [0 0 0] /Dest /75 /ANN pdfmark
0 -557.8 M
0.330078125 0 32 0 0 ([I-D.ietf-httpbis-p1-messaging] using a framework defined in ) A
gsave
newpath
275.3 -558.9 M
110.84375 0 RL
stroke
grestore
0.330078125 0 32 0 0 ([I-D.ietf-httpbis-p7-auth]) A
[/Rect [274.296875 -560.50708 387.140625 -548.407104] /Subtype /Link /Border [0 0 0] /Dest /76 /ANN pdfmark
0.330078125 0 32 0 0 (. Internally, the) A
0 -571 M
0.734096 0 32 0 0 (server and the client will first perform a cryptographic key exchange, defined for each authentication) A
0 -584.2 M
1.0695312 0 32 0 0 (scheme. The key exchange will derive the same session keys only when the client and the server) A
0 -597.4 M
0.552584112 0 32 0 0 (agree on the authentication credentials used. Then, both peers will verify the authentication results) A
0 -610.6 M
0.791992188 0 32 0 0 (by confirming that they share the exchanged key. This section gives a brief overview of the protocol) A
0 -623.8 M
(and the exchanged messages. ) S
0 -634.8 M
[/View [/XYZ -4 122.242859 null] /Dest /12 /DEST pdfmark
0 -634.8 M
[/View [/XYZ -4 122.242859 null] /Dest /13 /DEST pdfmark
0 -634.8 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 4 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 5 5
%%PageResources: font Times-Roman Times-Bold Courier Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -15.6 M
%%IncludeResource: font Times-Bold
13 2 Nf
(2.1.) S
[/View [/XYZ -4 757.0 null] /Dest /108 /DEST pdfmark
( Messages ) S
(Overview) S
0 -39.8 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.697591126 0 32 0 0 (The authentication protocol template uses six kinds of messages to perform multi-hop authentication.) A
0 -53 M
(These messages have specific names within this specification. ) S
11 -73.6 M
gsave
0 setgray
newpath
11.0 -73.57 2.75 0 360 arc
closepath
fill
grestore
22 -77.2 M
(Authentication request messages: used by the servers to request clients to start authentication. ) S
33 -87.8 M
gsave
0 setgray
newpath
33.0 -87.77 2.75 0 360 arc
closepath
stroke
grestore
44 -91.4 M
0.425223202 0 32 0 0 (401-INIT message: a general message to start the authentication exchange. It is also used as) A
44 -104.6 M
(a message indicating an authentication failure. ) S
33 -115.2 M
gsave
0 setgray
newpath
33.0 -115.169991 2.75 0 360 arc
closepath
stroke
grestore
44 -118.8 M
(401-STALE message: a message indicating that the client has to start a new authentication ) S
(trial.) S
11 -129.4 M
gsave
0 setgray
newpath
11.0 -129.37 2.75 0 360 arc
closepath
fill
grestore
22 -133 M
2.14908862 0 32 0 0 (Authenticated key exchange messages: used by both peers to perform authentication and the) A
22 -146.2 M
(sharing of a session key \(shared secret\). ) S
33 -156.8 M
gsave
0 setgray
newpath
33.0 -156.769989 2.75 0 360 arc
closepath
stroke
grestore
44 -160.4 M
(req-KEX-C1 message: a message sent from the client. ) S
33 -171 M
gsave
0 setgray
newpath
33.0 -170.969986 2.75 0 360 arc
closepath
stroke
grestore
44 -174.6 M
2.43149042 0 32 0 0 (401-KEX-S1 message: a message sent from the server as a response to a req-KEX-C1 ) A
44 -187.8 M
(message.) S
11 -198.4 M
gsave
0 setgray
newpath
11.0 -198.36998 2.75 0 360 arc
closepath
fill
grestore
22 -202 M
(Authentication verification messages: used by both peers to verify the authentication results. ) S
33 -212.6 M
gsave
0 setgray
newpath
33.0 -212.569977 2.75 0 360 arc
closepath
stroke
grestore
44 -216.2 M
1.00488281 0 32 0 0 (req-VFY-C message: a message used by the client, requesting that the server authenticates) A
44 -229.4 M
(and authorizes the client. ) S
33 -240 M
gsave
0 setgray
newpath
33.0 -239.969971 2.75 0 360 arc
closepath
stroke
grestore
44 -243.6 M
1.27854562 0 32 0 0 (200-VFY-S message: a successful response used by the server, and also asserting that the) A
44 -256.8 M
(server is authentic to the client ) S
(simultaneously.) S
0 -281 M
1.87706804 0 32 0 0 (In addition to the above, either a request or a response without any HTTP headers related to this) A
0 -294.2 M
(specification will be hereafter called a "normal request" or a "normal response", respectively. ) S
0 -305.2 M
[/View [/XYZ -4 451.800018 null] /Dest /14 /DEST pdfmark
0 -305.2 M
[/View [/XYZ -4 451.800018 null] /Dest /15 /DEST pdfmark
0 -320.8 M
13 2 Nf
(2.2.) S
[/View [/XYZ -4 451.800018 null] /Dest /109 /DEST pdfmark
( Typical Flows of the ) S
(Protocol) S
0 -345 M
11 0 Nf
0.988541663 0 32 0 0 (In typical cases, the client access to a resource protected by authentication will follow the following) A
0 -358.2 M
(protocol ) S
(sequence.) S
0 -369.2 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -380.2 M
[/View [/XYZ -4 376.8 null] /Dest /16 /DEST pdfmark
0 -391 M
%%IncludeResource: font Courier
9.0 4 Nf
(       Client                                 Server) S
0 -401.8 M
(         |                                      |) S
0 -412.6 M
(         |  ---- \(1\) normal request --------->  |) S
0 -423.4 M
(     GET / HTTP/1.1                             |) S
0 -434.2 M
(         |                                      |) S
0 -445 M
(         |  <---------------- \(2\) 401-INIT ---  |) S
0 -455.8 M
(         |            401 Authentication Required) S
0 -466.6 M
(         |            WWW-Authenticate: Example realm="a realm") S
0 -477.4 M
(         |                                      |) S
0 -488.2 M
([user,   |                                      |) S
0 -499 M
( cred.]->|                                      |) S
0 -509.8 M
(         |  ---- \(3\) req-KEX-C1 ------------->  |) S
0 -520.6 M
(     GET / HTTP/1.1                             |) S
0 -531.4 M
(     Authorization: Example user="john",        |--> [user DB]) S
0 -542.2 M
(                    kc1="...", ...              |<-- [user info]) S
0 -553 M
(         |                                      |) S
0 -563.8 M
(         |  <-------------- \(4\) 401-KEX-S1 ---  |) S
0 -574.6 M
(         |           401 Authentication Required) S
0 -585.4 M
(         |           WWW-Authenticate: Example sid=..., ks1="...", ...) S
0 -596.2 M
(         |                                      |) S
0 -607 M
(     [compute] \(5\) compute session secret   [compute]) S
0 -617.8 M
(         |                                      |) S
0 -628.6 M
(         |                                      |) S
0 -639.4 M
(         |  ---- \(6\) req-VFY-C -------------->  |) S
0 -650.2 M
(     GET / HTTP/1.1                             |--> [verify \(6\)]) S
0 -661 M
(     Authorization: Example sid=...,            |<-- OK) S
0 -671.8 M
(                    vkc="...", ...              |) S
0 -671.8 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 5 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 6 6
%%PageResources: font Times-Roman Times-Bold Courier Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -10.8 M
%%IncludeResource: font Courier
9.0 4 Nf
(         |                                      |) S
0 -21.6 M
9.0 4 Nf
(         |  <--------------- \(7\) 200-VFY-S ---  |) S
0 -32.4 M
([verify  |           200 OK                     |) S
0 -43.2 M
(  \(7\)]<--|           Authentication-Info: Example vks="...") S
0 -54 M
(         |                                      |) S
0 -64.8 M
(         v                                      v) S
119.2 -87.7 M
%%IncludeResource: font Times-Bold
7.63889 2 Nf
(\240Figure\2401: Typical communication flow for first access to ) S
(resource\240) S
0 -101.6 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
11 -122.2 M
gsave
0 setgray
newpath
11.0 -122.21862 2.75 0 360 arc
closepath
fill
grestore
22 -125.8 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.02026367 0 32 0 0 (As usual in general HTTP protocol designs, a client will at first request a resource without any) A
22 -139 M
0.554086566 0 32 0 0 (authentication attempt \(1\). If the requested resource is protected by the authentication, the server) A
22 -152.2 M
(will respond with a message requesting authentication \(401-INIT\) \(2\). ) S
11 -162.8 M
gsave
0 setgray
newpath
11.0 -162.818619 2.75 0 360 arc
closepath
fill
grestore
22 -166.4 M
0.981689453 0 32 0 0 (The client processes the body of the message, and waits for the user to input the authentication) A
22 -179.6 M
2.2507813 0 32 0 0 (credentials \(such as a user name and a password\). When the credentials to be used become) A
22 -192.8 M
1.14002407 0 32 0 0 (available, the client will send a message with the authenticated key exchange \(req-KEX-C1\) to) A
22 -206 M
(start the authentication \(3\). ) S
11 -216.6 M
gsave
0 setgray
newpath
11.0 -216.618607 2.75 0 360 arc
closepath
fill
grestore
22 -220.2 M
1.08203125 0 32 0 0 (If the server has received a req-KEX-C1 message, the server looks up the user's authentication) A
22 -233.4 M
1.34291291 0 32 0 0 (information within its user database. Then the server creates a new session identifier \(sid\) that) A
22 -246.6 M
1.33616734 0 32 0 0 (will be used to identify sets of the messages that follow it, and responds back with a message) A
22 -259.8 M
(containing a server-side authenticated key exchange value \(401-KEX-S1\) \(4\). ) S
11 -270.4 M
gsave
0 setgray
newpath
11.0 -270.41861 2.75 0 360 arc
closepath
fill
grestore
22 -274 M
0.421630859 0 32 0 0 (At this point \(5\), both peers calculate a shared "session secret" using the exchanged values in the) A
22 -287.2 M
1.20735681 0 32 0 0 (key exchange messages. It is assumed that the underlying authentication protocol will generate the) A
22 -300.4 M
1.85606968 0 32 0 0 (same "session secret" on both sides only when the user authentication succeeds. This session) A
22 -313.6 M
(secret will be used for the actual access authentication after this point. ) S
11 -324.2 M
gsave
0 setgray
newpath
11.0 -324.218658 2.75 0 360 arc
closepath
fill
grestore
22 -327.8 M
0.013521635 0 32 0 0 (The client will send a request with a client-side authentication verification value \(req-VFY-C\) \(6\),) A
22 -341 M
3.44320917 0 32 0 0 (generated from the client-owned session secret. The server will check the validity of the) A
22 -354.2 M
(verification value using its own session secret. ) S
11 -364.8 M
gsave
0 setgray
newpath
11.0 -364.818695 2.75 0 360 arc
closepath
fill
grestore
22 -368.4 M
2.69614959 0 32 0 0 (If the authentication verification value from the client was correct, it means that the client) A
22 -381.6 M
4.62812519 0 32 0 0 (definitely owns the credentials required for authentication. \(i.e. the client authentication) A
22 -394.8 M
(succeeded.\) The server will respond with a successful message \(200-VFY-S\) \(7\). ) S
22 -408 M
1.8483665 0 32 0 0 (When the client's verification value is incorrect \(e.g.\240because the user-supplied password was) A
22 -421.2 M
2.0476563 0 32 0 0 (incorrect\), the server will respond with the 401-INIT message \(the same one as used in \(2\)\)) A
22 -434.4 M
(instead. ) S
11 -445 M
gsave
0 setgray
newpath
11.0 -445.018768 2.75 0 360 arc
closepath
fill
grestore
22 -448.6 M
2.4296875 0 32 0 0 (The response \(200-VFY-S\) may contain the server-side authentication verification value \(7\).) A
22 -461.8 M
0.624565959 0 32 0 0 (When the underlying authentication mechanism supports bidirectional authentication, clients can) A
22 -475 M
(check the server's identity using this information. ) S
0 -486 M
[/View [/XYZ -4 270.951202 null] /Dest /17 /DEST pdfmark
0 -486 M
[/View [/XYZ -4 270.951202 null] /Dest /18 /DEST pdfmark
0 -501.6 M
13 2 Nf
(2.3.) S
[/View [/XYZ -4 270.951202 null] /Dest /110 /DEST pdfmark
( Alternative ) S
(Flows) S
0 -525.8 M
11 0 Nf
0.0571986623 0 32 0 0 (As shown above, the typical flow for a first authenticated request requires three request-response pairs.) A
0 -539 M
1.75330532 0 32 0 0 (To reduce the protocol overhead, the protocol enables several short-cut flows which require fewer ) A
0 -552.2 M
(messages.) S
11 -572.8 M
gsave
0 setgray
newpath
11.0 -572.818848 2.75 0 360 arc
closepath
fill
grestore
22 -576.4 M
1.51855469 0 32 0 0 (\(case A\) If the client knows that the resource is likely to require the authentication, the client) A
22 -589.6 M
4.54199219 0 32 0 0 (MAY omit the first unauthenticated request \(1\) and immediately send a key exchange) A
22 -602.8 M
(\(req-KEX-C1 message\). This will reduce one round-trip of messages. ) S
11 -613.4 M
gsave
0 setgray
newpath
11.0 -613.418884 2.75 0 360 arc
closepath
fill
grestore
22 -617 M
0.099724263 0 32 0 0 (\(case B\) If both the client and the server previously shared a session secret associated with a valid) A
22 -630.2 M
1.46664667 0 32 0 0 (session identifier \(sid\), the client MAY directly send a req-VFY-C message using the existing) A
22 -643.4 M
1.87076819 0 32 0 0 (session identifier and corresponding session secret. This will further reduce one round-trip of) A
22 -656.6 M
(messages. ) S
22 -669.8 M
0.028645834 0 32 0 0 (In such cases, the server MAY have thrown out the corresponding sessions from the session table.) A
22 -669.8 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 6 -) S
0 setgray
44 -8 M
grestore
pgsave restore N
%%Page: 7 7
%%PageResources: font Times-Roman Times-Bold Courier Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
22 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.558854163 0 32 0 0 (In this case, the server will respond with a 401-STALE message, indicating a new key exchange) A
22 -26.4 M
11 0 Nf
(is required. The client SHOULD retry constructing a req-KEX-C1 message in this case. ) S
0 -50.6 M
gsave
newpath
0 -51.7 M
36.9609375 0 RL
stroke
grestore
6.4268465 0 32 0 0 (Figure\2402) A
[/Rect [-1.0 -53.3500023 37.9609375 -41.25] /Subtype /Link /Border [0 0 0] /Dest /19 /ANN pdfmark
6.4268465 0 32 0 0 ( depicts the shortcut flows described above. Under the appropriate settings and) A
0 -63.8 M
0.0473632812 0 32 0 0 (implementations, most of the requests to resources are expected to meet both the criteria, and thus only) A
0 -77 M
(one round-trip of request/responses will be required in most cases. ) S
0 -88 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -99 M
[/View [/XYZ -4 658.0 null] /Dest /19 /DEST pdfmark
0 -109.8 M
%%IncludeResource: font Courier
9.0 4 Nf
(    \(A\) omit first request) S
0 -120.6 M
(       \(2 round trips\)) S
0 -142.2 M
(     Client            Server) S
0 -153 M
(     |                      |) S
0 -163.8 M
(     | --- req-KEX-C1 ----> |) S
0 -174.6 M
(     |                      |) S
0 -185.4 M
(     | <---- 401-KEX-S1 --- |) S
0 -196.2 M
(     |                      |) S
0 -207 M
(     | ---- req-VFY-C ----> |) S
0 -217.8 M
(     |                      |) S
0 -228.6 M
(     | <----- 200-VFY-S --- |) S
0 -239.4 M
(     |                      |) S
0 -271.8 M
(    \(B\) reusing session secret \(re-authentication\)) S
0 -293.4 M
(      \(B-1\) key available        \(B-2\) key expired) S
0 -304.2 M
(              \(1 round trip\)             \(3 round trips\)) S
0 -325.8 M
(     Client            Server   Client              Server) S
0 -336.6 M
(     |                      |   |                        |) S
0 -347.4 M
(     | ---- req-VFY-C ----> |   | --- req-VFY-C -------> |) S
0 -358.2 M
(     |                      |   |                        |) S
0 -369 M
(     | <----- 200-VFY-S --- |   | <------- 401-STALE --- |) S
0 -379.8 M
(     |                      |   |                        |) S
0 -390.6 M
(                                | --- req-KEX-C1 ------> |) S
0 -401.4 M
(                                |                        |) S
0 -412.2 M
(                                | <------ 401-KEX-S1 --- |) S
0 -423 M
(                                |                        |) S
0 -433.8 M
(                                | --- req-VFY-C -------> |) S
0 -444.6 M
(                                |                        |) S
0 -455.4 M
(                                | <------- 200-VFY-S --- |) S
0 -466.2 M
(                                |                        |) S
149.6 -489.1 M
%%IncludeResource: font Times-Bold
7.63889 2 Nf
(\240Figure\2402: Several alternative flows on ) S
(protocol\240) S
0 -503 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -527.2 M
11 0 Nf
(For more details, see Sections ) S
gsave
newpath
134.4 -528.3 M
5.5 0 RL
stroke
grestore
(7) S
[/Rect [133.386719 -529.998413 140.886719 -517.898438] /Subtype /Link /Border [0 0 0] /Dest /47 /ANN pdfmark
( and ) S
gsave
newpath
161.3 -528.3 M
5.5 0 RL
stroke
grestore
(8) S
[/Rect [160.269531 -529.998413 167.769531 -517.898438] /Subtype /Link /Border [0 0 0] /Dest /50 /ANN pdfmark
(. ) S
0 -538.2 M
[/View [/XYZ -4 218.751587 null] /Dest /20 /DEST pdfmark
0 -538.2 M
[/View [/XYZ -4 218.751587 null] /Dest /21 /DEST pdfmark
0 -557.2 M
15 2 Nf
(3.) S
[/View [/XYZ -4 217.751587 null] /Dest /111 /DEST pdfmark
( Message ) S
(Syntax) S
0 -581.4 M
11 0 Nf
0.806490362 0 32 0 0 (Throughout this specification, the syntax is denoted in the extended augmented BNF syntax defined) A
0 -594.6 M
5.54730892 0 32 0 0 (in ) A
gsave
newpath
16.9 -595.7 M
138.335938 0 RL
stroke
grestore
5.54730892 0 32 0 0 ([I-D.ietf-httpbis-p1-messaging]) A
[/Rect [15.8515625 -597.398438 156.1875 -585.298462] /Subtype /Link /Border [0 0 0] /Dest /75 /ANN pdfmark
5.54730892 0 32 0 0 ( and ) A
gsave
newpath
187.7 -595.7 M
50.1054688 0 RL
stroke
grestore
5.54730892 0 32 0 0 ([RFC5234]) A
[/Rect [186.664062 -597.398438 238.769531 -585.298462] /Subtype /Link /Border [0 0 0] /Dest /83 /ANN pdfmark
5.54730892 0 32 0 0 (. The following elements are quoted from ) A
0 -607.8 M
gsave
newpath
0 -608.9 M
50.1054688 0 RL
stroke
grestore
4.91210938 0 32 0 0 ([RFC5234]) A
[/Rect [-1.0 -610.59845 51.1054688 -598.498474] /Subtype /Link /Border [0 0 0] /Dest /83 /ANN pdfmark
4.91210938 0 32 0 0 (, ) A
gsave
newpath
60.5 -608.9 M
138.335938 0 RL
stroke
grestore
4.91210938 0 32 0 0 ([I-D.ietf-httpbis-p1-messaging]) A
[/Rect [59.515625 -610.59845 199.851562 -598.498474] /Subtype /Link /Border [0 0 0] /Dest /75 /ANN pdfmark
4.91210938 0 32 0 0 ( and ) A
gsave
newpath
230.1 -608.9 M
110.84375 0 RL
stroke
grestore
4.91210938 0 32 0 0 ([I-D.ietf-httpbis-p7-auth]) A
[/Rect [229.054688 -610.59845 341.898438 -598.498474] /Subtype /Link /Border [0 0 0] /Dest /76 /ANN pdfmark
4.91210938 0 32 0 0 (: DIGIT, ALPHA, SP,) A
0 -621 M
(auth-scheme, quoted-string, auth-param, header-field, token, challenge, and ) S
(credential.) S
0 -632 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 7 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 8 8
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.0419034101 0 32 0 0 (Authentication schemes using this template use three headers: WWW-Authenticate \(in responses with) A
0 -26.4 M
1.69140625 0 32 0 0 (status code 401\), Authorization \(in requests\), and Authentication-Info \(in responses other than 401) A
0 -39.6 M
3.34765625 0 32 0 0 (status\). These headers follow a common framework described in ) A
gsave
newpath
317.2 -40.7 M
110.84375 0 RL
stroke
grestore
3.34765625 0 32 0 0 ([I-D.ietf-httpbis-p7-auth]) A
[/Rect [316.207031 -42.3500023 429.050781 -30.2500019] /Subtype /Link /Border [0 0 0] /Dest /76 /ANN pdfmark
3.34765625 0 32 0 0 (. The) A
0 -52.8 M
(detailed meanings for these headers are contained in ) S
gsave
newpath
232.7 -53.9 M
41.2382812 0 RL
stroke
grestore
(Section\2404) S
[/Rect [231.707031 -55.5500031 274.945312 -43.4500046] /Subtype /Link /Border [0 0 0] /Dest /31 /ANN pdfmark
(. ) S
0 -77 M
3.4173677 0 32 0 0 (Each authentication scheme using this template SHALL specify a single token specific to the) A
0 -90.2 M
0.919270813 0 32 0 0 (underlying scheme \(like Basic or Digest\). All of the "auth-scheme" contained in all of those headers) A
0 -103.4 M
(MUST be that token. ) S
0 -127.6 M
1.70039058 0 32 0 0 (The framework in ) A
gsave
newpath
87.2 -128.7 M
110.84375 0 RL
stroke
grestore
1.70039058 0 32 0 0 ([I-D.ietf-httpbis-p7-auth]) A
[/Rect [86.2460938 -130.349991 199.089844 -118.249992] /Subtype /Link /Border [0 0 0] /Dest /76 /ANN pdfmark
1.70039058 0 32 0 0 ( defines the syntax for the headers WWW-Authenticate) A
0 -140.8 M
1.06380212 0 32 0 0 (and Authorization as the syntax elements "challenge" and "credentials", respectively. The syntax for) A
0 -154 M
5.54264307 0 32 0 0 ("challenge" and "credentials" to be used with this template SHALL be name-value pairs) A
0 -167.2 M
(\(#auth-param\), not the "b64token" defined in ) S
gsave
newpath
201.1 -168.3 M
110.84375 0 RL
stroke
grestore
([I-D.ietf-httpbis-p7-auth]) S
[/Rect [200.082031 -169.949982 312.925781 -157.849976] /Subtype /Link /Border [0 0 0] /Dest /76 /ANN pdfmark
(. ) S
0 -191.4 M
1.66741073 0 32 0 0 (The Authentication-Info: header used in this protocol SHALL contain a value in the same syntax as) A
0 -204.6 M
(that of the "WWW-Authenticate" header, i.e. the "challenge" syntax element. ) S
0 -228.8 M
5.98366499 0 32 0 0 (In HTTP, the WWW-Authenticate header may contain more than one challenge. Client) A
0 -242 M
(implementations SHOULD be aware of and be capable of handling those cases correctly. ) S
0 -253 M
[/View [/XYZ -4 504.000031 null] /Dest /22 /DEST pdfmark
0 -253 M
[/View [/XYZ -4 504.000031 null] /Dest /23 /DEST pdfmark
0 -268.6 M
%%IncludeResource: font Times-Bold
13 2 Nf
(3.1.) S
[/View [/XYZ -4 504.000031 null] /Dest /112 /DEST pdfmark
( ) S
(Values) S
0 -292.8 M
11 0 Nf
1.18489587 0 32 0 0 (The parameter values contained in challenge/credentials MUST be parsed strictly conforming to the) A
0 -306 M
0.739483178 0 32 0 0 (HTTP semantics \(especially un-quoting of the string parameter values\). In this protocol, those values) A
0 -319.2 M
1.08268225 0 32 0 0 (are further categorized into the following value types: tokens, string, integer, hex-fixed-number, and ) A
0 -332.4 M
(base64-fixed-number.) S
0 -356.6 M
2.53417969 0 32 0 0 (For clarity, implementations are encouraged to use the canonical representations specified in the) A
0 -369.8 M
2.45205975 0 32 0 0 (following subsections for sending values. Recipients SHOULD accept both quoted and unquoted) A
0 -383 M
(representations interchangeably as specified in ) S
(HTTP.) S
0 -394 M
[/View [/XYZ -4 362.999939 null] /Dest /24 /DEST pdfmark
0 -394 M
[/View [/XYZ -4 362.999939 null] /Dest /25 /DEST pdfmark
0 -409.6 M
13 2 Nf
(3.1.1.) S
[/View [/XYZ -4 362.999939 null] /Dest /113 /DEST pdfmark
( ) S
(Tokens) S
0 -433.8 M
11 0 Nf
2.83255219 0 32 0 0 (Tokens will have the syntax of the "token" defined in HTTP. The canonical format for tokens is) A
0 -447 M
(unquoted ) S
(tokens.) S
0 -458 M
[/View [/XYZ -4 298.999908 null] /Dest /26 /DEST pdfmark
0 -458 M
[/View [/XYZ -4 298.999908 null] /Dest /27 /DEST pdfmark
0 -473.6 M
13 2 Nf
(3.1.2.) S
[/View [/XYZ -4 298.999908 null] /Dest /114 /DEST pdfmark
( ) S
(Strings) S
0 -497.8 M
11 0 Nf
2.47836542 0 32 0 0 (All character strings outside ASCII character sets MUST be encoded using the ) A
gsave
newpath
378.5 -498.9 M
35.1619606 0 RL
stroke
grestore
2.47836542 0 32 0 0 (UTF-8 ) A
gsave
newpath
413.7 -498.9 M
40.3203125 0 RL
stroke
grestore
2.47836542 0 32 0 0 (encoding) A
[/Rect [377.496094 -500.55011 454.976562 -488.450104] /Subtype /Link /Border [0 0 0] /Dest /80 /ANN pdfmark
0 -511 M
3.7858665 0 32 0 0 ([RFC3629] for the ) A
gsave
newpath
96 -512.1 M
114.27166 0 RL
stroke
grestore
3.7858665 0 32 0 0 (ISO 10646-1 character ) A
gsave
newpath
210.2 -512.1 M
12.2148438 0 RL
stroke
grestore
3.7858665 0 32 0 0 (set) A
[/Rect [94.96875 -513.750122 223.453125 -501.650116] /Subtype /Link /Border [0 0 0] /Dest /86 /ANN pdfmark
3.7858665 0 32 0 0 ( [ISO.10646-1.1993], without any leading BOM) A
0 -524.2 M
0.481670678 0 32 0 0 (characters. Both peers are RECOMMENDED to reject any invalid UTF-8 sequences that might cause) A
0 -537.4 M
3.49302459 0 32 0 0 (decoding ambiguities \(e.g., containing <"> in the second or later byte of the UTF-8 encoded) A
0 -550.6 M
(characters\). ) S
0 -574.8 M
1.0703125 0 32 0 0 (If strings are representing a domain name or URI that contains non-ASCII characters, the host parts) A
0 -588 M
0.763327181 0 32 0 0 (SHOULD be encoded as it is used in the HTTP protocol layer \(e.g.\240in a Host: header\); under current) A
0 -601.2 M
(standards it will be the one defined in ) S
gsave
newpath
168 -602.3 M
50.1054688 0 RL
stroke
grestore
([RFC5890]) S
[/Rect [166.988281 -603.950195 219.09375 -591.85022] /Subtype /Link /Border [0 0 0] /Dest /91 /ANN pdfmark
(. It SHOULD use lower-case ASCII characters. ) S
0 -625.4 M
(The canonical format for strings is ) S
(quoted-string.) S
0 -636.4 M
[/View [/XYZ -4 120.599792 null] /Dest /28 /DEST pdfmark
0 -636.4 M
[/View [/XYZ -4 120.599792 null] /Dest /29 /DEST pdfmark
0 -636.4 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 8 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 9 9
%%PageResources: font Times-Roman Times-Bold Courier Courier-Oblique Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -15.6 M
%%IncludeResource: font Times-Bold
13 2 Nf
(3.1.3.) S
[/View [/XYZ -4 757.0 null] /Dest /115 /DEST pdfmark
( ) S
(Numbers) S
0 -39.8 M
%%IncludeResource: font Times-Roman
11 0 Nf
(The following syntax definitions give a syntax for number-type ) S
(values:) S
0 -50.8 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -61.8 M
[/View [/XYZ -4 695.2 null] /Dest /30 /DEST pdfmark
0 -72.6 M
%%IncludeResource: font Courier
9.0 4 Nf
( ) S
%%IncludeResource: font Courier-Oblique
9.0 5 Nf
(integer) S
9.0 4 Nf
(          = "0" / \(%x31-39 *) S
9.0 5 Nf
(DIGIT) S
9.0 4 Nf
(\)      ) S
9.0 5 Nf
(; no leading zeros) S
0 -83.4 M
9.0 4 Nf
( ) S
9.0 5 Nf
(hex-fixed-number) S
9.0 4 Nf
( = 1*\(2\() S
9.0 5 Nf
(DIGIT) S
9.0 4 Nf
( / %x41-46 / %x61-66\)\)) S
0 -94.2 M
9.0 4 Nf
( ) S
9.0 5 Nf
(base64-fixed-number) S
9.0 4 Nf
( = 1*\( ) S
9.0 5 Nf
(ALPHA) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(DIGIT) S
9.0 4 Nf
( /) S
0 -105 M
(                        "-" / "." / "_" / "~" / "+" / "/" \) *"=") S
160.8 -127.9 M
7.63889 2 Nf
(\240Figure\2403: BNF syntax for number ) S
(types\240) S
0 -141.8 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -166 M
11 0 Nf
1.88560271 0 32 0 0 (The syntax definition of the integers only allows representations that do not contain extra leading) A
0 -179.2 M
(zeros. ) S
0 -203.4 M
1.58864188 0 32 0 0 (The numbers represented as a hex-fixed-number MUST include an even number of characters \(i.e.) A
0 -216.6 M
0.469029 0 32 0 0 (multiples of eight bits\). Those values are case-insensitive, and SHOULD be sent in lower-case. When) A
0 -229.8 M
0.591947138 0 32 0 0 (these values are generated from any cryptographic values, they SHOULD have their "natural length":) A
0 -243 M
1.36547852 0 32 0 0 (if these are generated from a hash function, these lengths SHOULD correspond to the hash size; if) A
0 -256.2 M
0.540625 0 32 0 0 (these are representing elements of a mathematical set \(or group\), its lengths SHOULD be the shortest) A
0 -269.4 M
0.241727948 0 32 0 0 (for representing all the elements in the set. For example, any results of SHA-256 hash function will be) A
0 -282.6 M
1.38560271 0 32 0 0 (represented by 64 characters, and any elements in 2048-bit prime field \(modulo a 2048-bit integer\)) A
0 -295.8 M
1.62706804 0 32 0 0 (will be represented by 512 characters, regardless of how many 0's appear in front of such) A
0 -309 M
1.20849609 0 32 0 0 (representations. Session-identifiers and other non-cryptographically generated values are represented) A
0 -322.2 M
0.024522569 0 32 0 0 (in any \(even\) length determined by the side who generates it first, and the same length SHALL be used) A
0 -335.4 M
(throughout all communications by both peers. ) S
0 -359.6 M
0.0600961521 0 32 0 0 (The numbers represented as base64-fixed-number SHALL be generated as follows: first, the number is) A
0 -372.8 M
3.04352689 0 32 0 0 (converted to a big-endian radix-256 binary representation as an octet string. The length of the) A
0 -386 M
0.965625 0 32 0 0 (representation is determined in the same way as mentioned above. Then, the string is encoded using ) A
0 -399.2 M
gsave
newpath
0 -400.3 M
64.2542572 0 RL
stroke
grestore
3.39595175 0 32 0 0 (the Base 64 ) A
gsave
newpath
64.2 -400.3 M
40.3203125 0 RL
stroke
grestore
3.39595175 0 32 0 0 (encoding) A
[/Rect [-1.0 -401.998749 105.570312 -389.898743] /Subtype /Link /Border [0 0 0] /Dest /82 /ANN pdfmark
3.39595175 0 32 0 0 ( [RFC4648] without any spaces and newlines. Implementations decoding) A
0 -412.4 M
3.34548616 0 32 0 0 (base64-fixed-number SHOULD reject any input data with invalid characters, excess/insufficient) A
0 -425.6 M
(paddings, or non-canonical pad bits \(See Sections 3.1 to 3.5 of ) S
gsave
newpath
278 -426.7 M
50.1054688 0 RL
stroke
grestore
([RFC4648]) S
[/Rect [276.964844 -428.398773 329.070312 -416.298767] /Subtype /Link /Border [0 0 0] /Dest /82 /ANN pdfmark
(\). ) S
0 -449.8 M
5.2320962 0 32 0 0 (The canonical format for integer and hex-fixed-number are unquoted tokens, and that for) A
0 -463 M
(base64-fixed-number is quoted-string \(as it will contain equal signs, plus signs and ) S
(slashes\).) S
0 -474 M
[/View [/XYZ -4 282.951202 null] /Dest /31 /DEST pdfmark
0 -474 M
[/View [/XYZ -4 282.951202 null] /Dest /32 /DEST pdfmark
0 -493 M
15 2 Nf
(4.) S
[/View [/XYZ -4 281.951202 null] /Dest /116 /DEST pdfmark
( ) S
(Messages) S
0 -517.2 M
11 0 Nf
0.671415448 0 32 0 0 (In this section we define the six kinds of messages used in the authentication protocol along with the) A
0 -530.4 M
(formats and requirements of the headers for each message. ) S
0 -554.6 M
(To determine which messages are expected to be sent, see Sections ) S
gsave
newpath
293.8 -555.7 M
5.5 0 RL
stroke
grestore
(7) S
[/Rect [292.800781 -557.398804 300.300781 -545.298828] /Subtype /Link /Border [0 0 0] /Dest /47 /ANN pdfmark
( and ) S
gsave
newpath
320.7 -555.7 M
5.5 0 RL
stroke
grestore
(8) S
[/Rect [319.683594 -557.398804 327.183594 -545.298828] /Subtype /Link /Border [0 0 0] /Dest /50 /ANN pdfmark
(.) S
0 -578.8 M
2.9432292 0 32 0 0 (In the descriptions below, the type of allowable values for each header parameter is shown in) A
0 -592 M
1.64737213 0 32 0 0 (parenthesis after each parameter name. The "algorithm-determined" type means that the acceptable) A
0 -605.2 M
0.506167769 0 32 0 0 (value for the parameter is one of the types defined in ) A
gsave
newpath
240.4 -606.3 M
41.2382812 0 RL
stroke
grestore
0.506167769 0 32 0 0 (Section\2403) A
[/Rect [239.394531 -607.99884 282.632812 -595.898865] /Subtype /Link /Border [0 0 0] /Dest /20 /ANN pdfmark
0.506167769 0 32 0 0 (, and is determined by the value of the) A
0 -618.4 M
0.733723938 0 32 0 0 ("algorithm" parameter and the auth-scheme to be used. The parameters marked "mandatory" SHALL) A
0 -631.6 M
1.20222354 0 32 0 0 (be contained in the message. The parameters marked "non-mandatory" MAY either be contained or) A
0 -644.8 M
(omitted in the message. Each parameter SHALL appear at most once in each header. ) S
0 -644.8 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 9 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 10 10
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.927884638 0 32 0 0 (All credentials and challenges MAY contain any parameters not explicitly specified in the following) A
0 -26.4 M
0.14993991 0 32 0 0 (sections. Recipients who do not understand such parameters MUST silently ignore those. However, all) A
0 -39.6 M
(credentials and challenges MUST meet the following ) S
(criteria:) S
11 -60.2 M
gsave
0 setgray
newpath
11.0 -60.170002 2.75 0 360 arc
closepath
fill
grestore
22 -63.8 M
0.453683048 0 32 0 0 (For responses, the parameters "reason", any "ks*" \(where * stands for any decimal integers\), and) A
22 -77 M
0.408854157 0 32 0 0 ("vks" are mutually exclusive: any challenge MUST\240NOT contain two or more parameters among) A
22 -90.2 M
(them. They MUST\240NOT contain any "kc*" and "vkc" parameters. ) S
11 -100.8 M
gsave
0 setgray
newpath
11.0 -100.77 2.75 0 360 arc
closepath
fill
grestore
22 -104.4 M
2.22154021 0 32 0 0 (For requests, the parameters "kc*" \(where * stands for any decimal integers\), and "vkc" are) A
22 -117.6 M
0.417317718 0 32 0 0 (mutually exclusive and any credential MUST\240NOT contain two or more parameters among them.) A
22 -130.8 M
(They MUST\240NOT contain any "ks*" and "vks" parameters. ) S
0 -141.8 M
[/View [/XYZ -4 615.2 null] /Dest /33 /DEST pdfmark
0 -141.8 M
[/View [/XYZ -4 615.2 null] /Dest /34 /DEST pdfmark
0 -157.4 M
%%IncludeResource: font Times-Bold
13 2 Nf
(4.1.) S
[/View [/XYZ -4 615.2 null] /Dest /117 /DEST pdfmark
( 401-INIT and ) S
(401-STALE) S
0 -181.6 M
11 0 Nf
3.64950275 0 32 0 0 (Every 401-INIT or 401-STALE message SHALL be a valid HTTP 401-status \(Authentication) A
0 -194.8 M
9.42226601 0 32 0 0 (Required\) message containing one \(and only one: hereafter not explicitly noticed\)) A
0 -208 M
3.81523442 0 32 0 0 ("WWW-Authenticate" header containing a "reason" parameter in the challenge. The challenge) A
0 -221.2 M
1.52974761 0 32 0 0 (SHALL contain all of the parameters marked "mandatory" below, and MAY contain those marked) A
0 -234.4 M
("non-mandatory". ) S
11 -258.6 M
(algorithm: ) S
33 -271.8 M
0.596028626 0 32 0 0 (\(mandatory token\) specifies the authentication sub-algorithm to be used. The set of allowed) A
33 -285 M
0.176682696 0 32 0 0 (values for this field MUST be specified within each specification for a specific authentication) A
33 -298.2 M
(protocol. ) S
11 -311.4 M
(realm: ) S
33 -324.6 M
1.43652344 0 32 0 0 (\(mandatory string\) is a UTF-8 encoded string representing the name of the authentication) A
33 -337.8 M
0.594140649 0 32 0 0 (realm inside the authentication domain. As specified in ) A
gsave
newpath
283 -338.9 M
110.84375 0 RL
stroke
grestore
0.594140649 0 32 0 0 ([I-D.ietf-httpbis-p7-auth]) A
[/Rect [282.007812 -340.550049 394.851562 -328.450043] /Subtype /Link /Border [0 0 0] /Dest /76 /ANN pdfmark
0.594140649 0 32 0 0 (, this value) A
33 -351 M
(MUST always be sent in the quoted-string form. ) S
11 -364.2 M
(validation: ) S
33 -377.4 M
0.945870519 0 32 0 0 (\(mandatory token\) specifies the method of host validation. The value MUST be one of the) A
33 -390.6 M
1.75994313 0 32 0 0 (tokens described in ) A
gsave
newpath
125.9 -391.7 M
41.2382812 0 RL
stroke
grestore
1.75994313 0 32 0 0 (Section\2406) A
[/Rect [124.933594 -393.350098 168.171875 -381.250092] /Subtype /Link /Border [0 0 0] /Dest /45 /ANN pdfmark
1.75994313 0 32 0 0 (, or the tokens specified in other supplemental specification) A
33 -403.8 M
(documentation. ) S
11 -417 M
(reason: ) S
33 -430.2 M
2.01649308 0 32 0 0 (\(mandatory extensive-token\) SHALL be an extensive-token which describes the possible) A
33 -443.4 M
5.58029509 0 32 0 0 (reason of the failed authentication/authorization. Both servers and clients SHALL) A
33 -456.6 M
(understand and support the following three tokens: ) S
44 -467.2 M
gsave
0 setgray
newpath
44.0 -467.170166 2.75 0 360 arc
closepath
fill
grestore
55 -470.8 M
1.28320312 0 32 0 0 (initial: authentication was not tried because there was no Authorization header in the) A
55 -484 M
(corresponding request. ) S
44 -494.6 M
gsave
0 setgray
newpath
44.0 -494.57019 2.75 0 360 arc
closepath
fill
grestore
55 -498.2 M
0.923270106 0 32 0 0 (stale-session: the provided sid in the request was either unknown to or expired in the) A
55 -511.4 M
(server. ) S
44 -522 M
gsave
0 setgray
newpath
44.0 -521.970215 2.75 0 360 arc
closepath
fill
grestore
55 -525.6 M
3.45348 0 32 0 0 (auth-failed: the authentication trial failed for some reason, possibly because of bad) A
55 -538.8 M
(authentication ) S
(credentials.) S
33 -552 M
0.13125 0 32 0 0 (Implementations MAY support the following tokens or any extensive-tokens defined outside) A
33 -565.2 M
0.362680286 0 32 0 0 (this specification. If a client receives an unknown token, it SHOULD treat that token as) A
33 -578.4 M
(if it were "auth-failed" or "initial". ) S
44 -589 M
gsave
0 setgray
newpath
44.0 -588.970276 2.75 0 360 arc
closepath
fill
grestore
55 -592.6 M
0.630642354 0 32 0 0 (reauth-needed: server-side application requires a new authentication trial, regardless of) A
55 -605.8 M
(the current status. ) S
44 -616.4 M
gsave
0 setgray
newpath
44.0 -616.3703 2.75 0 360 arc
closepath
fill
grestore
55 -620 M
1.23671877 0 32 0 0 (invalid-parameters: authentication was not even tried in the server-side because some) A
55 -633.2 M
(parameters are not acceptable. ) S
44 -643.8 M
gsave
0 setgray
newpath
44.0 -643.770325 2.75 0 360 arc
closepath
fill
grestore
55 -647.4 M
0.115559898 0 32 0 0 (internal-error: authentication was not even tried in the server-side because there is some) A
55 -660.6 M
(trouble on the server-side. ) S
55 -661.6 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 10 -) S
0 setgray
110 -8 M
grestore
pgsave restore N
%%Page: 11 11
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
44 -9.6 M
gsave
0 setgray
newpath
44.0 -9.57000065 2.75 0 360 arc
closepath
fill
grestore
55 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.7890625 0 32 0 0 (user-unknown: a special case of auth-failed, suggesting that the provided user-name is) A
55 -13.2 M
0.897782803 0.897782803 scale

0.0 -13.2 RM
11 0 Nf
(invalid. The use of this parameter is NOT\240RECOMMENDED for security implications, except for) S
1.11385512 1.11385512 scale

55 -38.3 M
(special-purpose applications where this value makes sense; it reveals which user names exist. ) S
44 -48.8 M
gsave
0 setgray
newpath
44.0 -48.8207321 2.75 0 360 arc
closepath
fill
grestore
55 -52.5 M
4.96614599 0 32 0 0 (invalid-credential: ditto, suggesting that the provided user-name was valid but) A
55 -52.5 M
0.895896077 0.895896077 scale

0.0 -13.2 RM
(authentication failed. The use of this parameter is NOT\240RECOMMENDED for the same reason as the) S
1.11620092 1.11620092 scale

55 -77.5 M
(above. ) S
44 -88 M
gsave
0 setgray
newpath
44.0 -88.0465622 2.75 0 360 arc
closepath
fill
grestore
55 -91.7 M
1.12428975 0 32 0 0 (authz-failed: authentication was successful, but access to the specified resource is not) A
55 -91.7 M
0.863076329 0.863076329 scale

0.0 -13.2 RM
(authorized to the specific authenticated user. \(It is different from 403 responses which suggest that the) S
1.15864611 1.15864611 scale

55 -116.3 M
(reason of inaccessibility is other than ) S
(authentication.\)) S
0 -140.5 M
2.94050479 0 32 0 0 (Among these messages, those with the reason parameter of value "stale-session" will be called) A
0 -153.7 M
3.44108081 0 32 0 0 ("401-STALE" messages hereafter, because these have a special meaning in the protocol flow.) A
0 -166.9 M
(Messages with any other reason parameters will be called "401-INIT" messages. ) S
0 -177.9 M
[/View [/XYZ -4 579.130859 null] /Dest /35 /DEST pdfmark
0 -177.9 M
[/View [/XYZ -4 579.130859 null] /Dest /36 /DEST pdfmark
0 -193.5 M
%%IncludeResource: font Times-Bold
13 2 Nf
(4.2.) S
[/View [/XYZ -4 579.130859 null] /Dest /118 /DEST pdfmark
( ) S
(req-KEX-C1) S
0 -217.7 M
11 0 Nf
0.384440094 0 32 0 0 (Every req-KEX-C1 message SHALL be a valid HTTP request message containing an "Authorization") A
0 -230.9 M
(header with a credential containing a "kc1" parameter. ) S
0 -255.1 M
(The credential SHALL contain the parameters with the following names: ) S
11 -279.3 M
(algorithm, realm: ) S
33 -292.5 M
(MUST be the same value as it is when received from the server. ) S
11 -305.7 M
(user: ) S
33 -318.9 M
0.139508933 0 32 0 0 (\(non-mandatory, string\) is the UTF-8 encoded name of the user. This field MUST be present) A
33 -332.1 M
0.483664781 0 32 0 0 (unless the authentication scheme defines other means of identifying the authenticating users) A
33 -345.3 M
2.10703135 0 32 0 0 (other than the textual user name. If this name comes from a user input, client software) A
33 -358.5 M
0.012369792 0 32 0 0 (SHOULD prepare the string using the preparation mechanism defined with each scheme \(see ) A
33 -371.7 M
gsave
newpath
33 -372.8 M
46.7382812 0 RL
stroke
grestore
(Section\24011) S
[/Rect [32.0 -374.41925 80.7382812 -362.319244] /Subtype /Link /Border [0 0 0] /Dest /58 /ANN pdfmark
( for more information\) before encoding it to UTF-8. ) S
11 -384.9 M
(kc1: ) S
33 -398.1 M
11 0 Nf
2.62011719 0 32 0 0 (\(mandatory, algorithm-determined\) is the client-side key exchange value ) A
2.62011719 0 32 0 0 (K) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
2.62011719 0 32 0 0 (c1) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
2.62011719 0 32 0 0 (, which is) A
0.0 -2.2 RM
33 -413.5 M
(specified by the algorithm that is used. ) S
0 -424.5 M
[/View [/XYZ -4 332.530731 null] /Dest /37 /DEST pdfmark
0 -424.5 M
[/View [/XYZ -4 332.530731 null] /Dest /38 /DEST pdfmark
0 -440.1 M
13 2 Nf
(4.3.) S
[/View [/XYZ -4 332.530731 null] /Dest /119 /DEST pdfmark
( ) S
(401-KEX-S1) S
0 -464.3 M
11 0 Nf
0.484019876 0 32 0 0 (Every 401-KEX-S1 message SHALL be a valid HTTP 401-status \(Authentication Required\) response) A
0 -477.5 M
(message containing a "WWW-Authenticate" header with a challenge containing a "ks1" parameter. ) S
0 -501.7 M
(The challenge SHALL contain the parameters with the following names: ) S
11 -525.9 M
(algorithm, realm: ) S
33 -539.1 M
(MUST be the same value as it is when received from the client. ) S
11 -552.3 M
(sid: ) S
33 -565.5 M
1.51171875 0 32 0 0 (\(mandatory, hex-fixed-number\) MUST be a session identifier, which is a random integer.) A
33 -578.7 M
0.197753906 0 32 0 0 (The sid SHOULD have uniqueness of at least 80 bits or the square of the maximal estimated) A
33 -591.9 M
1.4016335 0 32 0 0 (transactions concurrently available in the session table, whichever is larger. See ) A
gsave
newpath
401.7 -593 M
41.2382812 0 RL
stroke
grestore
1.4016335 0 32 0 0 (Section\2405) A
[/Rect [400.726562 -594.619385 443.964844 -582.519409] /Subtype /Link /Border [0 0 0] /Dest /43 /ANN pdfmark
33 -605.1 M
(for more details. ) S
11 -618.3 M
(ks1: ) S
33 -631.5 M
11 0 Nf
2.42285156 0 32 0 0 (\(mandatory, algorithm-determined\) is the server-side key exchange value ) A
2.42285156 0 32 0 0 (K) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
2.42285156 0 32 0 0 (s1) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
2.42285156 0 32 0 0 (, which is) A
0.0 -2.2 RM
33 -646.9 M
(specified by the algorithm. ) S
33 -646.9 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 11 -) S
0 setgray
22 -8 M
grestore
pgsave restore N
%%Page: 12 12
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
11 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(nc-max: ) S
33 -26.4 M
(\(mandatory, integer\) is the maximal value of nonce counts that the server accepts. ) S
11 -39.6 M
(nc-window: ) S
33 -52.8 M
1.72716343 0 32 0 0 (\(mandatory, integer\) the number of available nonce slots that the server will accept. The) A
33 -66 M
(value of the nc-window parameter is RECOMMENDED to be 32 or more. ) S
11 -79.2 M
(time: ) S
33 -92.4 M
0.670072138 0 32 0 0 (\(mandatory, integer\) represents the suggested time \(in seconds\) that the client can reuse the) A
33 -105.6 M
1.03662109 0 32 0 0 (session represented by the sid. It is RECOMMENDED to be at least 60. The value of this) A
33 -118.8 M
0.926302075 0 32 0 0 (parameter is, however, not directly linked to the duration that the server keeps track of the) A
33 -132 M
(session represented by the sid. ) S
11 -145.2 M
(path: ) S
33 -158.4 M
1.61425781 0 32 0 0 (\(non-mandatory, string\) specifies which path in the URI space the same authentication is) A
33 -171.6 M
0.565716922 0 32 0 0 (expected to be applied. The value is a space-separated list of URIs, in the same format as it) A
33 -184.8 M
0.189453125 0 32 0 0 (was specified in domain parameter ) A
gsave
newpath
190 -185.9 M
50.1054688 0 RL
stroke
grestore
0.189453125 0 32 0 0 ([RFC2617]) A
[/Rect [188.992188 -187.549973 241.097656 -175.449966] /Subtype /Link /Border [0 0 0] /Dest /88 /ANN pdfmark
0.189453125 0 32 0 0 ( for the Digest authentications, and clients are) A
33 -198 M
0.442382812 0 32 0 0 (RECOMMENDED to recognize it. All path elements contained in the parameter MUST) A
33 -211.2 M
(be inside the specified auth-domain: if not, clients SHOULD ignore such elements. ) S
0 -222.2 M
[/View [/XYZ -4 534.800049 null] /Dest /39 /DEST pdfmark
0 -222.2 M
[/View [/XYZ -4 534.800049 null] /Dest /40 /DEST pdfmark
0 -237.8 M
%%IncludeResource: font Times-Bold
13 2 Nf
(4.4.) S
[/View [/XYZ -4 534.800049 null] /Dest /120 /DEST pdfmark
( ) S
(req-VFY-C) S
0 -262 M
11 0 Nf
0.893229187 0 32 0 0 (Every req-VFY-C message SHALL be a valid HTTP request message containing an "Authorization") A
0 -275.2 M
(header with a credential containing a "vkc" parameter. ) S
0 -299.4 M
(The parameters contained in the header are as follows: ) S
11 -323.6 M
(algorithm, realm: ) S
33 -336.8 M
(MUST be the same value as it is when received from the server for the session. ) S
11 -350 M
(sid: ) S
33 -363.2 M
0.903846145 0 32 0 0 (\(mandatory, hex-fixed-number\) MUST be one of the sid values that was received from the) A
33 -376.4 M
(server for the same authentication realm. ) S
11 -389.6 M
(nc: ) S
33 -402.8 M
0.10963542 0 32 0 0 (\(mandatory, integer\) is a nonce value that is unique among the requests sharing the same sid.) A
33 -416 M
(The values of the nonces SHOULD satisfy the properties outlined in ) S
gsave
newpath
336.9 -417.1 M
41.2382812 0 RL
stroke
grestore
(Section\2405) S
[/Rect [335.90625 -418.750092 379.144531 -406.650085] /Subtype /Link /Border [0 0 0] /Dest /43 /ANN pdfmark
(. ) S
11 -429.2 M
(vkc: ) S
33 -442.4 M
11 0 Nf
0.822021484 0 32 0 0 (\(mandatory, algorithm-determined\) is the client-side authentication verification value ) A
0.822021484 0 32 0 0 (VK) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
0.822021484 0 32 0 0 (c) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
0.822021484 0 32 0 0 (,) A
0.0 -2.2 RM
33 -457.8 M
(which is specified by the algorithm. ) S
0 -468.8 M
[/View [/XYZ -4 288.19989 null] /Dest /41 /DEST pdfmark
0 -468.8 M
[/View [/XYZ -4 288.19989 null] /Dest /42 /DEST pdfmark
0 -484.4 M
13 2 Nf
(4.5.) S
[/View [/XYZ -4 288.19989 null] /Dest /121 /DEST pdfmark
( ) S
(200-VFY-S) S
0 -508.6 M
11 0 Nf
0.923958361 0 32 0 0 (Every 200-VFY-S message SHALL be a valid HTTP message that is not of the 401 \(Authentication) A
0 -521.8 M
(Required\) status, containing an "Authentication-Info" header with a "vks" parameter. ) S
0 -546 M
(The parameters contained in the header are as follows: ) S
11 -570.2 M
(sid: ) S
33 -583.4 M
(\(mandatory, hex-fixed-number\) MUST be the value received from the client. ) S
11 -596.6 M
(algorithm, realm: ) S
33 -609.8 M
(MUST be the same value as it is when received from the client. ) S
11 -623 M
(vks: ) S
33 -636.2 M
11 0 Nf
0.575439453 0 32 0 0 (\(mandatory, algorithm-determined\) is the server-side authentication verification value ) A
0.575439453 0 32 0 0 (VK) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
0.575439453 0 32 0 0 (s) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
0.575439453 0 32 0 0 (,) A
0.0 -2.2 RM
33 -651.6 M
0.0747767836 0 32 0 0 (which is specified by the algorithm. If the algorithm specification does not specify any specific) A
33 -664.8 M
(value for this field, the value SHALL be the token "0". ) S
11 -664.8 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 12 -) S
0 setgray
22 -8 M
grestore
pgsave restore N
%%Page: 13 13
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
2.99080873 0 32 0 0 (The header MUST be sent before the content body: it MUST\240NOT be sent in the trailer of a) A
0 -26.4 M
6.90039062 0 32 0 0 (chunked-encoded response. If a "100 Continue" response is sent from the server, the) A
0 -39.6 M
(Authentication-Info header SHOULD be included in that response, instead of the final response. ) S
0 -50.6 M
[/View [/XYZ -4 706.4 null] /Dest /43 /DEST pdfmark
0 -50.6 M
[/View [/XYZ -4 706.4 null] /Dest /44 /DEST pdfmark
0 -69.6 M
%%IncludeResource: font Times-Bold
15 2 Nf
(5.) S
[/View [/XYZ -4 705.4 null] /Dest /122 /DEST pdfmark
( Session ) S
(Management) S
0 -93.8 M
11 0 Nf
2.08886719 0 32 0 0 (In this authentication protocol template, a session represented by an sid is set up using the first four) A
0 -107 M
0.422200531 0 32 0 0 (messages \(first request, 401-INIT, req-KEX-C1 and 401-KEX-S1\). After sharing a session secret, this) A
0 -120.2 M
1.4653033 0 32 0 0 (session, along with the secret, can be used for one or more requests for resources protected by the) A
0 -133.4 M
0.727022052 0 32 0 0 (same realm in the same server. Note that session management is only an inside detail of the protocol) A
0 -146.6 M
3.53151035 0 32 0 0 (and usually not visible to normal users. If a session expires, the client and server SHOULD) A
0 -159.8 M
(automatically re-establish another session without informing the users. ) S
0 -184 M
0.334716797 0 32 0 0 (Sessions and session identifiers are local to each server \(defined by scheme, host and port\); the clients) A
0 -197.2 M
1.2520833 0 32 0 0 (MUST establish separate sessions for each port of a host to be accessed. Furthermore, sessions and) A
0 -210.4 M
0.280273438 0 32 0 0 (identifiers are also local to each authentication realm, even if these are provided from the same server.) A
0 -223.6 M
0.0583147332 0 32 0 0 (The same session identifiers provided either from different servers or for different realms SHOULD be) A
0 -236.8 M
(treated as independent ones. ) S
0 -261 M
1.07083333 0 32 0 0 (The server SHOULD accept at least one req-VFY-C request for each session, given that the request) A
0 -274.2 M
0.621875 0 32 0 0 (reaches the server in a time window specified by the timeout parameter in the 401-KEX-S1 message,) A
0 -287.4 M
0.423483461 0 32 0 0 (and that there are no emergent reasons \(such as flooding attacks\) to forget the sessions. After that, the) A
0 -300.6 M
0.0294270832 0 32 0 0 (server MAY discard any session at any time and MAY send 401-STALE messages for any req-VFY-C) A
0 -313.8 M
(requests. ) S
0 -338 M
0.78010112 0 32 0 0 (The client MAY send two or more requests using a single session specified by the sid. However, for) A
0 -351.2 M
3.39088535 0 32 0 0 (all such requests, each value of the nonce \(in the nc parameter\) MUST satisfy the following) A
0 -364.4 M
(conditions: ) S
11 -385 M
gsave
0 setgray
newpath
11.0 -384.970062 2.75 0 360 arc
closepath
fill
grestore
22 -388.6 M
(It is a natural number. ) S
11 -399.2 M
gsave
0 setgray
newpath
11.0 -399.170074 2.75 0 360 arc
closepath
fill
grestore
22 -402.8 M
(The same nonce was not sent within the same session. ) S
11 -413.4 M
gsave
0 setgray
newpath
11.0 -413.370087 2.75 0 360 arc
closepath
fill
grestore
22 -417 M
0.619574666 0 32 0 0 (It is not larger than the nc-max value that was sent from the server in the session represented by) A
22 -430.2 M
(the sid. ) S
11 -440.8 M
gsave
0 setgray
newpath
11.0 -440.770111 2.75 0 360 arc
closepath
fill
grestore
22 -444.4 M
0.374267578 0 32 0 0 (It is larger than \(largest-nc - nc-window\), where largest-nc is the maximal value of nc which was) A
22 -457.6 M
0.00807291642 0 32 0 0 (previously sent in the session, and nc-window is the value of the nc-window parameter which was) A
22 -470.8 M
(received from the server in the ) S
(session.) S
0 -495 M
1.14375 0 32 0 0 (The last condition allows servers to reject any nonce values that are "significantly" smaller than the) A
0 -508.2 M
0.0197610296 0 32 0 0 ("current" value \(defined by the value of nc-window\) of the nonce used in the session involved. In other) A
0 -521.4 M
2.6373198 0 32 0 0 (words, servers MAY treat such nonces as "already received". This restriction enables servers to) A
0 -534.6 M
(implement duplicated nonce detection in a constant amount of memory \(for each session\). ) S
0 -558.8 M
1.3338542 0 32 0 0 (Servers MUST check for duplication of the received nonces, and if any duplication is detected, the) A
0 -572 M
0.989676356 0 32 0 0 (server MUST discard the session and respond with a 401-STALE message, as outlined in ) A
gsave
newpath
410 -573.1 M
41.2382812 0 RL
stroke
grestore
0.989676356 0 32 0 0 (Section\2408) A
[/Rect [408.992188 -574.750183 452.230469 -562.650208] /Subtype /Link /Border [0 0 0] /Dest /50 /ANN pdfmark
0.989676356 0 32 0 0 (.) A
0 -585.2 M
1.84228516 0 32 0 0 (The server MAY also reject other invalid nonce values \(such as ones above the nc-max limit\) by) A
0 -598.4 M
(sending a 401-STALE message. ) S
0 -622.6 M
1.22886026 0 32 0 0 (For example, assume the nc-window value of the current session is 32, nc-max is 100, and that the) A
0 -635.8 M
1.6854167 0 32 0 0 (client has already used the following nonce values: {1-20, 22, 24, 30-38, 45-60, 63-72}. Then the) A
0 -649 M
0.115885414 0 32 0 0 (nonce value that can be used for the next request is one of the following set: {41-44, 61-62, 73-100}. The) A
0 -662.2 M
0.100694448 0 32 0 0 (values {0, 21, 23, 25-29, 39-40} MAY be rejected by the server because they are not above the current) A
0 -662.2 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 13 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 14 14
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
("window limit" \(40 = 72 - 32\). ) S
0 -37.4 M
11 0 Nf
0.903320312 0 32 0 0 (Typically, clients can ensure the above property by using a monotonically-increasing integer counter) A
0 -50.6 M
(that counts from zero up to the value of nc-max. ) S
0 -74.8 M
1.04947913 0 32 0 0 (The values of the nonces and any nonce-related values MUST always be treated as natural numbers) A
0 -88 M
3.52695322 0 32 0 0 (within an infinite range. Implementations using fixed-width integers or fixed-precision floating) A
0 -101.2 M
4.87226582 0 32 0 0 (numbers MUST correctly and carefully handle integer overflows. Such implementations are) A
0 -114.4 M
1.16346157 0 32 0 0 (RECOMMENDED to accept any larger values that cannot be represented in the fixed-width integer) A
0 -127.6 M
0.185825899 0 32 0 0 (representations, as long as other limits such as internal header-length restrictions are not involved. The) A
0 -140.8 M
1.29140627 0 32 0 0 (protocol is designed carefully so that both the clients and servers can implement the protocol using) A
0 -154 M
(only fixed-width integers, by rounding any overflowed values to the maximum possible value. ) S
0 -165 M
[/View [/XYZ -4 592.0 null] /Dest /45 /DEST pdfmark
0 -165 M
[/View [/XYZ -4 592.0 null] /Dest /46 /DEST pdfmark
0 -184 M
%%IncludeResource: font Times-Bold
15 2 Nf
(6.) S
[/View [/XYZ -4 591.0 null] /Dest /123 /DEST pdfmark
( Host Validation ) S
(Methods) S
0 -208.2 M
11 0 Nf
1.48888218 0 32 0 0 (The "validation method" specifies a method to "relate" \(or "bind"\) authentication processed by this) A
0 -221.4 M
3.57649732 0 32 0 0 (template with other authentications already performed in the underlying layers and to prevent) A
0 -234.6 M
(man-in-the-middle attacks. It decides the value vh that is an input to the authentication protocols. ) S
0 -258.8 M
(The valid tokens for the validation parameter and corresponding values of vh are as follows: ) S
11 -283 M
(host: ) S
33 -296.2 M
3.17908645 0 32 0 0 (hostname validation: The value vh will be the ASCII string in the following format:) A
33 -309.4 M
0.1796875 0 32 0 0 ("<scheme>://<host>:<port>", where <scheme>, <host>, and <port> are the URI components) A
33 -322.6 M
1.13378906 0 32 0 0 (corresponding to the currently accessing resource. The scheme and host are in lower-case,) A
33 -335.8 M
0.447509766 0 32 0 0 (and the port is in a shortest decimal representation. Even if the request-URI does not have a) A
33 -349 M
(port part, vh will include the default port number. ) S
11 -362.2 M
(tls-cert: ) S
33 -375.4 M
1.68823242 0 32 0 0 (TLS certificate validation: The value vh will be the octet string of the hash value of the) A
33 -388.6 M
0.289663464 0 32 0 0 (public key certificate used in the underlying ) A
gsave
newpath
231.4 -389.7 M
19.5507812 0 RL
stroke
grestore
0.289663464 0 32 0 0 (TLS) A
[/Rect [230.40625 -391.350098 251.957031 -379.250092] /Subtype /Link /Border [0 0 0] /Dest /84 /ANN pdfmark
0.289663464 0 32 0 0 ( [RFC5246] \(or SSL\) connection. The hash) A
33 -401.8 M
1.72879469 0 32 0 0 (value is defined as the value of the entire signed certificate \(specified as "Certificate" in ) A
33 -415 M
gsave
newpath
33 -416.1 M
50.1054688 0 RL
stroke
grestore
([RFC5280]) S
[/Rect [32.0 -417.750122 84.1054688 -405.650116] /Subtype /Link /Border [0 0 0] /Dest /90 /ANN pdfmark
(\), hashed by the hash algorithm specified by the authentication algorithm used. ) S
11 -428.2 M
(tls-key: ) S
33 -441.4 M
0.926041663 0 32 0 0 (TLS shared-key validation: The value vh will be the octet string of the shared master secret) A
33 -454.6 M
(negotiated in the underlying TLS \(or SSL\) ) S
(connection.) S
0 -478.8 M
0.083984375 0 32 0 0 (If the HTTP protocol is used on a non-encrypted channel \(TCP and SCTP, for example\), the validation) A
0 -492 M
0.153738841 0 32 0 0 (type MUST be "host". If ) A
gsave
newpath
111.8 -493.1 M
50.0976562 0 RL
stroke
grestore
0.153738841 0 32 0 0 (HTTP/TLS) A
[/Rect [110.753906 -494.750183 162.851562 -482.650177] /Subtype /Link /Border [0 0 0] /Dest /89 /ANN pdfmark
0.153738841 0 32 0 0 ( [RFC2818] \(HTTPS\) protocol is used with the server certificates,) A
0 -505.2 M
1.77213538 0 32 0 0 (the validation type MUST be "tls-cert". If HTTP/TLS protocol is used without any kind of server) A
0 -518.4 M
(certificates, the validation type MUST be "tls-key". ) S
0 -542.6 M
1.08255208 0 32 0 0 (If the validation type "tls-cert" is used, the server certificate provided on the TLS connection MUST be) A
0 -555.8 M
(verified to make sure that the server actually owns the corresponding secret key. ) S
0 -580 M
(Clients MUST validate this parameter upon reception of the 401-INIT messages. ) S
0 -604.2 M
2.49693084 0 32 0 0 (However, when the client is a Web browser with any scripting capabilities, the underlying TLS) A
0 -617.4 M
3.75260425 0 32 0 0 (channel used with HTTP/TLS MUST provide server identity verification. This means \(1\) the) A
0 -630.6 M
0.471028656 0 32 0 0 (anonymous Diffie-Hellman key exchange ciphersuite MUST\240NOT be used, and \(2\) the verification of) A
0 -643.8 M
(the server certificate provided from the server MUST be performed. ) S
0 -643.8 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 14 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 15 15
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /47 /DEST pdfmark
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /48 /DEST pdfmark
0 -18 M
%%IncludeResource: font Times-Bold
15 2 Nf
(7.) S
[/View [/XYZ -4 757.0 null] /Dest /124 /DEST pdfmark
( Decision Procedure for ) S
(Clients) S
0 -42.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.688058 0 32 0 0 (To securely implement the protocol, the user client must be careful about accepting the authenticated) A
0 -55.4 M
1.28593755 0 32 0 0 (responses from the server. This also holds true for the reception of "normal responses" from HTTP) A
0 -68.6 M
(servers. ) S
0 -92.8 M
3.08919263 0 32 0 0 (Clients SHOULD implement a decision procedure equivalent to the one shown below. \(Unless) A
0 -106 M
1.42940843 0 32 0 0 (implementers understand what is required for the security, they should not alter this.\) In particular,) A
0 -119.2 M
0.892578125 0 32 0 0 (clients SHOULD\240NOT accept "normal responses" unless explicitly allowed below. The labels on the) A
0 -132.4 M
0.119977675 0 32 0 0 (steps are for informational purposes only. Action entries within each step are checked in top-to-bottom) A
0 -145.6 M
(order, and the first clause satisfied SHOULD be taken. ) S
11 -169.8 M
(Step 1 \(step_new_request\): ) S
33 -183 M
1.3976562 0 32 0 0 (If the client software needs to access a new Web resource, check whether the resource is) A
33 -196.2 M
3.08894229 0 32 0 0 (expected to be inside some authentication realm for which the user has already been) A
33 -209.4 M
(authenticated by the authentication scheme. If yes, go to Step 2. Otherwise, go to Step 5. ) S
11 -222.6 M
(Step 2: ) S
33 -235.8 M
0.988020837 0 32 0 0 (Check whether there is an available sid for the authentication realm you expect. If there is) A
33 -249 M
(one, go to Step 3. Otherwise, go to Step 4. ) S
11 -262.2 M
(Step 3 \(step_send_vfy_1\): ) S
33 -275.4 M
(Send a req-VFY-C request. ) S
44 -286 M
gsave
0 setgray
newpath
44.0 -285.97 2.75 0 360 arc
closepath
fill
grestore
55 -289.6 M
0.395833343 0 32 0 0 (If you receive a 401-INIT message with a different authentication realm than expected,) A
55 -302.8 M
(go to Step 6. ) S
44 -313.4 M
gsave
0 setgray
newpath
44.0 -313.370026 2.75 0 360 arc
closepath
fill
grestore
55 -317 M
(If you receive a 401-STALE message, go to Step 9. ) S
44 -327.6 M
gsave
0 setgray
newpath
44.0 -327.570038 2.75 0 360 arc
closepath
fill
grestore
55 -331.2 M
(If you receive a 401-INIT message, go to Step 13. ) S
44 -341.8 M
gsave
0 setgray
newpath
44.0 -341.77005 2.75 0 360 arc
closepath
fill
grestore
55 -345.4 M
(If you receive a 200-VFY-S message, go to Step 14. ) S
44 -356 M
gsave
0 setgray
newpath
44.0 -355.970062 2.75 0 360 arc
closepath
fill
grestore
55 -359.6 M
(If you receive a normal response, go to Step ) S
(11.) S
11 -372.8 M
(Step 4 \(step_send_kex1_1\): ) S
33 -386 M
(Send a req-KEX-C1 request. ) S
44 -396.6 M
gsave
0 setgray
newpath
44.0 -396.570099 2.75 0 360 arc
closepath
fill
grestore
55 -400.2 M
0.395833343 0 32 0 0 (If you receive a 401-INIT message with a different authentication realm than expected,) A
55 -413.4 M
(go to Step 6. ) S
44 -424 M
gsave
0 setgray
newpath
44.0 -423.970123 2.75 0 360 arc
closepath
fill
grestore
55 -427.6 M
(If you receive a 401-KEX-S1 message, go to Step 10. ) S
44 -438.2 M
gsave
0 setgray
newpath
44.0 -438.170135 2.75 0 360 arc
closepath
fill
grestore
55 -441.8 M
0.990792394 0 32 0 0 (If you receive a 401-INIT message with the same authentication realm, go to Step 13) A
55 -455 M
(\(see Note 1\). ) S
44 -465.6 M
gsave
0 setgray
newpath
44.0 -465.57016 2.75 0 360 arc
closepath
fill
grestore
55 -469.2 M
(If you receive a normal response, go to Step ) S
(11.) S
11 -482.4 M
(Step 5 \(step_send_normal_1\): ) S
33 -495.6 M
(Send a request without any authentication headers related to this specification. ) S
44 -506.2 M
gsave
0 setgray
newpath
44.0 -506.170197 2.75 0 360 arc
closepath
fill
grestore
55 -509.8 M
(If you receive a 401-INIT message, go to Step 6. ) S
44 -520.4 M
gsave
0 setgray
newpath
44.0 -520.370178 2.75 0 360 arc
closepath
fill
grestore
55 -524 M
(If you receive a normal response, go to Step ) S
(11.) S
11 -537.2 M
(Step 6 \(step_rcvd_init\): ) S
33 -550.4 M
6.4281249 0 32 0 0 (Check whether you know the user's authentication credential for the requested) A
33 -563.6 M
(authentication realm. If yes, go to Step 7. Otherwise, go to Step 12. ) S
11 -576.8 M
(Step 7: ) S
33 -590 M
0.988020837 0 32 0 0 (Check whether there is an available sid for the authentication realm you expect. If there is) A
33 -603.2 M
(one, go to Step 8. Otherwise, go to Step 9. ) S
11 -616.4 M
(Step 8 \(step_send_vfy\): ) S
33 -629.6 M
(Send a req-VFY-C request. ) S
44 -640.2 M
gsave
0 setgray
newpath
44.0 -640.170288 2.75 0 360 arc
closepath
fill
grestore
55 -643.8 M
(If you receive a 401-STALE message, go to Step 9. ) S
44 -654.4 M
gsave
0 setgray
newpath
44.0 -654.3703 2.75 0 360 arc
closepath
fill
grestore
55 -658 M
(If you receive a 401-INIT message, go to Step 13. ) S
55 -659 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 15 -) S
0 setgray
110 -8 M
grestore
pgsave restore N
%%Page: 16 16
%%PageResources: font Times-Roman Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
44 -9.6 M
gsave
0 setgray
newpath
44.0 -9.57000065 2.75 0 360 arc
closepath
fill
grestore
55 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(If you receive a 200-VFY-S message, go to Step ) S
(14.) S
11 -26.4 M
11 0 Nf
(Step 9 \(step_send_kex1\): ) S
33 -39.6 M
(Send a req-KEX-C1 request. ) S
44 -50.2 M
gsave
0 setgray
newpath
44.0 -50.170002 2.75 0 360 arc
closepath
fill
grestore
55 -53.8 M
(If you receive a 401-KEX-S1 message, go to Step 10. ) S
44 -64.4 M
gsave
0 setgray
newpath
44.0 -64.37 2.75 0 360 arc
closepath
fill
grestore
55 -68 M
(If you receive a 401-INIT message, go to Step 13 \(See Note ) S
(1\).) S
11 -81.2 M
(Step 10 \(step_rcvd_kex1\): ) S
33 -94.4 M
(Send a req-VFY-C request. ) S
44 -105 M
gsave
0 setgray
newpath
44.0 -104.969994 2.75 0 360 arc
closepath
fill
grestore
55 -108.6 M
(If you receive a 401-INIT message, go to Step 13. ) S
44 -119.2 M
gsave
0 setgray
newpath
44.0 -119.169991 2.75 0 360 arc
closepath
fill
grestore
55 -122.8 M
(If you receive a 200-VFY-S message, go to Step ) S
(14.) S
11 -136 M
(Step 11 \(step_rcvd_normal\): ) S
33 -149.2 M
4.3088727 0 32 0 0 (The requested resource is out of the authenticated area. The client will be in the) A
33 -162.4 M
0.308203131 0 32 0 0 ("UNAUTHENTICATED" status. If the response contains a request for authentications other) A
33 -175.6 M
(than the specified scheme, it MAY be handled normally. ) S
11 -188.8 M
(Step 12 \(step_rcvd_init_unknown\): ) S
33 -202 M
0.881310105 0 32 0 0 (The requested resource requires an authentication, and the user is not yet authenticated. The) A
33 -215.2 M
0.303059906 0 32 0 0 (client will be in the "AUTH-REQUESTED" status, and is RECOMMENDED to process the) A
33 -228.4 M
0.403738827 0 32 0 0 (content sent from the server, and to ask user for any user's authentication credentials. When) A
33 -241.6 M
(those are supplied from the user, proceed to Step 9. ) S
11 -254.8 M
(Step 13 \(step_rcvd_init_failed\): ) S
33 -268 M
1.37286937 0 32 0 0 (For some reason the authentication failed: possibly the used authentication credentials are) A
33 -281.2 M
2.15351558 0 32 0 0 (invalid for the authenticated resource. Forget such authentication credentials \(or disable,) A
33 -294.4 M
0.931315124 0 32 0 0 (whichever appropriate for the specific kind of credentials\) for the authentication realm and) A
33 -307.6 M
(go to Step 12. ) S
% Step 14 (step_rcvd_vfy): the client-side check of the value received from
% the server. "VK" is followed by a lowered, smaller "s" (a subscript), i.e. VK_s.
% Per the text below: a match means server authentication succeeded and the
% client enters "AUTH-SUCCEEDED"; an unexpected value is a fatal communication error.
11 -320.8 M
(Step 14 \(step_rcvd_vfy\): ) S
33 -334 M
11 0 Nf
0.790096521 0 32 0 0 (Check the validity of the received ) A
0.790096521 0 32 0 0 (VK) A
% shift right and down, switch to the smaller font: subscript "s"
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
0.790096521 0 32 0 0 (s) A
% back up to the baseline and to the body font
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
0.790096521 0 32 0 0 ( value. If it is equal to the expected value, it means) A
0.0 -2.2 RM
33 -349.4 M
9.73082352 0 32 0 0 (that the server authentication has succeeded. The client will be in the) A
33 -362.6 M
("AUTH-SUCCEEDED" status. ) S
33 -375.8 M
% Failure branch of the check: no retry or fallback transition is listed here.
(If the value is unexpected, it is a fatal communication error. ) S
11 -389 M
(Note 1: ) S
33 -402.2 M
1.1484375 0 32 0 0 (These transitions MAY be accepted by clients, but NOT\240RECOMMENDED for servers to ) A
33 -415.4 M
(initiate.) S
% Closing rule of the client procedure (fail closed): any response not listed
% in the steps above SHOULD be treated as a fatal communication error, and the
% response body and content-related headers SHOULD NOT be processed.
% Stated exception: a 5xx response without an Authentication-Info header MAY
% be accepted; the client is then in the "UNAUTHENTICATED" status.
% \240 inside the strings is the octal escape for a no-break space.
0 -439.6 M
1.1690104 0 32 0 0 (Any kind of response \(including a normal response\) other than those shown in the above procedure) A
0 -452.8 M
0.491350442 0 32 0 0 (SHOULD be interpreted as a fatal communication error, and in such cases the clients SHOULD\240NOT) A
0 -466 M
0.624442 0 32 0 0 (process any data \(response body and other content-related headers\) sent from the server. However, to) A
0 -479.2 M
0.473632812 0 32 0 0 (handle exceptional error cases, clients MAY accept a message without an Authentication-Info header,) A
0 -492.4 M
0.842773438 0 32 0 0 (if it is a Server-Error \(5xx\) status. The client will be in the "UNAUTHENTICATED" status in these) A
0 -505.6 M
(cases. ) S
0 -529.8 M
gsave
newpath
0 -530.9 M
36.9609375 0 RL
stroke
grestore
(Figure\2404) S
[/Rect [-1.0 -532.550171 37.9609375 -520.450195] /Subtype /Link /Border [0 0 0] /Dest /49 /ANN pdfmark
( shows a diagram of the client-side state. ) S
0 -540.8 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -551.8 M
[/View [/XYZ -4 205.199829 null] /Dest /49 /DEST pdfmark
0 -551.8 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 16 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 17 17
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
% Start of the embedded tgif drawing (captioned "Figure 4: State diagram for
% clients" after the drawing ends).
0 -394 M
gsave
0.0 -394.0 translate
% IS is the scale factor applied to the figure (1 = unscaled).
/IS 1 D
% VM snapshot; undone by the `restore` that follows the figure's `showpage`.
save
0 0 M
IS IS scale
% Make showpage a no-op while the figure runs (D is `def` in the prolog), so
% the figure's own trailing `showpage` does not emit the page.
/showpage {}D
-71 -427 translate
% Private dictionary for the figure's operators and short aliases.
/tgifdict 53 dict def
tgifdict begin
% Scratch dictionary used by TGAT; mtrx is the matrix object it saves the CTM into.
/tgifarrowtipdict 8 dict def
tgifarrowtipdict /mtrx matrix put
/TGAT % tgifarrowtip
 % Appends an arrow-tip outline to the current path.
 % Operands (bottom to top of stack): x y w h dx dy
 %   x y    tip position
 %   w h    the two trailing corners are placed at (-w, h) and (-w, -h)
 %          in a frame translated to (x, y) and rotated by `dy dx atan`
 %   dx dy  direction vector that sets the rotation
 % The operands are stored in tgifarrowtipdict (overwritten on every call).
 % The CTM is saved on entry and put back before returning. The path is left
 % open: the call sites wrap it as `NP ... TGAT ... CP F`.
 { tgifarrowtipdict begin
      % pop the operands in reverse order: dy is on top of the stack
      /dy exch def
      /dx exch def
      /h exch def
      /w exch def
      /y exch def
      /x exch def
      % copy the current CTM into mtrx and keep it under the name savematrix
      /savematrix mtrx currentmatrix def
      x y translate
      dy dx atan rotate
      0 0 moveto
      w neg h lineto
      w neg h neg lineto
      savematrix setmatrix
   end
 } def
/TGMAX
 % a b TGMAX -> the larger operand (b when neither is greater)
 { 2 copy gt { pop } { exch pop } ifelse } def
/TGMIN
 % a b TGMIN -> the smaller operand (b when neither is smaller)
 { 2 copy lt { pop } { exch pop } ifelse } def
% Short aliases used by the drawing. They are defined while tgifdict is the
% current dictionary, so they apply only while tgifdict is on the dictionary
% stack. Note that S means `stroke` here, whereas the page text outside the
% figure calls S with a string operand, e.g. `(text) S`.

% string TGSW -> x component of the string's width in the current font
/TGSW { stringwidth pop } def
/bd { bind def } bind def
/GS { gsave } bd
/GR { grestore } bd
/NP { newpath } bd
/CP { closepath } bd
/CHP { charpath } bd
/CT { curveto } bd
/L { lineto } bd
/RL { rlineto } bd
/M { moveto } bd
/RM { rmoveto } bd
/S { stroke } bd
/F { fill } bd
/TR { translate } bd
/RO { rotate } bd
/SC { scale } bd
/MU { mul } bd
/DI { div } bd
/DU { dup } bd
/NE { neg } bd
/AD { add } bd
/SU { sub } bd
/PO { pop } bd
/EX { exch } bd
/CO { concat } bd
/CL { clip } bd
/EC { eoclip } bd
/EF { eofill } bd
/IM { image } bd
/IMM { imagemask } bd
/ARY { array } bd
/SG { setgray } bd
/RG { setrgbcolor } bd
/SD { setdash } bd
/W { setlinewidth } bd
/SM { setmiterlimit } bd
/SLC { setlinecap } bd
/SLJ { setlinejoin } bd
/SH { show } bd
/FF { findfont } bd
/MS { makefont setfont } bd
% arcto leaves four numbers on the stack; AR discards them
/AR { arcto 4 {pop} repeat } bd
/CURP { currentpoint } bd
/FLAT { flattenpath strokepath clip newpath } bd
% TGSM/TGRM use plain `def`, not `bd`, so the names inside are looked up when
% they run. tgiforigctm is defined after this block, once the figure's
% transform has been set up.
/TGSM { tgiforigctm setmatrix } def
% NOTE(review): the only visible definition of savematrix is the one TGAT makes
% inside tgifarrowtipdict; confirm TGRM is never run without one in scope.
/TGRM { savematrix setmatrix } def
end
tgifdict begin
/tgifsavedpage save def
1 SM
1 W
0 SG
72 0 MU 72 11.602 MU TR
72 128 DI 100.000 MU 100 DI DU NE SC
GS
/tgiforigctm matrix currentmatrix def
NP
0 SG
   GS
      1 W
      250 45 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NEW REQUEST) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NEW REQUEST) DU TGSW EX SH
            GS CURP M 0 2 RM NE 0 RL S GR
      GR
   GR
0 SG
NP
   250 95 M
   180 125 L
   250 155 L
   320 125 L
CP
GS
GR
GS
   S
GR
NP
0 SG
   GS
      1 W
      250 120 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (the requested URI) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (the requested URI) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (known to be authed?) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (known to be authed?) SH
      GR
   GR
0 SG
GS
   NP
      250 50 M
      45 0 atan DU cos 8.000 MU 250 exch SU
      exch sin 8.000 MU 95 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      250 95 8.000 3.000 0 45 TGAT
   1 SG CP F
   0 SG
   NP
      250 95 8.000 3.000 0 45 TGAT
   CP F
GR
0 SG
GS
   GS
      NP
         684 100 M
         700 100 700 150 16 AR
         700 134 L
         700 150 600 150 16 AR
         616 150 L
         600 150 600 100 16 AR
         600 116 L
         600 100 700 100 16 AR
      CP
      S
   GR
GR
NP
0 SG
   GS
      1 W
      650 120 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (normal request) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (normal request) SH
      GR
   GR
0 SG
GS
   NP
      600 105 M
      -35 -55 atan DU cos 8.000 MU 545 exch SU
      exch sin 8.000 MU 70 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      545 70 8.000 3.000 -55 -35 TGAT
   1 SG CP F
   0 SG
   NP
      545 70 8.000 3.000 -55 -35 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      480 75 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (UNAUTHENTICATED) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (UNAUTHENTICATED) DU TGSW EX SH
            GS CURP M 0 2 RM NE 0 RL S GR
      GR
   GR
0 SG
GS
   NP
      320 125 M
      0 280 atan DU cos 8.000 MU 600 exch SU
      exch sin 8.000 MU 125 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      600 125 8.000 3.000 280 0 TGAT
   1 SG CP F
   0 SG
   NP
      600 125 8.000 3.000 280 0 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      535 100 M
      GS
        GS
        0
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (normal response) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (normal response) SH
      GR
   GR
0 SG
NP
   650 195 M
   580 225 L
   650 255 L
   720 225 L
CP
GS
GR
GS
   S
GR
NP
0 SG
   GS
      1 W
      650 220 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (credentials) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (credentials) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (known?) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (known?) SH
      GR
   GR
0 SG
GS
   NP
      650 150 M
      45 0 atan DU cos 8.000 MU 650 exch SU
      exch sin 8.000 MU 195 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      650 195 8.000 3.000 0 45 TGAT
   1 SG CP F
   0 SG
   NP
      650 195 8.000 3.000 0 45 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      655 165 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-INIT) SH
      GR
   GR
0 SG
GS
   NP
      590 230 M
      25 -55 atan DU cos 8.000 MU 535 exch SU
      exch sin 8.000 MU 255 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      535 255 8.000 3.000 -55 25 TGAT
   1 SG CP F
   0 SG
   NP
      535 255 8.000 3.000 -55 25 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      475 260 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (AUTH_REQUESTED) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (AUTH_REQUESTED) DU TGSW EX SH
            GS CURP M 0 2 RM NE 0 RL S GR
      GR
   GR
NP
0 SG
   GS
      1 W
      570 230 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      330 120 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) SH
      GR
   GR
0 SG
NP
   250 295 M
   180 325 L
   250 355 L
   320 325 L
CP
GS
GR
GS
   S
GR
NP
0 SG
   GS
      1 W
      250 320 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (session) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (session) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (available?) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (available?) SH
      GR
   GR
0 SG
GS
   NP
      250 155 M
      140 0 atan DU cos 8.000 MU 250 exch SU
      exch sin 8.000 MU 295 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      250 295 8.000 3.000 0 140 TGAT
   1 SG CP F
   0 SG
   NP
      250 295 8.000 3.000 0 140 TGAT
   CP F
GR
0 SG
GS
   GS
      NP
         284 400 M
         300 400 300 450 16 AR
         300 434 L
         300 450 200 450 16 AR
         216 450 L
         200 450 200 400 16 AR
         200 416 L
         200 400 300 400 16 AR
      CP
      S
   GR
GR
NP
0 SG
   GS
      1 W
      250 420 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-VFY-C) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-VFY-C) SH
      GR
   GR
0 SG
GS
   NP
      250 355 M
      45 0 atan DU cos 8.000 MU 250 exch SU
      exch sin 8.000 MU 400 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      250 400 8.000 3.000 0 45 TGAT
   1 SG CP F
   0 SG
   NP
      250 400 8.000 3.000 0 45 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      190 715 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (UNAUTHENTICATED) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (UNAUTHENTICATED) DU TGSW EX SH
            GS CURP M 0 2 RM NE 0 RL S GR
      GR
   GR
0 SG
GS
   NP
      200 430 M
      180 480 L
      215 0 atan DU cos 8.000 MU 180 exch SU
      exch sin 8.000 MU 695 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      180 695 8.000 3.000 0 215 TGAT
   1 SG CP F
   0 SG
   NP
      180 695 8.000 3.000 0 215 TGAT
   CP F
GR
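% Edge label "normal response", centred on (225, 640).
% Label text corrected from "normal resonse" so that it matches the other
% "normal response" edge label in this figure and the wording of the
% procedure text ("If you receive a normal response, ...").
NP
0 SG
   GS
      1 W
      225 640 M
      GS
        % measure the label: 0 + its width is left on the stack
        GS
        0
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (normal response) TGSW 
        AD
        GR
      % move left by half the width so the text is centred on the anchor
      2 DI NE 0 RM
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (normal response) SH
      GR
   GR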
0 SG
GS
   NP
      300 425 M
      0 90 atan DU cos 8.000 MU 390 exch SU
      exch sin 8.000 MU 425 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      390 425 8.000 3.000 90 0 TGAT
   1 SG CP F
   0 SG
   NP
      390 425 8.000 3.000 90 0 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      345 420 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-INIT) SH
      GR
   GR
% Two-line state label centred on (450, 430): an underlined "AUTH_REQUESTED"
% followed by ":", and "forget credentials" on the next line.
% This appears to be the node marked (13) in the figure, matching Step 13
% (step_rcvd_init_failed) of the procedure text: forget or disable the
% credentials for the realm, then go to Step 12.
% NOTE(review): the procedure text spells this status "AUTH-REQUESTED"
% (hyphen); the figure uses an underscore.
NP
0 SG
   GS
      1 W
      450 430 M
      GS
        % total width of "AUTH_REQUESTED" plus ":" for centring
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (AUTH_REQUESTED) TGSW 
        AD
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (:) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (AUTH_REQUESTED) DU TGSW EX SH
            % underline: from the end of the text, 2 units lower, back by the text width
            GS CURP M 0 2 RM NE 0 RL S GR
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (:) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (forget credentials) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (forget credentials) SH
      GR
   GR
0 SG
GS
   NP
      180 325 M
      180 460 L
      250 480 L
      20 0 atan DU cos 8.000 MU 250 exch SU
      exch sin 8.000 MU 500 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      250 500 8.000 3.000 0 20 TGAT
   1 SG CP F
   0 SG
   NP
      250 500 8.000 3.000 0 20 TGAT
   CP F
GR
0 SG
GS
   GS
      NP
         284 500 M
         300 500 300 550 16 AR
         300 534 L
         300 550 200 550 16 AR
         216 550 L
         200 550 200 500 16 AR
         200 516 L
         200 500 300 500 16 AR
      CP
      S
   GR
GR
NP
0 SG
   GS
      1 W
      250 520 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-KEX-C1) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-KEX-C1) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      170 335 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) SH
      GR
   GR
0 SG
GS
   NP
      200 525 M
      180 555 L
      140 0 atan DU cos 8.000 MU 180 exch SU
      exch sin 8.000 MU 695 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      180 695 8.000 3.000 0 140 TGAT
   1 SG CP F
   0 SG
   NP
      180 695 8.000 3.000 0 140 TGAT
   CP F
GR
0 SG
GS
   NP
      450 600 M
      -150 0 atan DU cos 8.000 MU 450 exch SU
      exch sin 8.000 MU 450 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      450 450 8.000 3.000 0 -150 TGAT
   1 SG CP F
   0 SG
   NP
      450 450 8.000 3.000 0 -150 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      455 580 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-INIT) SH
      GR
   GR
% Underlined state label centred on (450, 720): the terminal state reached
% after a 200-VFY-S response.
% NOTE(review): Step 14 of the procedure text names this status
% "AUTH-SUCCEEDED"; the figure label reads "AUTH_SUCCEED". Confirm which
% spelling is intended before relying on the state name.
NP
0 SG
   GS
      1 W
      450 720 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (AUTH_SUCCEED) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (AUTH_SUCCEED) DU TGSW EX SH
            % underline: from the end of the text, 2 units lower, back by the text width
            GS CURP M 0 2 RM NE 0 RL S GR
      GR
   GR
0 SG
GS
   NP
      250 550 M
      80 150 atan DU cos 8.000 MU 400 exch SU
      exch sin 8.000 MU 630 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      400 630 8.000 3.000 150 80 TGAT
   1 SG CP F
   0 SG
   NP
      400 630 8.000 3.000 150 80 TGAT
   CP F
GR
0 SG
GS
   NP
      295 445 M
      250 105 atan DU cos 8.000 MU 400 exch SU
      exch sin 8.000 MU 695 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      400 695 8.000 3.000 105 250 TGAT
   1 SG CP F
   0 SG
   NP
      400 695 8.000 3.000 105 250 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      340 547 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (200-VFY-S) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      280 580 M
      GS
        GS
        0
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-KEX-S1) TGSW 
        AD
        GR
      NE 0 RM
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-KEX-S1) SH
      GR
   GR
0 SG
GS
   GS
      NP
         484 600 M
         500 600 500 650 16 AR
         500 634 L
         500 650 400 650 16 AR
         416 650 L
         400 650 400 600 16 AR
         400 616 L
         400 600 500 600 16 AR
      CP
      S
   GR
GR
NP
0 SG
   GS
      1 W
      450 620 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-VFY-C) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-VFY-C) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      455 662 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (200-VFY-S) SH
      GR
   GR
0 SG
GS
   NP
      450 650 M
      45 0 atan DU cos 8.000 MU 450 exch SU
      exch sin 8.000 MU 695 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      450 695 8.000 3.000 0 45 TGAT
   1 SG CP F
   0 SG
   NP
      450 695 8.000 3.000 0 45 TGAT
   CP F
GR
0 SG
NP
   650 295 M
   580 325 L
   650 355 L
   720 325 L
CP
GS
GR
GS
   S
GR
NP
0 SG
   GS
      1 W
      650 320 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (session) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (session) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (available?) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (available?) SH
      GR
   GR
0 SG
GS
   GS
      NP
         684 400 M
         700 400 700 450 16 AR
         700 434 L
         700 450 600 450 16 AR
         616 450 L
         600 450 600 400 16 AR
         600 416 L
         600 400 700 400 16 AR
      CP
      S
   GR
GR
NP
0 SG
   GS
      1 W
      650 420 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-VFY-C) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-VFY-C) SH
      GR
   GR
0 SG
GS
   NP
      650 355 M
      45 0 atan DU cos 8.000 MU 650 exch SU
      exch sin 8.000 MU 400 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      650 400 8.000 3.000 0 45 TGAT
   1 SG CP F
   0 SG
   NP
      650 400 8.000 3.000 0 45 TGAT
   CP F
GR
0 SG
GS
   GS
      NP
         684 500 M
         700 500 700 550 16 AR
         700 534 L
         700 550 600 550 16 AR
         616 550 L
         600 550 600 500 16 AR
         600 516 L
         600 500 700 500 16 AR
      CP
      S
   GR
GR
NP
0 SG
   GS
      1 W
      650 520 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-KEX-C1) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-KEX-C1) SH
      GR
   GR
0 SG
GS
   NP
      650 255 M
      40 0 atan DU cos 8.000 MU 650 exch SU
      exch sin 8.000 MU 295 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      650 295 8.000 3.000 0 40 TGAT
   1 SG CP F
   0 SG
   NP
      650 295 8.000 3.000 0 40 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      520 420 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-INIT) SH
      GR
   GR
0 SG
GS
   NP
      600 425 M
      0 -90 atan DU cos 8.000 MU 510 exch SU
      exch sin 8.000 MU 425 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      510 425 8.000 3.000 -90 0 TGAT
   1 SG CP F
   0 SG
   NP
      510 425 8.000 3.000 -90 0 TGAT
   CP F
GR
0 SG
GS
   NP
      720 325 M
      720 465 L
      650 480 L
      20 0 atan DU cos 8.000 MU 650 exch SU
      exch sin 8.000 MU 500 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      650 500 8.000 3.000 0 20 TGAT
   1 SG CP F
   0 SG
   NP
      650 500 8.000 3.000 0 20 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      620 580 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-KEX-S1) SH
      GR
   GR
0 SG
GS
   NP
      650 550 M
      75 -150 atan DU cos 8.000 MU 500 exch SU
      exch sin 8.000 MU 625 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      500 625 8.000 3.000 -150 75 TGAT
   1 SG CP F
   0 SG
   NP
      500 625 8.000 3.000 -150 75 TGAT
   CP F
GR
0 SG
GS
   NP
      605 445 M
      250 -105 atan DU cos 8.000 MU 500 exch SU
      exch sin 8.000 MU 695 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      500 695 8.000 3.000 -105 250 TGAT
   1 SG CP F
   0 SG
   NP
      500 695 8.000 3.000 -105 250 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      560 547 M
      GS
        GS
        0
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (200-VFY-S) TGSW 
        AD
        GR
      NE 0 RM
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (200-VFY-S) SH
      GR
   GR
0 SG
GS
   NP
      300 440 M
      65 305 atan DU cos 8.000 MU 605 exch SU
      exch sin 8.000 MU 505 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      605 505 8.000 3.000 305 65 TGAT
   1 SG CP F
   0 SG
   NP
      605 505 8.000 3.000 305 65 TGAT
   CP F
GR
0 SG
GS
   NP
      625 450 M
      50 0 atan DU cos 8.000 MU 625 exch SU
      exch sin 8.000 MU 500 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      625 500 8.000 3.000 0 50 TGAT
   1 SG CP F
   0 SG
   NP
      625 500 8.000 3.000 0 50 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      350 475 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-STALE) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      630 465 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-STALE) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      730 320 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      665 265 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      235 165 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      265 365 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      635 365 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      775 45 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (USER/PASS INPUTED) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (USER/PASS INPUTED) DU TGSW EX SH
            GS CURP M 0 2 RM NE 0 RL S GR
      GR
   GR
0 SG
GS
   NP
      780 50 M
      780 470 L
      35 -85 atan DU cos 8.000 MU 695 exch SU
      exch sin 8.000 MU 505 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      695 505 8.000 3.000 -85 35 TGAT
   1 SG CP F
   0 SG
   NP
      695 505 8.000 3.000 -85 35 TGAT
   CP F
GR
0 SG
GS
   NP
      295 405 M
      330 355 L
      330 180 L
      0 325 atan DU cos 8.000 MU 655 exch SU
      exch sin 8.000 MU 180 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      655 180 8.000 3.000 325 0 TGAT
   1 SG CP F
   0 SG
   NP
      655 180 8.000 3.000 325 0 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      345 160 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-INIT) SH
      GR
      0 15 RM
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (         with different realm ) SH
      GR
   GR
0 SG
GS
   NP
      295 505 M
      330 460 L
      330 355 L
   TGSM
   1 W
   S
GR
NP
0 SG
   GS
      1 W
      195 105 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(1\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      200 325 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(2\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      210 415 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(3\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      210 515 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(4\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      610 115 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(5\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      605 330 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(7\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      610 415 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(8\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      610 515 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(9\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      600 230 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(6\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      390 75 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(11\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      130 695 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(11\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      415 240 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(12\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      395 410 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(13\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      410 615 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(10\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      410 700 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(14\)) SH
      GR
   GR
GR
tgifsavedpage restore
end
showpage
restore
grestore
399.0 0.0 RM
169 -416.9 M
%%IncludeResource: font Times-Bold
7.63889 2 Nf
(\240Figure\2404: State diagram for ) S
(clients\240) S
0 -430.8 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -441.8 M
[/View [/XYZ -4 315.151398 null] /Dest /50 /DEST pdfmark
0 -441.8 M
[/View [/XYZ -4 315.151398 null] /Dest /51 /DEST pdfmark
0 -460.8 M
15 2 Nf
(8.) S
[/View [/XYZ -4 314.151398 null] /Dest /125 /DEST pdfmark
( Decision Procedure for ) S
(Servers) S
0 -485 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.0256076381 0 32 0 0 (Each server SHOULD have a table of session states. This table need not be persistent over a long term;) A
0 -498.2 M
0.69255513 0 32 0 0 (it MAY be cleared upon server restart, reboot, or others. Each entry in the table SHOULD contain at) A
0 -511.4 M
(least the following information: ) S
11 -532 M
gsave
0 setgray
newpath
11.0 -532.018616 2.75 0 360 arc
closepath
fill
grestore
22 -535.6 M
(The session identifier, the value of the sid parameter. ) S
11 -546.2 M
gsave
0 setgray
newpath
11.0 -546.218628 2.75 0 360 arc
closepath
fill
grestore
22 -549.8 M
(The algorithm used. ) S
11 -560.4 M
gsave
0 setgray
newpath
11.0 -560.41864 2.75 0 360 arc
closepath
fill
grestore
22 -564 M
(The authentication realm. ) S
11 -574.6 M
gsave
0 setgray
newpath
11.0 -574.618652 2.75 0 360 arc
closepath
fill
grestore
22 -578.2 M
(The state of the protocol: one of "key exchanging", "authenticated", "rejected", or "inactive". ) S
11 -588.8 M
gsave
0 setgray
newpath
11.0 -588.818665 2.75 0 360 arc
closepath
fill
grestore
22 -592.4 M
(The user name received from the client ) S
11 -603 M
gsave
0 setgray
newpath
11.0 -603.018677 2.75 0 360 arc
closepath
fill
grestore
22 -606.6 M
(The boolean flag noting whether or not the session is fake. ) S
11 -617.2 M
gsave
0 setgray
newpath
11.0 -617.218689 2.75 0 360 arc
closepath
fill
grestore
22 -620.8 M
11 0 Nf
(When the state is "key exchanging", the values of ) S
(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( and ) S
(S) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(. ) S
0.0 -2.2 RM
11 -633.6 M
gsave
0 setgray
newpath
11.0 -633.618713 2.75 0 360 arc
closepath
fill
grestore
22 -637.2 M
(When the state is "authenticated", the following information: ) S
33 -647.8 M
gsave
0 setgray
newpath
33.0 -647.818726 2.75 0 360 arc
closepath
stroke
grestore
44 -651.4 M
(The value of the session secret z ) S
33 -662 M
gsave
0 setgray
newpath
33.0 -662.018738 2.75 0 360 arc
closepath
stroke
grestore
44 -665.6 M
(The largest nc received from the client \(largest-nc\) ) S
44 -666.6 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 17 -) S
0 setgray
88 -8 M
grestore
pgsave restore N
%%Page: 18 18
%%PageResources: font Times-Roman Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
33 -9.6 M
gsave
0 setgray
newpath
33.0 -9.57000065 2.75 0 360 arc
closepath
stroke
grestore
44 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
3.39531255 0 32 0 0 (For each possible nc values between \(largest-nc\240-\240nc-window\240+\2401\) and max_nc, a flag) A
44 -26.4 M
11 0 Nf
(whether or not a request with the corresponding nc has been received. ) S
0 -50.6 M
(The table MAY contain other information. ) S
0 -74.8 M
(Servers SHOULD respond to the client requests according to the following procedure: ) S
11 -95.4 M
gsave
0 setgray
newpath
11.0 -95.37 2.75 0 360 arc
closepath
fill
grestore
22 -99 M
(When the server receives a normal request: ) S
33 -109.6 M
gsave
0 setgray
newpath
33.0 -109.57 2.75 0 360 arc
closepath
stroke
grestore
44 -113.2 M
(If the requested resource is not protected by the authentication, send a normal response. ) S
33 -123.8 M
gsave
0 setgray
newpath
33.0 -123.77 2.75 0 360 arc
closepath
stroke
grestore
44 -127.4 M
(If the resource is protected by the authentication, send a 401-INIT ) S
(response.) S
11 -138 M
gsave
0 setgray
newpath
11.0 -137.97 2.75 0 360 arc
closepath
fill
grestore
22 -141.6 M
(When the server receives a req-KEX-C1 request: ) S
33 -152.2 M
gsave
0 setgray
newpath
33.0 -152.17 2.75 0 360 arc
closepath
stroke
grestore
44 -155.8 M
(If the requested resource is not protected by the authentication, send a normal response. ) S
33 -166.4 M
gsave
0 setgray
newpath
33.0 -166.37 2.75 0 360 arc
closepath
stroke
grestore
44 -170 M
0.0323660709 0 32 0 0 (If the authentication realm specified in the req-KEX-C1 request is not the expected one, send) A
44 -183.2 M
(a 401-INIT response. ) S
33 -193.8 M
gsave
0 setgray
newpath
33.0 -193.769989 2.75 0 360 arc
closepath
stroke
grestore
44 -197.4 M
(If the server cannot validate the parameter kc1, send a 401-INIT response. ) S
33 -208 M
gsave
0 setgray
newpath
33.0 -207.969986 2.75 0 360 arc
closepath
stroke
grestore
44 -211.6 M
0.818638384 0 32 0 0 (If the received user name is either invalid, unknown or unacceptable, create a new session,) A
44 -224.8 M
11 0 Nf
1.6470052 0 32 0 0 (mark it a "fake" session, compute a random value as ) A
1.6470052 0 32 0 0 (K) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
1.6470052 0 32 0 0 (s1) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
1.6470052 0 32 0 0 (, and send a fake 401-KEX-S1) A
0.0 -2.2 RM
44 -240.2 M
0.152043268 0 32 0 0 (response. \(Note: the server SHOULD\240NOT send a 401-INIT response in this case, because it) A
44 -253.4 M
1.08854163 0 32 0 0 (will leak the information to the client that the specified user will not be accepted. Instead,) A
44 -266.6 M
(postpone it to the response for the next req-VFY-C request.\) ) S
33 -277.2 M
gsave
0 setgray
newpath
33.0 -277.169983 2.75 0 360 arc
closepath
stroke
grestore
44 -280.8 M
11 0 Nf
(Otherwise, create a new session, compute ) S
(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( and send a 401-KEX-S1 ) S
(response.) S
0.0 -2.2 RM
22 -296.2 M
(The created session has the "key exchanging" state. ) S
11 -306.8 M
gsave
0 setgray
newpath
11.0 -306.77002 2.75 0 360 arc
closepath
fill
grestore
22 -310.4 M
(When the server receives a req-VFY-C request: ) S
33 -321 M
gsave
0 setgray
newpath
33.0 -320.970032 2.75 0 360 arc
closepath
stroke
grestore
44 -324.6 M
(If the requested resource is not protected by the authentication, send a normal response. ) S
33 -335.2 M
gsave
0 setgray
newpath
33.0 -335.170044 2.75 0 360 arc
closepath
stroke
grestore
44 -338.8 M
0.468471 0 32 0 0 (If the authentication realm specified in the req-VFY-C request is not the expected one, send) A
44 -352 M
(a 401-INIT ) S
(response.) S
22 -365.2 M
0.752197266 0 32 0 0 (If none of above holds true, the server will lookup the session corresponding to the received sid) A
22 -378.4 M
(and the authentication realm. ) S
33 -389 M
gsave
0 setgray
newpath
33.0 -388.970093 2.75 0 360 arc
closepath
stroke
grestore
44 -392.6 M
0.59260112 0 32 0 0 (If the session corresponding to the received sid could not be found, or it is in the "inactive") A
44 -405.8 M
(state, send a 401-STALE response. ) S
33 -416.4 M
gsave
0 setgray
newpath
33.0 -416.370117 2.75 0 360 arc
closepath
stroke
grestore
44 -420 M
(If the session is in the "rejected" state, send either a 401-INIT or a 401-STALE message. ) S
33 -430.6 M
gsave
0 setgray
newpath
33.0 -430.570129 2.75 0 360 arc
closepath
stroke
grestore
44 -434.2 M
2.48291016 0 32 0 0 (If the session is in the "authenticated" state, and the request has an nc value that was) A
44 -447.4 M
0.671549499 0 32 0 0 (previously received from the client, send a 401-STALE message. The session SHOULD be) A
44 -460.6 M
(changed to the "inactive" status. ) S
33 -471.2 M
gsave
0 setgray
newpath
33.0 -471.170166 2.75 0 360 arc
closepath
stroke
grestore
44 -474.8 M
0.138157889 0 32 0 0 (If the nc value in the request is larger than the nc-max parameter sent from the server, or if it) A
44 -488 M
0.262319714 0 32 0 0 (is not larger than \(largest-nc - nc-window\) \(when in "authenticated" status\), the server MAY) A
44 -501.2 M
0.4765625 0 32 0 0 (\(but not REQUIRED to\) send a 401-STALE message. The session SHOULD be changed to) A
44 -514.4 M
(the "inactive" status if so. ) S
33 -525 M
gsave
0 setgray
newpath
33.0 -524.970215 2.75 0 360 arc
closepath
stroke
grestore
44 -528.6 M
1.08065259 0 32 0 0 (If the session is a "fake" session, or if the received vkc is incorrect, then send a 401-INIT) A
44 -541.8 M
1.83203125 0 32 0 0 (response. If the session is in the "key exchanging" state, it SHOULD be changed to the) A
44 -555 M
0.769010425 0 32 0 0 ("rejected" state; otherwise, it MAY either be changed to the "rejected" status or kept in the) A
44 -568.2 M
(previous state. ) S
33 -578.8 M
gsave
0 setgray
newpath
33.0 -578.770264 2.75 0 360 arc
closepath
stroke
grestore
44 -582.4 M
0.131138399 0 32 0 0 (Otherwise, send a 200-VFY-S response. If the session was in the "key exchanging" state, the) A
44 -595.6 M
0.698102653 0 32 0 0 (session SHOULD be changed to an "authenticated" state. The maximum nc and nc flags of) A
44 -608.8 M
(the state SHOULD be updated properly. ) S
0 -633 M
1.42135417 0 32 0 0 (At any time, the server MAY change any state entries with both the "rejected" and "authenticated") A
0 -646.2 M
1.48177087 0 32 0 0 (statuses to the "inactive" status, and MAY discard any "inactive" states from the table. The entries) A
0 -659.4 M
0.936035156 0 32 0 0 (with the "key exchanging" status SHOULD be kept unless there is an emergency situation such as a) A
0 -659.4 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 18 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 19 19
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(server reboot or a table capacity overflow. ) S
0 -24.2 M
[/View [/XYZ -4 732.8 null] /Dest /52 /DEST pdfmark
0 -24.2 M
[/View [/XYZ -4 732.8 null] /Dest /53 /DEST pdfmark
0 -43.2 M
%%IncludeResource: font Times-Bold
15 2 Nf
(9.) S
[/View [/XYZ -4 731.8 null] /Dest /126 /DEST pdfmark
( Applying for Specific Authentication ) S
(Schemes) S
0 -67.4 M
11 0 Nf
0.355208337 0 32 0 0 (Each authentication scheme to use this template MUST at least provide definitions for the following ) A
0 -80.6 M
(functions:) S
11 -101.2 M
gsave
0 setgray
newpath
11.0 -101.170006 2.75 0 360 arc
closepath
fill
grestore
22 -104.8 M
1.8203125 0 32 0 0 (A token for distinguishing the protocol from any others \(like Basic or Digest\), to be used as) A
22 -118 M
("auth-scheme"s. ) S
11 -128.6 M
gsave
0 setgray
newpath
11.0 -128.57 2.75 0 360 arc
closepath
fill
grestore
22 -132.2 M
(A set of tokens which will be allowed in the "algorithm" field of 401-INIT message. ) S
11 -142.8 M
gsave
0 setgray
newpath
11.0 -142.77 2.75 0 360 arc
closepath
fill
grestore
22 -146.4 M
(* A string preparation algorithm based on ) S
gsave
newpath
208.6 -147.5 M
121.804688 0 RL
stroke
grestore
([I-D.ietf-precis-framework]) S
[/Rect [207.621094 -149.15 331.425781 -137.049988] /Subtype /Link /Border [0 0 0] /Dest /77 /ANN pdfmark
(. \(see ) S
gsave
newpath
356.4 -147.5 M
46.7382812 0 RL
stroke
grestore
(Section\24011) S
[/Rect [355.378906 -149.15 404.117188 -137.049988] /Subtype /Link /Border [0 0 0] /Dest /58 /ANN pdfmark
(\)) S
0 -170.6 M
(Furthermore, for each sub-algorithm defined by the "algorithm" field, the following MUST be ) S
(defined:) S
11 -191.2 M
gsave
0 setgray
newpath
11.0 -191.17 2.75 0 360 arc
closepath
fill
grestore
22 -194.8 M
(A format for representing fields "kc1", "ks1", "vkc" and "vks". ) S
11 -205.4 M
gsave
0 setgray
newpath
11.0 -205.37 2.75 0 360 arc
closepath
fill
grestore
22 -209 M
11 0 Nf
(An algorithm for computing key exchange values ) S
(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(, ) S
(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(. ) S
0.0 -2.2 RM
11 -221.8 M
gsave
0 setgray
newpath
11.0 -221.769989 2.75 0 360 arc
closepath
fill
grestore
22 -225.4 M
(A hash function H to be used with the algorithm. ) S
11 -236 M
gsave
0 setgray
newpath
11.0 -235.969986 2.75 0 360 arc
closepath
fill
grestore
22 -239.6 M
11 0 Nf
0.507487 0 32 0 0 (* An algorithm for computing authentication confirmation values ) A
0.507487 0 32 0 0 (VK) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
0.507487 0 32 0 0 (c) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
0.507487 0 32 0 0 (, ) A
0.507487 0 32 0 0 (VK) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
0.507487 0 32 0 0 (s) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
0.507487 0 32 0 0 (. Values derived by) A
0.0 -2.2 RM
22 -255 M
1.69411063 0 32 0 0 (these algorithms SHOULD depend on the value of "nc" value used for each re-authenticating) A
22 -268.2 M
0.191162109 0 32 0 0 (requests using the same "sid". It SHOULD also depend on the value of the host verification value) A
22 -281.4 M
("vh". ) S
11 -292 M
gsave
0 setgray
newpath
11.0 -291.97 2.75 0 360 arc
closepath
fill
grestore
22 -295.6 M
(* If possible, an algorithm for computing "application channel binding keys" \(see ) S
gsave
newpath
383.1 -296.7 M
46.7382812 0 RL
stroke
grestore
(Section\24010) S
[/Rect [382.140625 -298.35 430.878906 -286.25] /Subtype /Link /Border [0 0 0] /Dest /56 /ANN pdfmark
(\).) S
0 -319.8 M
(For items marked with asterisks \(*\), default template functions are provided in the following ) S
(sections.) S
0 -330.8 M
[/View [/XYZ -4 426.199982 null] /Dest /54 /DEST pdfmark
0 -330.8 M
[/View [/XYZ -4 426.199982 null] /Dest /55 /DEST pdfmark
0 -346.4 M
13 2 Nf
(9.1.) S
[/View [/XYZ -4 426.199982 null] /Dest /127 /DEST pdfmark
( Default Functions for ) S
(Algorithms) S
0 -370.6 M
11 0 Nf
0.267968744 0 32 0 0 (If there are no specific \(such as compatibility\) requirements for values ) A
0.267968744 0 32 0 0 (VK) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
0.267968744 0 32 0 0 (c) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
0.267968744 0 32 0 0 (, ) A
0.267968744 0 32 0 0 (VK) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
0.267968744 0 32 0 0 (s) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
0.267968744 0 32 0 0 (, schemes MAY use) A
0.0 -2.2 RM
0 -386 M
11 0 Nf
2.09486604 0 32 0 0 (the default functions for computing ) A
2.09486604 0 32 0 0 (VK) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
2.09486604 0 32 0 0 (c) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
2.09486604 0 32 0 0 ( and ) A
2.09486604 0 32 0 0 (VK) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
2.09486604 0 32 0 0 (s) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
2.09486604 0 32 0 0 (, defined in this section. Designers of specific) A
0.0 -2.2 RM
0 -401.4 M
0.130468756 0 32 0 0 (authentication schemes MAY choose either to use this default function or not, depending on the nature) A
0 -414.6 M
(and the background settings for each authentication scheme to be defined. ) S
0 -438.8 M
(To use this default function, the algorithm specification SHALL specify the following ) S
(values.) S
11 -459.4 M
gsave
0 setgray
newpath
11.0 -459.370056 2.75 0 360 arc
closepath
fill
grestore
22 -463 M
(Shared secret z, to be computed in both server-side and client side using exchanged ) S
(values.) S
0 -487.2 M
11 0 Nf
(The values ) S
(VK) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( and ) S
(VK) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( are derived by the following equation. ) S
0.0 -2.2 RM
0 -513.6 M
11 0 Nf
(VK) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( = H\(octet\(4\) | ) S
(OCTETS\(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(\) | ) S
(OCTETS\(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(\) | OCTETS\(z\) | VI\(nc\) | VS\(vh\)\) ) S
0.0 -2.2 RM
0 -529 M
11 0 Nf
(VK) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( = H\(octet\(3\) | ) S
(OCTETS\(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(\) | ) S
(OCTETS\(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(\) | OCTETS\(z\) | VI\(nc\) | VS\(vh\)\) ) S
0.0 -2.2 RM
0 -555.4 M
(The definitions of any support functions in the above definitions are provided in ) S
gsave
newpath
355.2 -556.5 M
54.0703125 0 RL
stroke
grestore
(Appendix\240A) S
[/Rect [354.230469 -558.150085 410.300781 -546.05011] /Subtype /Link /Border [0 0 0] /Dest /93 /ANN pdfmark
(. ) S
0 -566.4 M
[/View [/XYZ -4 190.599915 null] /Dest /56 /DEST pdfmark
0 -566.4 M
[/View [/XYZ -4 190.599915 null] /Dest /57 /DEST pdfmark
0 -585.4 M
15 2 Nf
(10.) S
[/View [/XYZ -4 189.599915 null] /Dest /128 /DEST pdfmark
( Application Channel ) S
(Binding) S
0 -609.6 M
11 0 Nf
3.67695308 0 32 0 0 (Applications and upper-layer communication protocols may need authentication binding to the) A
0 -622.8 M
0.434495181 0 32 0 0 (HTTP-layer authenticated user. Such applications MAY use the following values as a standard shared) A
0 -636 M
(secret. ) S
0 -636 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 19 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 20 20
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.21328127 0 32 0 0 (These values are parameterized with an optional octet string \(t\) which may be arbitrarily chosen by) A
0 -26.4 M
(each application or protocol. If there is no appropriate value to be specified, use a null string for t. ) S
0 -50.6 M
0.22115384 0 32 0 0 (The following definitions are assuming that the authentication scheme uses the default function shown) A
0 -63.8 M
11 0 Nf
3.14257812 0 32 0 0 (above for computing ) A
3.14257812 0 32 0 0 (VK) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
3.14257812 0 32 0 0 (c) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
3.14257812 0 32 0 0 ( and ) A
3.14257812 0 32 0 0 (VK) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
3.14257812 0 32 0 0 (s) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
3.14257812 0 32 0 0 (. If not, the specification for the authentication scheme is) A
0.0 -2.2 RM
0 -79.2 M
0.659667969 0 32 0 0 (encouraged to provide an alternative means for this purpose \(e.g., either to specify the function for z,) A
0 -92.4 M
11 0 Nf
(or to specify functions ) S
(b) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( and ) S
(b) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(2) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(\). ) S
0.0 -2.2 RM
0 -118.8 M
1.23270094 0 32 0 0 (For applications requiring binding to either an authenticated user or a shared-key session \(to ensure) A
0 -132 M
11 0 Nf
(that the requesting client is certainly authenticated\), the following value ) S
(b) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( MAY be used. ) S
0.0 -2.2 RM
0 -158.4 M
11 0 Nf
3.07830262 0 32 0 0 (b) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
3.07830262 0 32 0 0 (1) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
3.07830262 0 32 0 0 ( = OCTETS\(H\(OCTETS\(H\(octet\(6\) | ) A
3.07830262 0 32 0 0 (OCTETS\(K) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
3.07830262 0 32 0 0 (c1) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
3.07830262 0 32 0 0 (\) | ) A
3.07830262 0 32 0 0 (OCTETS\(K) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
3.07830262 0 32 0 0 (s1) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
3.07830262 0 32 0 0 (\) | OCTETS\(z\) | VI\(0\) |) A
0.0 -2.2 RM
0 -173.8 M
(VS\(vh\)\)\) | VS\(t\)\)\). ) S
0 -198 M
0.0864257812 0 32 0 0 (For applications requiring binding to a specific request \(to ensure that the payload data is generated for) A
0 -211.2 M
11 0 Nf
(the exact HTTP request\), the following value ) S
(b) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(2) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( MAY be used. ) S
0.0 -2.2 RM
0 -237.6 M
11 0 Nf
2.63441062 0 32 0 0 (b) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
2.63441062 0 32 0 0 (2) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
2.63441062 0 32 0 0 ( = OCTETS\(H\(OCTETS\(H\(octet\(7\) | ) A
2.63441062 0 32 0 0 (OCTETS\(K) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
2.63441062 0 32 0 0 (c1) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
2.63441062 0 32 0 0 (\) | ) A
2.63441062 0 32 0 0 (OCTETS\(K) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
2.63441062 0 32 0 0 (s1) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
2.63441062 0 32 0 0 (\) | OCTETS\(z\) | VI\(nc\) |) A
0.0 -2.2 RM
0 -253 M
(VS\(vh\)\)\) | VS\(t\)\)\). ) S
0 -277.2 M
(The definitions of any support functions in the above definitions are provided in ) S
gsave
newpath
355.2 -278.3 M
54.0703125 0 RL
stroke
grestore
(Appendix\240A) S
[/Rect [354.230469 -279.949982 410.300781 -267.849976] /Subtype /Link /Border [0 0 0] /Dest /93 /ANN pdfmark
(. ) S
0 -288.2 M
[/View [/XYZ -4 468.800018 null] /Dest /58 /DEST pdfmark
0 -288.2 M
[/View [/XYZ -4 468.800018 null] /Dest /59 /DEST pdfmark
0 -307.2 M
%%IncludeResource: font Times-Bold
15 2 Nf
(11.) S
[/View [/XYZ -4 467.800018 null] /Dest /129 /DEST pdfmark
( String ) S
(Preparation) S
0 -331.4 M
11 0 Nf
0.953776062 0 32 0 0 (For proper internationalization of the protocol to be designed, each authentication scheme SHOULD) A
0 -344.6 M
0.373437494 0 32 0 0 (specify algorithms for preparing string inputs, unless the underlying protocol does not use any kind of) A
0 -357.8 M
(human-readable \(i.e., possibly-non-ASCII-capable\) identifier or passwords. ) S
0 -382 M
2.14955354 0 32 0 0 (If some algorithm is suitable for each specific authentication scheme in relation to other existing) A
0 -395.2 M
2.81676126 0 32 0 0 (protocols, that one should be used \(e.g. ) A
gsave
newpath
194.4 -396.3 M
50.1054688 0 RL
stroke
grestore
2.81676126 0 32 0 0 ([RFC4013]) A
[/Rect [193.4375 -397.950043 245.542969 -385.850037] /Subtype /Link /Border [0 0 0] /Dest /81 /ANN pdfmark
2.81676126 0 32 0 0 ( or ) A
gsave
newpath
264.8 -396.3 M
149.324219 0 RL
stroke
grestore
2.81676126 0 32 0 0 ([I-D.melnikov-precis-saslprepbis]) A
[/Rect [263.835938 -397.950043 415.160156 -385.850037] /Subtype /Link /Border [0 0 0] /Dest /78 /ANN pdfmark
2.81676126 0 32 0 0 ( for any) A
0 -408.4 M
(SASL-related authentication algorithms\). ) S
0 -432.6 M
2.51025391 0 32 0 0 (If there is no specific one to be chosen, schemes may choose the following default choice: use ) A
0 -445.8 M
gsave
newpath
0 -446.9 M
149.324219 0 RL
stroke
grestore
3.15576172 0 32 0 0 ([I-D.melnikov-precis-saslprepbis]) A
[/Rect [-1.0 -448.550079 150.324219 -436.450073] /Subtype /Link /Border [0 0 0] /Dest /78 /ANN pdfmark
3.15576172 0 32 0 0 ( for user-identifiers and passwords-like strings, except that case) A
0 -459 M
3.4729166 0 32 0 0 (mapping of upper-case and title-case letters will NOT be applied \(i.e., the string will be left) A
0 -472.2 M
(case-sensitive, for keeping compatibility with existing HTTP-based authentication mechanisms\). ) S
0 -483.2 M
[/View [/XYZ -4 273.799896 null] /Dest /60 /DEST pdfmark
0 -483.2 M
[/View [/XYZ -4 273.799896 null] /Dest /61 /DEST pdfmark
0 -502.2 M
15 2 Nf
(12.) S
[/View [/XYZ -4 272.799896 null] /Dest /130 /DEST pdfmark
( Application for Proxy ) S
(Authentication) S
0 -526.4 M
11 0 Nf
2.45284605 0 32 0 0 (The authentication scheme defined by using the previous sections can be applied also for proxy) A
0 -539.6 M
(authentications. In such cases, the following alterations MUST be ) S
(applied:) S
11 -560.2 M
gsave
0 setgray
newpath
11.0 -560.170105 2.75 0 360 arc
closepath
fill
grestore
22 -563.8 M
(The 407 status is to be sent and recognized for places where the 401 status is used, ) S
11 -574.4 M
gsave
0 setgray
newpath
11.0 -574.370117 2.75 0 360 arc
closepath
fill
grestore
22 -578 M
(Proxy-Authenticate: header is to be used for places where WWW-Authenticate: is used, ) S
11 -588.6 M
gsave
0 setgray
newpath
11.0 -588.570129 2.75 0 360 arc
closepath
fill
grestore
22 -592.2 M
(Proxy-Authorization: header is to be used for places where Authorization: is used, ) S
11 -602.8 M
gsave
0 setgray
newpath
11.0 -602.770142 2.75 0 360 arc
closepath
fill
grestore
22 -606.4 M
(Proxy-Authentication-Info: header is to be used for places where Authentication-Info: is used, ) S
11 -617 M
gsave
0 setgray
newpath
11.0 -616.970154 2.75 0 360 arc
closepath
fill
grestore
22 -620.6 M
2.30175781 0 32 0 0 (The omission of the path parameter of 401-KEX-S1 messages means that the authentication) A
22 -633.8 M
(realm will potentially cover all requests processed by the proxy, ) S
11 -644.4 M
gsave
0 setgray
newpath
11.0 -644.370178 2.75 0 360 arc
closepath
fill
grestore
22 -648 M
(The scheme, host name and the port of the proxy are used for host validation ) S
(tokens.) S
0 -648 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 20 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 21 21
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /62 /DEST pdfmark
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /63 /DEST pdfmark
0 -18 M
%%IncludeResource: font Times-Bold
15 2 Nf
(13.) S
[/View [/XYZ -4 757.0 null] /Dest /131 /DEST pdfmark
( Methods to extend this protocol ) S
(template) S
0 -42.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.49158657 0 32 0 0 (The template is designed to have fair amount of flexibility for implementing several authentication) A
0 -55.4 M
4.15842 0 32 0 0 (schemes. However, if needed, specifications defining authentication schemes or authentication) A
0 -68.6 M
1.73828125 0 32 0 0 (algorithms MAY define its own representations for the parameters "kc1", "ks1", "vkc", and "vks",) A
0 -81.8 M
1.79154825 0 32 0 0 (and/or add parameters to the messages containing those parameters in supplemental specifications,) A
0 -95 M
1.71397567 0 32 0 0 (provided that syntactic and semantic requirements in ) A
gsave
newpath
246.8 -96.1 M
41.2382812 0 RL
stroke
grestore
1.71397567 0 32 0 0 (Section\2403) A
[/Rect [245.84375 -97.75 289.082031 -85.65] /Subtype /Link /Border [0 0 0] /Dest /20 /ANN pdfmark
1.71397567 0 32 0 0 (, ) A
gsave
newpath
295.3 -96.1 M
138.335938 0 RL
stroke
grestore
1.71397567 0 32 0 0 ([I-D.ietf-httpbis-p1-messaging]) A
[/Rect [294.292969 -97.75 434.628906 -85.65] /Subtype /Link /Border [0 0 0] /Dest /75 /ANN pdfmark
1.71397567 0 32 0 0 ( and ) A
0 -108.2 M
gsave
newpath
0 -109.3 M
110.84375 0 RL
stroke
grestore
([I-D.ietf-httpbis-p7-auth]) S
[/Rect [-1.0 -110.95 111.84375 -98.85] /Subtype /Link /Border [0 0 0] /Dest /76 /ANN pdfmark
( are satisfied. ) S
0 -132.4 M
1.75150239 0 32 0 0 (If there is more than two round-trips of messages needed for performing authentication, messages) A
0 -145.6 M
0.258522719 0 32 0 0 (named "req-KEX-C2", "401-KEX-S2", "req-KEX-C3" and so on MAY be used between 401-KEX-S1) A
0 -158.8 M
0.131770834 0 32 0 0 (and req-VFY-C messages. These messages MUST have algorithm, realm, and sid fields as the same as) A
0 -172 M
0.659877241 0 32 0 0 (req-KEX-C1 and 401-KEX-S1, and they SHOULD have fields named "kc2", "ks2", "kc3" and so on,) A
0 -185.2 M
(respectively. ) S
0 -209.4 M
0.771614611 0 32 0 0 (It is RECOMMENDED that any parameters starting with "kc", "ks", "vkc" or "vks" and followed by) A
0 -222.6 M
1.29270828 0 32 0 0 (decimal natural numbers \(e.g.\240kc2, ks0, vkc1, vks3 etc.\) are reserved for this purpose. It is strongly) A
0 -235.8 M
1.56460333 0 32 0 0 (encouraged that specifications for authentication schemes do not rename or remove these fields, as) A
0 -249 M
(they are important for distinguishing message types. ) S
0 -260 M
[/View [/XYZ -4 497.000031 null] /Dest /64 /DEST pdfmark
0 -260 M
[/View [/XYZ -4 497.000031 null] /Dest /65 /DEST pdfmark
0 -279 M
15 2 Nf
(14.) S
[/View [/XYZ -4 496.000031 null] /Dest /132 /DEST pdfmark
( IANA ) S
(Considerations) S
0 -303.2 M
11 0 Nf
([TBD]) S
0 -314.2 M
[/View [/XYZ -4 442.800018 null] /Dest /66 /DEST pdfmark
0 -314.2 M
[/View [/XYZ -4 442.800018 null] /Dest /67 /DEST pdfmark
0 -333.2 M
15 2 Nf
(15.) S
[/View [/XYZ -4 441.800018 null] /Dest /133 /DEST pdfmark
( Security ) S
(Considerations) S
0 -340.7 M
[/View [/XYZ -4 416.300018 null] /Dest /68 /DEST pdfmark
0 -340.7 M
[/View [/XYZ -4 416.300018 null] /Dest /69 /DEST pdfmark
0 -359.2 M
13 2 Nf
(15.1.) S
[/View [/XYZ -4 413.400024 null] /Dest /134 /DEST pdfmark
( Security ) S
(Properties) S
11 -379.8 M
gsave
0 setgray
newpath
11.0 -379.77 2.75 0 360 arc
closepath
fill
grestore
22 -383.4 M
11 0 Nf
1.16286063 0 32 0 0 (The protocol template relies on transport security including DNS integrity for data secrecy and) A
22 -396.6 M
0.259588063 0 32 0 0 (integrity, regardless of any underlying authentication algorithm to be used. HTTP/TLS SHOULD) A
22 -409.8 M
(be used where transport security is not assured and/or data secrecy is important. ) S
11 -420.4 M
gsave
0 setgray
newpath
11.0 -420.370026 2.75 0 360 arc
closepath
fill
grestore
22 -424 M
0.318509609 0 32 0 0 (When used with HTTP/TLS, if TLS server certificates are reliably verified, the protocol provides) A
22 -437.2 M
(true protection against active man-in-the-middle attacks. ) S
0 -448.2 M
[/View [/XYZ -4 308.799957 null] /Dest /70 /DEST pdfmark
0 -448.2 M
[/View [/XYZ -4 308.799957 null] /Dest /71 /DEST pdfmark
0 -463.8 M
13 2 Nf
(15.2.) S
[/View [/XYZ -4 308.799957 null] /Dest /135 /DEST pdfmark
( Denial-of-service Attacks to ) S
(Servers) S
0 -488 M
11 0 Nf
0.717529297 0 32 0 0 (The protocol requires a server-side table of active sessions, which may become a critical point of the) A
0 -501.2 M
3.09014416 0 32 0 0 (server resource consumptions. For proper operation, the protocol requires that at least one key) A
0 -514.4 M
0.789963961 0 32 0 0 (verification request is processed for each session identifier. After that, servers MAY discard sessions) A
0 -527.6 M
2.75721145 0 32 0 0 (internally at any time, without causing any operational problems to clients. Clients will silently) A
0 -540.8 M
(reestablish a new session then. ) S
0 -565 M
1.60997593 0 32 0 0 (However, if a malicious client sends too many requests of key exchanges \(req-KEX-C1 messages\)) A
0 -578.2 M
1.55943084 0 32 0 0 (only, resource starvation might occur. In such critical situations, servers MAY discard any kind of) A
0 -591.4 M
0.661979139 0 32 0 0 (existing sessions regardless of these statuses. One way to mitigate such attacks is that servers MAY) A
0 -604.6 M
0.862304688 0 32 0 0 (have a number and a time limit for unverified pending key exchange requests \(in the "wa received") A
0 -617.8 M
(status\). ) S
0 -628.8 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 21 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 22 22
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.291927069 0 32 0 0 (This is a common weakness of authentication protocols with almost any kind of negotiations or states,) A
0 -26.4 M
3.79199219 0 32 0 0 (including Digest authentication method and most Cookie-based authentication implementations.) A
0 -39.6 M
0.597055316 0 32 0 0 (However, regarding the resource consumption, the situation with this authentication template is slightly) A
0 -52.8 M
1.47070312 0 32 0 0 (better than the Digest, because HTTP requests without any kind of authentication requests will not) A
0 -66 M
2.98463535 0 32 0 0 (generate any kind of sessions. Session identifiers are only generated after a client starts a key) A
0 -79.2 M
3.7232573 0 32 0 0 (negotiation. It means that simple clients such as web crawlers will not accidentally consume) A
0 -92.4 M
(server-side resources for session managements. ) S
0 -103.4 M
[/View [/XYZ -4 653.6 null] /Dest /72 /DEST pdfmark
0 -103.4 M
[/View [/XYZ -4 653.6 null] /Dest /73 /DEST pdfmark
0 -122.4 M
%%IncludeResource: font Times-Bold
15 2 Nf
(16.) S
[/View [/XYZ -4 652.6 null] /Dest /136 /DEST pdfmark
( ) S
(References) S
0 -129.9 M
[/View [/XYZ -4 627.1 null] /Dest /74 /DEST pdfmark
0 -148.4 M
13 2 Nf
(16.1.) S
[/View [/XYZ -4 624.2 null] /Dest /137 /DEST pdfmark
( Normative ) S
(References) S
8 -175.7 M
11 0 Nf
([I-D.ietf-httpbis-p1-messaging]) S
[/View [/XYZ -4 842 null] /Dest /75 /DEST pdfmark
171.8 -175.7 M
(Fielding, R. and J. Reschke, ) S
(\233) S
gsave
newpath
302.8 -176.8 M
123.984375 0 RL
stroke
grestore
(Hypertext Transfer Protocol) S
[/Rect [301.82074 -178.45 427.805115 -166.349991] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-httpbis-p1-messaging-21.txt)] Cd /ANN pdfmark
171.8 -188.9 M
gsave
newpath
171.8 -190 M
150.585938 0 RL
stroke
grestore
(\(HTTP/1.1\): Message Syntax and ) S
gsave
newpath
322.4 -190 M
35.4453125 0 RL
stroke
grestore
(Routing) S
[/Rect [170.769974 -191.65 358.801208 -179.549988] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-httpbis-p1-messaging-21.txt)] Cd /ANN pdfmark
(,\234) S
171.8 -202.1 M
(draft-ietf-httpbis-p1-messaging-21 \(work in progress\),) S
171.8 -215.3 M
(October\2402012 ) S
(\() S
gsave
newpath
238.4 -216.4 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [237.352 -218.049988 260.730896 -205.949982] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-httpbis-p1-messaging-21.txt)] Cd /ANN pdfmark
(\).) S
8 -237.1 M
([I-D.ietf-httpbis-p7-auth]) S
[/View [/XYZ -4 842 null] /Dest /76 /DEST pdfmark
171.8 -237.1 M
(Fielding, R. and J. Reschke, ) S
(\233) S
gsave
newpath
302.8 -238.2 M
123.984375 0 RL
stroke
grestore
(Hypertext Transfer Protocol) S
[/Rect [301.82074 -239.8 427.805115 -227.7] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-httpbis-p7-auth-21.txt)] Cd /ANN pdfmark
171.8 -250.3 M
gsave
newpath
171.8 -251.3 M
57.421875 0 RL
stroke
grestore
(\(HTTP/1.1\): ) S
gsave
newpath
229.2 -251.3 M
65.3632812 0 RL
stroke
grestore
(Authentication) S
[/Rect [170.769974 -253.0 295.555115 -240.9] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-httpbis-p7-auth-21.txt)] Cd /ANN pdfmark
(,\234 draft-ietf-httpbis-p7-auth-21) S
171.8 -263.5 M
(\(work in progress\), October\2402012 ) S
(\() S
gsave
newpath
325.1 -264.6 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [324.086365 -266.2 347.465271 -254.1] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-httpbis-p7-auth-21.txt)] Cd /ANN pdfmark
(\).) S
8 -285.2 M
([I-D.ietf-precis-framework]) S
[/View [/XYZ -4 842 null] /Dest /77 /DEST pdfmark
171.8 -285.2 M
(Saint-Andre, P. and M. Blanchet, ) S
(\233) S
gsave
newpath
326 -286.3 M
93.7773438 0 RL
stroke
grestore
(PRECIS Framework:) S
[/Rect [325.019958 -287.95 420.797302 -275.85] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-precis-framework-06.txt)] Cd /ANN pdfmark
171.8 -298.4 M
gsave
newpath
171.8 -299.5 M
260.222656 0 RL
stroke
grestore
(Preparation and Comparison of Internationalized Strings in) S
[/Rect [170.769974 -301.150024 432.992615 -289.050018] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-precis-framework-06.txt)] Cd /ANN pdfmark
171.8 -311.6 M
gsave
newpath
171.8 -312.7 M
54.6757812 0 RL
stroke
grestore
(Application ) S
gsave
newpath
226.4 -312.7 M
41.5429688 0 RL
stroke
grestore
(Protocols) S
[/Rect [170.769974 -314.350037 268.988708 -302.250031] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-precis-framework-06.txt)] Cd /ANN pdfmark
(,\234 draft-ietf-precis-framework-06) S
171.8 -324.8 M
(\(work in progress\), September\2402012 ) S
(\() S
gsave
newpath
336.7 -325.9 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [335.69574 -327.550049 359.074646 -315.450043] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-precis-framework-06.txt)] Cd /ANN pdfmark
(\).) S
8 -335.6 M
0.989591539 0.989591539 scale

-0.0 -11.0 RM
([I-D.melnikov-precis-saslprepbis]) S
[/View [/XYZ -4 842 null] /Dest /78 /DEST pdfmark
1.01051795 1.01051795 scale

171.8 -346.6 M
(Saint-Andre, P. and A. Melnikov, ) S
(\233) S
gsave
newpath
327.9 -347.6 M
69.3242188 0 RL
stroke
grestore
(Preparation and) S
[/Rect [326.859802 -349.3 398.184021 -337.199982] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-melnikov-precis-saslprepbis-04.txt)] Cd /ANN pdfmark
171.8 -359.8 M
gsave
newpath
171.8 -360.9 M
237.625 0 RL
stroke
grestore
(Comparison of Internationalized Strings Representing) S
[/Rect [170.769974 -362.5 410.394958 -350.4] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-melnikov-precis-saslprepbis-04.txt)] Cd /ANN pdfmark
171.8 -373 M
gsave
newpath
171.8 -374.1 M
109.34375 0 RL
stroke
grestore
(Simple User Names and ) S
gsave
newpath
281.1 -374.1 M
46.4296875 0 RL
stroke
grestore
(Passwords) S
[/Rect [170.769974 -375.7 328.543396 -363.6] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-melnikov-precis-saslprepbis-04.txt)] Cd /ANN pdfmark
(,\234) S
171.8 -386.2 M
(draft-melnikov-precis-saslprepbis-04 \(work in progress\),) S
171.8 -399.4 M
(September\2402012 ) S
(\() S
gsave
newpath
250 -400.5 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [248.96138 -402.100037 272.340271 -390.000031] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-melnikov-precis-saslprepbis-04.txt)] Cd /ANN pdfmark
(\).) S
8 -421.1 M
([RFC2119]) S
[/View [/XYZ -4 842 null] /Dest /79 /DEST pdfmark
171.8 -421.1 M
gsave
newpath
171.8 -422.2 M
40.921875 0 RL
stroke
grestore
(Bradner, ) S
gsave
newpath
212.7 -422.2 M
8.86328125 0 RL
stroke
grestore
(S.) S
(, ) S
(\233) S
gsave
newpath
231.9 -422.2 M
169.523438 0 RL
stroke
grestore
(Key words for use in RFCs to Indicate) S
[/Rect [230.937943 -423.85 402.461365 -411.75] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2119)] Cd /ANN pdfmark
171.8 -434.3 M
gsave
newpath
171.8 -435.4 M
59.5585938 0 RL
stroke
grestore
(Requirement ) S
gsave
newpath
231.3 -435.4 M
29.3164062 0 RL
stroke
grestore
(Levels) S
[/Rect [170.769974 -437.050018 261.644958 -424.95] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2119)] Cd /ANN pdfmark
(,\234 BCP\24014, RFC\2402119, March\2401997 ) S
171.8 -447.5 M
(\() S
gsave
newpath
175.4 -448.6 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [174.43013 -450.250031 197.809036 -438.150024] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc2119.txt)] Cd /ANN pdfmark
(, ) S
gsave
newpath
202.3 -448.6 M
31.15625 0 RL
stroke
grestore
(HTML) S
[/Rect [201.309036 -450.250031 234.465286 -438.150024] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://xml.resource.org/public/rfc/html/rfc2119.html)] Cd /ANN pdfmark
(, ) S
gsave
newpath
239 -448.6 M
24.4375 0 RL
stroke
grestore
(XML) S
[/Rect [237.965286 -450.250031 264.402771 -438.150024] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://xml.resource.org/public/rfc/xml/rfc2119.xml)] Cd /ANN pdfmark
(\).) S
8 -469.2 M
([RFC3629]) S
[/View [/XYZ -4 842 null] /Dest /80 /DEST pdfmark
171.8 -469.2 M
(Yergeau, F., ) S
(\233) S
gsave
newpath
233.8 -470.4 M
174.996094 0 RL
stroke
grestore
(UTF-8, a transformation format of ISO ) S
[/Rect [232.766068 -472.0 409.762146 -459.9] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc3629.txt)] Cd /ANN pdfmark
171.8 -482.5 M
gsave
newpath
171.8 -483.6 M
27.5 0 RL
stroke
grestore
(10646) S
[/Rect [170.769974 -485.2 200.269974 -473.1] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc3629)] Cd /ANN pdfmark
(,\234 STD\24063, RFC\2403629, November\2402003 ) S
(\() S
gsave
newpath
378.3 -483.6 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [377.293396 -485.2 400.672302 -473.1] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc3629.txt)] Cd /ANN pdfmark
(\).) S
8 -504.2 M
([RFC4013]) S
[/View [/XYZ -4 842 null] /Dest /81 /DEST pdfmark
171.8 -504.2 M
(Zeilenga, K., ) S
(\233) S
gsave
newpath
236.8 -505.3 M
203.707031 0 RL
stroke
grestore
(SASLprep: Stringprep Profile for User Names) S
[/Rect [235.820755 -506.95 441.527771 -494.85] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc4013)] Cd /ANN pdfmark
171.8 -517.4 M
gsave
newpath
171.8 -518.5 M
18.6328125 0 RL
stroke
grestore
(and ) S
gsave
newpath
190.4 -518.5 M
46.4296875 0 RL
stroke
grestore
(Passwords) S
[/Rect [170.769974 -520.15 237.832474 -508.050018] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc4013)] Cd /ANN pdfmark
(,\234 RFC\2404013, February\2402005 ) S
(\() S
gsave
newpath
369.1 -518.5 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [368.109802 -520.15 391.488708 -508.050018] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc4013.txt)] Cd /ANN pdfmark
(\).) S
8 -539.1 M
([RFC4648]) S
[/View [/XYZ -4 842 null] /Dest /82 /DEST pdfmark
171.8 -539.1 M
(Josefsson, S., ) S
(\233) S
gsave
newpath
238.7 -540.2 M
172.882812 0 RL
stroke
grestore
(The Base16, Base32, and Base64 Data ) S
[/Rect [237.668411 -541.9 412.551208 -529.800049] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc4648)] Cd /ANN pdfmark
171.8 -552.4 M
gsave
newpath
171.8 -553.5 M
46.4335938 0 RL
stroke
grestore
(Encodings) S
[/Rect [170.769974 -555.100037 219.203568 -543.000061] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc4648)] Cd /ANN pdfmark
(,\234 RFC\2404648, October\2402006 ) S
(\() S
gsave
newpath
346.2 -553.5 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [345.203552 -555.100037 368.582458 -543.000061] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc4648.txt)] Cd /ANN pdfmark
(\).) S
8 -574.1 M
([RFC5234]) S
[/View [/XYZ -4 842 null] /Dest /83 /DEST pdfmark
171.8 -574.1 M
(Crocker, D. and P. Overell, ) S
(\233) S
gsave
newpath
299.7 -575.2 M
124.328125 0 RL
stroke
grestore
(Augmented BNF for Syntax) S
[/Rect [298.738708 -576.850037 425.066833 -564.750061] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5234)] Cd /ANN pdfmark
171.8 -587.3 M
gsave
newpath
171.8 -588.4 M
68.1054688 0 RL
stroke
grestore
(Specifications: ) S
gsave
newpath
239.9 -588.4 M
29.3320312 0 RL
stroke
grestore
(ABNF) S
[/Rect [170.769974 -590.050049 270.207458 -577.950073] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5234)] Cd /ANN pdfmark
(,\234 STD\24068, RFC\2405234, January\2402008 ) S
171.8 -600.5 M
(\() S
gsave
newpath
175.4 -601.6 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [174.43013 -603.250061 197.809036 -591.150085] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc5234.txt)] Cd /ANN pdfmark
(\).) S
8 -622.3 M
([RFC5246]) S
[/View [/XYZ -4 842 null] /Dest /84 /DEST pdfmark
171.8 -622.3 M
(Dierks, T. and E. Rescorla, ) S
(\233) S
gsave
newpath
298.5 -623.4 M
130.398438 0 RL
stroke
grestore
(The Transport Layer Security) S
[/Rect [297.516052 -625.000061 429.91449 -612.900085] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5246)] Cd /ANN pdfmark
171.8 -635.5 M
gsave
newpath
171.8 -636.6 M
107.203125 0 RL
stroke
grestore
(\(TLS\) Protocol Version ) S
gsave
newpath
279 -636.6 M
13.75 0 RL
stroke
grestore
(1.2) S
[/Rect [170.769974 -638.200073 293.723083 -626.100098] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5246)] Cd /ANN pdfmark
(,\234 RFC\2405246, August\2402008 ) S
171.8 -648.7 M
(\() S
gsave
newpath
175.4 -649.8 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [174.43013 -651.400085 197.809036 -639.30011] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc5246.txt)] Cd /ANN pdfmark
(\).) S
0 -657.4 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 22 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 23 23
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /85 /DEST pdfmark
0 -15.6 M
%%IncludeResource: font Times-Bold
13 2 Nf
(16.2.) S
[/View [/XYZ -4 757.0 null] /Dest /138 /DEST pdfmark
( Informative ) S
(References) S
8 -31.9 M
0.989316 0.989316 scale

-0.0 -11.0 RM
%%IncludeResource: font Times-Roman
11 0 Nf
([ISO.10646-1.1993]) S
[/View [/XYZ -4 842 null] /Dest /86 /DEST pdfmark
1.01079941 1.01079941 scale

112.2 -42.9 M
(International Organization for Standardization, \233Information Technology -) S
112.2 -56.1 M
(Universal Multiple-octet coded Character Set \(UCS\) - Part 1: Architecture) S
112.2 -69.3 M
(and Basic Multilingual Plane,\234 ISO\240Standard 10646-1, ) S
(May\2401993.) S
8 -91 M
([ITU.X690.1994]) S
[/View [/XYZ -4 842 null] /Dest /87 /DEST pdfmark
112.2 -91 M
(International Telecommunications Union, \233Information Technology -) S
112.2 -104.3 M
(ASN.1 encoding rules: Specification of Basic Encoding Rules \(BER\),) S
112.2 -117.5 M
(Canonical Encoding Rules \(CER\) and Distinguished Encoding Rules) S
112.2 -130.7 M
(\(DER\),\234 ITU-T\240Recommendation X.690, ) S
(1994.) S
8 -152.4 M
([RFC2617]) S
[/View [/XYZ -4 842 null] /Dest /88 /DEST pdfmark
112.2 -152.4 M
gsave
newpath
112.2 -153.5 M
35.4335938 0 RL
stroke
grestore
(Franks, ) S
gsave
newpath
147.7 -153.5 M
7.02734375 0 RL
stroke
grestore
(J.) S
(, ) S
gsave
newpath
160.2 -153.5 M
67.7929688 0 RL
stroke
grestore
(Hallam-Baker, ) S
gsave
newpath
228 -153.5 M
8.86328125 0 RL
stroke
grestore
(P.) S
(, ) S
gsave
newpath
242.4 -153.5 M
45.8085938 0 RL
stroke
grestore
(Hostetler, ) S
gsave
newpath
288.2 -153.5 M
7.02734375 0 RL
stroke
grestore
(J.) S
(, ) S
gsave
newpath
300.7 -153.5 M
48.8515625 0 RL
stroke
grestore
(Lawrence, ) S
gsave
newpath
349.5 -153.5 M
8.86328125 0 RL
stroke
grestore
(S.) S
(, ) S
gsave
newpath
363.9 -153.5 M
32.3671875 0 RL
stroke
grestore
(Leach, ) S
gsave
newpath
396.3 -153.5 M
8.86328125 0 RL
stroke
grestore
(P.) S
(,) S
112.2 -165.6 M
(Luotonen, A., and ) S
gsave
newpath
194.7 -166.7 M
12.21875 0 RL
stroke
grestore
(L. ) S
gsave
newpath
206.9 -166.7 M
33.5898438 0 RL
stroke
grestore
(Stewart) S
(, ) S
(\233) S
gsave
newpath
250.9 -166.7 M
175.9375 0 RL
stroke
grestore
(HTTP Authentication: Basic and Digest) S
[/Rect [249.914215 -168.349991 427.851715 -156.249985] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2617)] Cd /ANN pdfmark
112.2 -178.8 M
gsave
newpath
112.2 -179.9 M
33.8945312 0 RL
stroke
grestore
(Access ) S
gsave
newpath
146.1 -179.9 M
65.3632812 0 RL
stroke
grestore
(Authentication) S
[/Rect [111.242348 -181.549988 212.500153 -169.449982] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2617)] Cd /ANN pdfmark
(,\234 RFC\2402617, June\2401999 ) S
(\() S
gsave
newpath
324.2 -179.9 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [323.238434 -181.549988 346.61734 -169.449982] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc2617.txt)] Cd /ANN pdfmark
(, ) S
gsave
newpath
351.1 -179.9 M
31.15625 0 RL
stroke
grestore
(HTML) S
[/Rect [350.11734 -181.549988 383.27359 -169.449982] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://xml.resource.org/public/rfc/html/rfc2617.html)] Cd /ANN pdfmark
(, ) S
gsave
newpath
387.8 -179.9 M
24.4375 0 RL
stroke
grestore
(XML) S
[/Rect [386.77359 -181.549988 413.21109 -169.449982] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://xml.resource.org/public/rfc/xml/rfc2617.xml)] Cd /ANN pdfmark
(\).) S
8 -200.5 M
([RFC2818]) S
[/View [/XYZ -4 842 null] /Dest /89 /DEST pdfmark
112.2 -200.5 M
(Rescorla, E., ) S
(\233) S
gsave
newpath
176.1 -201.7 M
54.9765625 0 RL
stroke
grestore
(HTTP Over ) S
gsave
newpath
231 -201.7 M
19.5507812 0 RL
stroke
grestore
(TLS) S
[/Rect [175.070465 -203.299988 251.597809 -191.199982] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2818)] Cd /ANN pdfmark
(,\234 RFC\2402818, May\2402000 ) S
(\() S
gsave
newpath
363.3 -201.7 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [362.33609 -203.299988 385.715 -191.199982] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc2818.txt)] Cd /ANN pdfmark
(\).) S
8 -222.3 M
([RFC5280]) S
[/View [/XYZ -4 842 null] /Dest /90 /DEST pdfmark
112.2 -222.3 M
(Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W.) S
112.2 -235.5 M
(Polk, ) S
(\233) S
gsave
newpath
142.8 -236.6 M
295.597656 0 RL
stroke
grestore
(Internet X.509 Public Key Infrastructure Certificate and Certificate) S
[/Rect [141.793121 -238.249985 439.390778 -226.149979] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5280)] Cd /ANN pdfmark
112.2 -248.7 M
gsave
newpath
112.2 -249.8 M
104.160156 0 RL
stroke
grestore
(Revocation List \(CRL\) ) S
gsave
newpath
216.4 -249.8 M
29.9257812 0 RL
stroke
grestore
(Profile) S
[/Rect [111.242348 -251.449982 247.328278 -239.349976] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5280)] Cd /ANN pdfmark
(,\234 RFC\2405280, May\2402008 ) S
(\() S
gsave
newpath
359.1 -249.8 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [358.066559 -251.449982 381.445465 -239.349976] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc5280.txt)] Cd /ANN pdfmark
(\).) S
8 -270.4 M
([RFC5890]) S
[/View [/XYZ -4 842 null] /Dest /91 /DEST pdfmark
112.2 -270.4 M
(Klensin, J., ) S
(\233) S
gsave
newpath
169.4 -271.6 M
261.113281 0 RL
stroke
grestore
(Internationalized Domain Names for Applications \(IDNA\):) S
[/Rect [168.363434 -273.199982 431.476715 -261.099976] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5890)] Cd /ANN pdfmark
112.2 -283.6 M
gsave
newpath
112.2 -284.8 M
119.429688 0 RL
stroke
grestore
(Definitions and Document ) S
gsave
newpath
231.7 -284.8 M
50.6953125 0 RL
stroke
grestore
(Framework) S
[/Rect [111.242348 -286.4 283.36734 -274.3] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5890)] Cd /ANN pdfmark
(,\234 RFC\2405890, August\2402010 ) S
(\() S
gsave
newpath
406.7 -284.8 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [405.718903 -286.4 429.097809 -274.3] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc5890.txt)] Cd /ANN pdfmark
(\).) S
8 -305.4 M
([RFC5929]) S
[/View [/XYZ -4 842 null] /Dest /92 /DEST pdfmark
112.2 -305.4 M
(Altman, J., Williams, N., and L. Zhu, ) S
(\233) S
gsave
newpath
284.2 -306.5 M
97.4492188 0 RL
stroke
grestore
(Channel Bindings for ) S
gsave
newpath
381.7 -306.5 M
19.5507812 0 RL
stroke
grestore
(TLS) S
[/Rect [283.218903 -308.15 402.218903 -296.05] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5929)] Cd /ANN pdfmark
(,\234) S
112.2 -318.6 M
(RFC\2405929, July\2402010 ) S
(\() S
gsave
newpath
212.8 -319.7 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [211.769684 -321.35 235.14859 -309.25] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc5929.txt)] Cd /ANN pdfmark
(\).) S
0 -338.4 M
[/View [/XYZ -4 418.65 null] /Dest /93 /DEST pdfmark
0 -338.4 M
[/View [/XYZ -4 418.65 null] /Dest /94 /DEST pdfmark
0 -357.4 M
15 2 Nf
(Appendix) S
[/View [/XYZ -4 417.65 null] /Dest /139 /DEST pdfmark
( A. \(Normative\) Support Functions and ) S
(Notations) S
% Appendix A body: support functions and notations shared by several
% algorithm definitions. The heading marks this appendix as normative.
0 -381.6 M
11 0 Nf
1.49557292 0 32 0 0 (In this section we define several support functions and notations to be shared by several algorithm ) A
0 -394.8 M
(definitions:) S
% Number notation: decimal unless prefixed with "0x".
0 -419 M
(The integers in the specification are in decimal, or in hexadecimal when prefixed with ) S
("0x".) S
% octet(c): the one-octet string with code value c.  "|" on octet strings is
% concatenation.
0 -443.2 M
1.30009186 0 32 0 0 (The function octet\(c\) generates a single octet string whose code value is equal to c. The operator |,) A
0 -456.4 M
(when applied to octet strings, denotes the concatenation of two ) S
(operands.) S
% VI(n): variable-length integer, big-endian base 128. Every digit except the
% last is an octet in 0x80..0xff; the last digit is an octet in 0x00..0x7f.
% The first octet MUST NOT be 0x80. Since 0x80 is a leading digit of value
% zero, this rule is what keeps the encoding of each number unique.
% NOTE(review): a decoder that accepts a leading 0x80 would accept more than
% one octet string for the same number; the text states the rule for the
% encoding and does not say what a decoder must do with such input.
% \235 in the strings is presumably a range dash and \240 a no-break space in
% the font encoding (the full encoding vector is outside this chunk).
0 -480.6 M
1.88616073 0 32 0 0 (The function VI encodes natural numbers into octet strings in the following manner: numbers are) A
0 -493.8 M
0.163783476 0 32 0 0 (represented in big-endian radix-128 string, where each digit is represented by a octet within 0x80\2350xff) A
0 -507 M
0.217285156 0 32 0 0 (except the last digit represented by a octet within 0x00\2350x7f. The first octet MUST\240NOT be 0x80. For) A
0 -520.2 M
0.31266275 0 32 0 0 (example, VI\(i\) = octet\(i\) for i < 128, and VI\(i\) = octet\(0x80 + \(i >> 7\)\) | octet\(i & 127\) for 128 <= i <) A
0 -533.4 M
1.04848349 0 32 0 0 (16384. This encoding is the same as the one used for the subcomponents of object identifiers in ) A
% The gsave/newpath/RL/stroke/grestore groups appear to draw the underline of
% the hyperlinked words; the pdfmark lines attach an in-document link to
% destination /87, which is the [ITU.X690.1994] reference entry.
gsave
newpath
440.5 -534.5 M
13.4375 0 RL
stroke
grestore
1.04848349 0 32 0 0 (the) A
[/Rect [439.535156 -536.100098 454.972656 -524.000122] /Subtype /Link /Border [0 0 0] /Dest /87 /ANN pdfmark
0 -546.6 M
gsave
newpath
0 -547.7 M
33.7176323 0 RL
stroke
grestore
0.721540153 0 32 0 0 (ASN.1 ) A
gsave
newpath
33.7 -547.7 M
40.3203125 0 RL
stroke
grestore
0.721540153 0 32 0 0 (encoding) A
[/Rect [-1.0 -549.30011 75.0351562 -537.200134] /Subtype /Link /Border [0 0 0] /Dest /87 /ANN pdfmark
0.721540153 0 32 0 0 ( [ITU.X690.1994], and available as a "w" conversion in the pack function of several) A
0 -559.8 M
(scripting languages. ) S
% VS(s): length-prefixed octet string, VS(s) = VI(length(s)) | s. The text
% describes the result as self-delimited and uniquely decodable.
0 -584 M
1.15820312 0 32 0 0 (The function VS encodes a variable-length octet string into a uniquely-decoded, self-delimited octet) A
0 -597.2 M
(string, as in the following manner: ) S
0 -621.4 M
(VS\(s\) = VI\(length\(s\)\) | s ) S
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 23 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 24 24
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
% Continuation of the VS definition: length(s) counts octets, not characters.
% The "Caf<e acute>" example below shows the difference: 4 characters in
% UTF-8 give a length prefix of 5.
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(where length\(s\) is a number of octets \(not characters\) in s. ) S
0 -37.4 M
(Some ) S
(examples:) S
% Worked examples, printed in C string notation. Each "\\" in the PostScript
% source is one literal backslash on the page, so "\\316\\020" prints as the
% two octal escapes \316 \020.
% Check of VI(10000): 10000 = 78*128 + 16, giving octets 0x80+78 = 0xCE
% (octal 316) and 0x10 (octal 020).
% Check of VI(1000000): 1000000 = 61*16384 + 4*128 + 64, giving octets 0xBD
% (octal 275), 0x84 (octal 204) and 0x40 ("@").
11 -61.6 M
(VI\(0\) = "\\000" \(in C string ) S
(notation\)) S
11 -85.8 M
(VI\(100\) = ) S
("d") S
11 -110 M
(VI\(10000\) = ) S
("\\316\\020") S
11 -134.2 M
(VI\(1000000\) = ) S
("\\275\\204@") S
11 -158.4 M
(VS\(""\) = ) S
("\\000") S
11 -182.6 M
(VS\("Tea"\) = ) S
("\\003Tea") S
11 -206.8 M
(VS\("Caf<e acute>" [in UTF-8]\) = ) S
("\\005Caf\\303\\251") S
11 -231 M
(VS\([10000 "a"s]\) = "\\316\\020aaaaa..." \(10002 ) S
(octets\)) S
% Editorial note in the draft: a concatenation of VS-encoded strings is
% unique whatever characters the strings contain, unlike the colon-separated
% notation of Basic/Digest.
% NOTE(review): with a separator character, a field that itself contains the
% separator can make two different field lists join to the same string; the
% length prefix is what removes that ambiguity.
0 -255.2 M
2.7606535 0 32 0 0 ([Editorial note: Unlike the colon-separated notion used in the Basic/Digest HTTP authentication) A
0 -268.4 M
0.752790153 0 32 0 0 (scheme, the string generated by a concatenation of the VS-encoded strings will be unique, regardless) A
0 -281.6 M
(of the characters included in the strings to be encoded.] ) S
% OCTETS(n): the integer as a big-endian base-256 octet string of its
% "natural length". That term is defined in Section 3.1.3, which is outside
% this chunk; the link below points to in-document destination /28.
0 -305.8 M
1.48697913 0 32 0 0 (The function OCTETS converts an integer into the corresponding radix-256 big-endian octet string) A
0 -319 M
(having its natural length: See ) S
gsave
newpath
131 -320.1 M
57.7382812 0 RL
stroke
grestore
(Section\2403.1.3) S
[/Rect [130.035156 -321.750031 189.773438 -309.650024] /Subtype /Link /Border [0 0 0] /Dest /28 /ANN pdfmark
( for the definition of "natural length". ) S
0 -330 M
[/View [/XYZ -4 426.999969 null] /Dest /95 /DEST pdfmark
0 -330 M
[/View [/XYZ -4 426.999969 null] /Dest /96 /DEST pdfmark
0 -349 M
%%IncludeResource: font Times-Bold
15 2 Nf
(Appendix) S
[/View [/XYZ -4 425.999969 null] /Dest /140 /DEST pdfmark
( B. \(Informative\) Draft Remarks from ) S
(Authors) S
% Appendix B body (informative): items the authors still have under
% consideration for future revisions.
% Both items concern TLS-key validation: whether to keep it at all, and if it
% is kept, whether "tls-key" verification (Section 6) should use the TLS
% channel bindings of [RFC5929].
% NOTE(review): the "tls-key" verification is therefore not settled in this
% draft; implementers should check the current revision before relying on it.
0 -373.2 M
11 0 Nf
(The following items are currently under consideration for future revisions by the authors. ) S
11 -393.8 M
% Each gsave ... arc ... fill ... grestore group draws a filled circle of
% radius 2.75, used as the list bullet.
gsave
0 setgray
newpath
11.0 -393.77005 2.75 0 360 arc
closepath
fill
grestore
22 -397.4 M
(Whether to keep TLS-key validation or not. ) S
11 -408 M
gsave
0 setgray
newpath
11.0 -407.970062 2.75 0 360 arc
closepath
fill
grestore
22 -411.6 M
0.371419281 0 32 0 0 (When keeping tls-key validation, whether to use ) A
gsave
newpath
240.2 -412.7 M
64.4811172 0 RL
stroke
grestore
0.371419281 0 32 0 0 ("TLS channel ) A
gsave
newpath
304.7 -412.7 M
38.09375 0 RL
stroke
grestore
0.371419281 0 32 0 0 (binding") A
% Link to destination /92, the [RFC5929] reference entry.
[/Rect [239.234375 -414.350067 343.808594 -402.250061] /Subtype /Link /Border [0 0 0] /Dest /92 /ANN pdfmark
0.371419281 0 32 0 0 ( [RFC5929] for "tls-key") A
22 -424.8 M
4.10390615 0 32 0 0 (verification ) A
4.10390615 0 32 0 0 (\() A
gsave
newpath
83.2 -425.9 M
41.2382812 0 RL
stroke
grestore
4.10390615 0 32 0 0 (Section\2406) A
[/Rect [82.1992188 -427.550079 125.4375 -415.450073] /Subtype /Link /Border [0 0 0] /Dest /45 /ANN pdfmark
4.10390615 0 32 0 0 (\). Note that existing TLS implementations should be considered to) A
22 -438 M
(determine ) S
(this.) S
0 -449 M
[/View [/XYZ -4 307.999908 null] /Dest /97 /DEST pdfmark
0 -468 M
15 2 Nf
(Authors') S
[/View [/XYZ -4 306.999908 null] /Dest /141 /DEST pdfmark
( ) S
(Addresses) S
0 -493.3 M
11 0 Nf
(\240) S
44.6 -493.3 M
(Yutaka ) S
(Oiwa) S
0 -507.1 M
(\240) S
44.6 -507.1 M
(National Institute of Advanced Industrial Science and ) S
(Technology) S
0 -520.8 M
(\240) S
44.6 -520.8 M
(Research Institute for Secure ) S
(Systems) S
0 -534.6 M
(\240) S
44.6 -534.6 M
(Tsukuba Central ) S
(2) S
0 -548.3 M
(\240) S
44.6 -548.3 M
(1-1-1 ) S
(Umezono) S
0 -562.1 M
(\240) S
44.6 -562.1 M
(Tsukuba-shi, ) S
(Ibaraki) S
0 -575.8 M
(\240) S
44.6 -575.8 M
(JP) S
12.6 -589.6 M
(Email:\240) S
44.6 -589.6 M
gsave
newpath
44.6 -590.6 M
154.285156 0 RL
stroke
grestore
(mutual-auth-contact-ml@aist.go.jp) S
0 -603.3 M
(\240) S
44.6 -603.3 M
(\240) S
0 -617.1 M
(\240) S
44.6 -617.1 M
(Hajime ) S
(Watanabe) S
0 -630.8 M
(\240) S
44.6 -630.8 M
(National Institute of Advanced Industrial Science and ) S
(Technology) S
0 -644.6 M
(\240) S
44.6 -644.6 M
(\240) S
0 -658.3 M
(\240) S
44.6 -658.3 M
(Hiromitsu ) S
(Takagi) S
44.6 -658.3 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 24 -) S
0 setgray
89.3 -8 M
grestore
pgsave restore N
%%Page: 25 25
%%PageResources: font Times-Roman Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -11 M
%%IncludeResource: font Times-Roman
11 0 Nf
(\240) S
44.6 -11 M
(National Institute of Advanced Industrial Science and ) S
(Technology) S
0 -24.8 M
(\240) S
44.6 -24.8 M
(\240) S
0 -38.5 M
(\240) S
44.6 -38.5 M
(Boku ) S
(Kihara) S
0 -52.2 M
(\240) S
44.6 -52.2 M
(Lepidum Co. ) S
(Ltd.) S
0 -66 M
(\240) S
44.6 -66 M
(#602, Village Sasazuka ) S
(3) S
0 -79.8 M
(\240) S
44.6 -79.8 M
(1-30-3 ) S
(Sasazuka) S
0 -93.5 M
(\240) S
44.6 -93.5 M
(Shibuya-ku, ) S
(Tokyo) S
0 -107.2 M
(\240) S
44.6 -107.2 M
(JP) S
0 -121 M
(\240) S
44.6 -121 M
(\240) S
0 -134.8 M
(\240) S
44.6 -134.8 M
(Tatsuya ) S
(Hayashi) S
0 -148.5 M
(\240) S
44.6 -148.5 M
(Lepidum Co. ) S
(Ltd.) S
0 -162.2 M
(\240) S
44.6 -162.2 M
(\240) S
0 -176 M
(\240) S
44.6 -176 M
(Yuichi ) S
(Ioku) S
0 -189.8 M
(\240) S
44.6 -189.8 M
(Yahoo! Japan, ) S
(Inc.) S
0 -203.5 M
(\240) S
44.6 -203.5 M
(Midtown ) S
(Tower) S
0 -217.2 M
(\240) S
44.6 -217.2 M
(9-7-1 ) S
(Akasaka) S
0 -231 M
(\240) S
44.6 -231 M
(Minato-ku, ) S
(Tokyo) S
0 -244.8 M
(\240) S
44.6 -244.8 M
(JP) S
0 -258.5 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 25 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%EOF
