%!PS-Adobe-3.0
%%Title: Mutual Authentication Protocol for HTTP
%%Creator: html2ps version 1.0 beta5
%%CreationDate: Mon Jun  4 10:42:20 2012
%%DocumentNeededResources: font Times-Roman Times-Bold Courier Courier-Oblique
%%+ font Helvetica
%%DocumentData: Clean7Bit
%%Orientation: Portrait
%%BoundingBox: 0 0 596 842
%%Pages: 36
%%EndComments
%%BeginProlog
% Prolog shorthands emitted by html2ps: short aliases keep the page bodies
% compact.
% NOTE(review): a PostScript file is an executable program, not passive data.
% When a copy comes from an untrusted source, render it with the interpreter's
% file and device access restricted (for example Ghostscript's -dSAFER option).
% d: bind a procedure body and def it in one step.
/d {bind def} bind def
% D: plain def.  ie: ifelse.  E: exch.  t / f: the booleans true / false.
/D {def} d
/ie {ifelse} d
/E {exch} d
/t true D
/f false D
% FL: the font list. Nf (defined later in the prolog) selects a font by its
% zero-based position in this array, e.g. 0 = Times-Roman, 2 = Times-Bold,
% 8 = Helvetica.
/FL [/Times-Roman
/Times-Italic
/Times-Bold
/Times-BoldItalic
/Courier
/Courier-Oblique
/Courier-Bold
/Courier-BoldOblique
/Helvetica
/Helvetica-Oblique
/Helvetica-Bold
/Helvetica-BoldOblique] D
% Cd: turn a flat array [key value key value ...] into a dictionary.
% aload spreads the elements on the stack, length/2 gives the pair count,
% and that many defs run inside a fresh dict, which is left on the stack.
/Cd {aload length 2 idiv dup dict begin {D} repeat currentdict end} D
% reencodeISO: fontname -> fontname font
% Copies the named font's dictionary entry by entry, skipping /FID (which must
% not be carried into a new font), replaces /Encoding with the
% ISOLatin1Encoding array defined in this prolog, and registers the copy under
% the same name with definefont. The name and the new font are left on the
% stack; the setup section follows each call with D to bind them.
/reencodeISO {
 dup dup findfont dup length dict begin{1 index /FID ne{D}{pop pop}ie}forall
 /Encoding ISOLatin1Encoding D currentdict end definefont} D
% ISOLatin1Encoding: the encoding vector installed by reencodeISO, listed in
% character-code order starting at 0. This definition replaces any built-in
% array of the same name for the rest of the job.
/ISOLatin1Encoding [
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quoteright
/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash
/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon
/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N
/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright
/asciicircum/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m
/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef/.notdef
/.notdef/space/exclamdown/cent/sterling/currency/yen/brokenbar
/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot
/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior
/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine
/guillemotright/onequarter/onehalf/threequarters/questiondown
/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla
/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex
/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis
/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute
/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis
/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave
/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex
/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis
/yacute/thorn/ydieresis
] D
% Patch table: code/glyph-name pairs for slots 128-159 that the vector above
% leaves as .notdef (typographic quotes, dashes, dagger, oe, trademark, ...).
% Codes 128-130 give backslash and the two parentheses a second code,
% presumably so page strings can avoid escaping them - TODO confirm.
[128/backslash 129/parenleft 130/parenright 141/circumflex 142/tilde
143/perthousand 144/dagger 145/daggerdbl 146/Ydieresis 147/scaron 148/Scaron
149/oe 150/OE 151/guilsinglleft 152/guilsinglright 153/quotesinglbase
154/quotedblbase 155/quotedblleft 156/quotedblright 157/endash 158/emdash
159/trademark]
% Spread the pairs on the stack and, once per pair, discard the loop index
% and store the glyph name at its code in ISOLatin1Encoding.
aload length 2 idiv 1 1 3 -1 roll{pop ISOLatin1Encoding 3 1 roll put}for
% Fallback for interpreters without colorimage: only when the name is not
% already defined, install a replacement that renders through the grayscale
% image operator. It drops the two topmost operands, keeps the data-source
% procedure as Pr, and wraps it in a procedure that reads a sample string Cv,
% allocates Gr with one byte per three input bytes, and fills Gr with
% 0.299*first + 0.587*second + 0.114*third of each triple (the usual luminance
% weights, so the input is presumably interleaved RGB - confirm against the
% callers, none of which appear in this part of the file).
/colorimage where{pop}{
 /colorimage {
  pop pop /Pr E D {/Cv Pr D /Gr Cv length 3 idiv string D 0 1 Gr length 1 sub
   {Gr E dup /i E 3 mul D Cv i get 0.299 mul Cv i 1 add get 0.587 mul add
    Cv i 2 add get 0.114 mul add cvi put}for Gr} image} D
}ie
% Fallback for interpreters without pdfmark: define it in userdict as the
% cleartomark operator, so every "[ ... pdfmark" sequence in this file just
% discards its operands. Metadata, bookmarks and link annotations therefore
% only take effect where pdfmark is natively supported.
/pdfmark where{pop}{userdict /pdfmark /cleartomark load put}ie

% MySymbol: a Type 3 (procedurally drawn) font holding a single glyph, the
% euro sign. Nf selects it for any negative font index other than -1.
/MySymbol 10 dict dup begin
 % Glyph space is 1000 units per text-space unit (FontMatrix .001).
 /FontType 3 D /FontMatrix [.001 0 0 .001 0 0 ] D /FontBBox [25 -10 600 600] D
 % Every code maps to .notdef except the code of the letter "e", which is
 % mapped to the euro glyph.
 /Encoding 256 array D 0 1 255{Encoding exch /.notdef put}for
 Encoding (e) 0 get /euro put
 % Advance widths per glyph name.
 /Metrics 2 dict D Metrics begin
  /.notdef 0 D
  /euro 651 D
 end
 % Bounding boxes per glyph name, passed to setcachedevice by BuildChar.
 /BBox 2 dict D BBox begin
  /.notdef [0 0 0 0] D
  /euro [25 -10 600 600] D
 end
 % Drawing procedures per glyph name. The euro glyph first sets a clip
 % polygon, then strokes a full circle and two horizontal bars through it
 % with a line width of 50 units.
 /CharacterDefs 2 dict D CharacterDefs begin
  /.notdef {} D
  /euro{newpath 114 600 moveto 631 600 lineto 464 200 lineto 573 200 lineto
   573 0 lineto -94 0 lineto 31 300 lineto -10 300 lineto closepath clip
   50 setlinewidth newpath 656 300 moveto 381 300 275 0 360 arc stroke
   -19 350 moveto 600 0 rlineto -19 250 moveto 600 0 rlineto stroke}d
 end
 % BuildChar: fontdict char -> (glyph painted). The leading 0 is a
 % placeholder that the "put" two lines below overwrites with a private
 % 3-entry dictionary for the locals char, fontdict and charname.
 /BuildChar{0 begin
  /char E D /fontdict E D /charname fontdict /Encoding get char get D
  fontdict begin
   % width from Metrics, zero vertical advance, bounding box from BBox
   Metrics charname get 0 BBox charname get aload pop setcachedevice
   CharacterDefs charname get exec
  end
 end}D
 /BuildChar load 0 3 dict put /UniqueID 1 D
end
% Register the font; the resulting font dictionary is not needed here.
definefont pop
% Nf: size index -> (current font set)
% index >= 0 picks FL[index]; index -1 picks Symbol; any other negative index
% picks MySymbol. The font is scaled to "size" and made current, e.g.
% "11 0 Nf" selects the first FL entry at 11 units.
/Nf {dup 0 ge{FL E get}{-1 eq{/Symbol}{/MySymbol}ie}ie findfont
 E scalefont setfont} D
% IP: read hex-encoded data from the program text itself (currentfile) into
% the string picstr. picstr is not defined in this part of the file; it must
% be set up by whatever page code uses IP.
/IP {currentfile picstr readhexstring pop} D
% WF: flag tested in the setup section; true means every font in FL is
% re-encoded, false means only the entries from index 4 on.
/WF t D
% F: set to 1 here; no use is visible in this part of the file.
/F 1 D
% One-letter aliases used by the page bodies:
% N showpage, RL rlineto, S show, L lineto, M moveto, A awidthshow, RM rmoveto.
/N {showpage} d
/RL {rlineto} d
/S {show} d
/L {lineto} d
/M {moveto} d
/A {awidthshow} d
/RM {rmoveto} d
%%EndProlog
%%BeginSetup
%%PaperSize: A4
% Re-encode the text fonts with the prolog's ISOLatin1Encoding. With WF true,
% every name in FL is re-encoded and bound (by D) to its new font; otherwise
% only the entries from index 4 to the end of FL are.
WF{FL{reencodeISO D}forall}{4 1 FL length 1 sub{FL E get reencodeISO D}for}ie
% Make a private copy of the Symbol font (all entries except /FID), give it a
% fresh copy of its encoding array with code 128 set to the "therefore"
% glyph, and register the result under the name /Symbol again.
/Symbol dup dup findfont dup length dict begin
 {1 index /FID ne{D}{pop pop}ie}forall /Encoding [Encoding aload pop]
 dup 128 /therefore put D currentdict end definefont D
% Document-level pdfmark calls: metadata, initial view, and the bookmark
% (outline) tree. Each call is "[ key value ... /KIND pdfmark". Where the
% interpreter has no pdfmark, the prolog maps it to cleartomark and these
% lines have no effect.
% DOCINFO: document information fields (Author and Subject are empty).
[/Creator (html2ps version 1.0 beta5) /Author () /Keywords (HTTP, authentication) /Subject () /Title (Mutual Authentication Protocol for HTTP) /DOCINFO pdfmark
% DOCVIEW: open the document with the outline pane shown.
[/PageMode /UseOutlines /DOCVIEW pdfmark
% OUT: one bookmark per call, in reading order. /Dest names a destination that
% a /DEST pdfmark in the page bodies defines; /Count gives the number of
% entries nested under the bookmark (in the pdfmark convention a negative
% count means the entry is shown collapsed). Every target in this list is an
% in-document named destination.
[/Count 1 /Dest /161 /Title (Mutual Authentication Protocol for HTTP draft-oiwa-httpbis-mutualauth-00) /OUT pdfmark
[/Count 38 /Dest /162 /Title () /OUT pdfmark
[/Dest /162 /Title (Abstract) /OUT pdfmark
[/Dest /163 /Title (Status of this Memo) /OUT pdfmark
[/Dest /164 /Title (Copyright Notice) /OUT pdfmark
[/Dest /165 /Title (Table of Contents) /OUT pdfmark
[/Count -11 /Dest /166 /Title (1. Introduction) /OUT pdfmark
[/Dest /167 /Title (1.1. Relations to other technologies) /OUT pdfmark
[/Dest /168 /Title (1.1.1. Technologies updated or superceded by this proposal) /OUT pdfmark
[/Dest /169 /Title (1.1.1.1. HTTP Basic and Digest authentication) /OUT pdfmark
[/Dest /170 /Title (1.1.1.2. HTML Form authentication) /OUT pdfmark
[/Dest /171 /Title (1.1.2. Technologies not updated by this proposal) /OUT pdfmark
[/Dest /172 /Title (1.1.2.1. Federated identity/authorization management) /OUT pdfmark
[/Dest /173 /Title (1.1.2.2. HTTPS and HTTPS client-certificate authentication) /OUT pdfmark
[/Dest /174 /Title (1.1.2.3. Protocols for local identity-management frameworks) /OUT pdfmark
[/Dest /175 /Title (1.1.2.4. HTTP and HTTP authentication architecture) /OUT pdfmark
[/Dest /176 /Title (1.2. Terminology) /OUT pdfmark
[/Dest /177 /Title (1.3. Document Structure and Related Documents) /OUT pdfmark
[/Count -3 /Dest /178 /Title (2. Protocol Overview) /OUT pdfmark
[/Dest /179 /Title (2.1. Messages Overview) /OUT pdfmark
[/Dest /180 /Title (2.2. Typical Flows of the Protocol) /OUT pdfmark
[/Dest /181 /Title (2.3. Alternative Flows) /OUT pdfmark
[/Count -4 /Dest /182 /Title (3. Message Syntax) /OUT pdfmark
[/Dest /183 /Title (3.1. Values) /OUT pdfmark
[/Dest /184 /Title (3.1.1. Tokens) /OUT pdfmark
[/Dest /185 /Title (3.1.2. Strings) /OUT pdfmark
[/Dest /186 /Title (3.1.3. Numbers) /OUT pdfmark
[/Count -5 /Dest /187 /Title (4. Messages) /OUT pdfmark
[/Dest /188 /Title (4.1. 401-INIT and 401-STALE) /OUT pdfmark
[/Dest /189 /Title (4.2. req-KEX-C1) /OUT pdfmark
[/Dest /190 /Title (4.3. 401-KEX-S1) /OUT pdfmark
[/Dest /191 /Title (4.4. req-VFY-C) /OUT pdfmark
[/Dest /192 /Title (4.5. 200-VFY-S) /OUT pdfmark
[/Count -1 /Dest /193 /Title (5. Authentication Realms) /OUT pdfmark
[/Dest /194 /Title (5.1. Resolving Ambiguities) /OUT pdfmark
[/Dest /195 /Title (6. Session Management) /OUT pdfmark
[/Dest /196 /Title (7. Validation Methods) /OUT pdfmark
[/Dest /197 /Title (8. Authentication Extensions) /OUT pdfmark
[/Dest /198 /Title (9. Decision Procedure for Clients) /OUT pdfmark
[/Dest /199 /Title (10. Decision Procedure for Servers) /OUT pdfmark
[/Count -2 /Dest /200 /Title (11. Authentication Algorithms) /OUT pdfmark
[/Dest /201 /Title (11.1. Support Functions and Notations) /OUT pdfmark
[/Dest /202 /Title (11.2. Default Functions for Algorithms) /OUT pdfmark
[/Dest /203 /Title (12. Application Channel Binding) /OUT pdfmark
[/Dest /204 /Title (13. Application for Proxy Authentication) /OUT pdfmark
[/Dest /205 /Title (14. Methods to Extend This Protocol) /OUT pdfmark
[/Dest /206 /Title (15. IANA Considerations) /OUT pdfmark
[/Count -4 /Dest /207 /Title (16. Security Considerations) /OUT pdfmark
[/Dest /208 /Title (16.1. Security Properties) /OUT pdfmark
[/Dest /209 /Title (16.2. Denial-of-service Attacks to Servers) /OUT pdfmark
[/Dest /210 /Title (16.3. Implementation Considerations) /OUT pdfmark
[/Dest /211 /Title (16.4. Usage Considerations) /OUT pdfmark
[/Dest /212 /Title (17. Notice on Intellectual Properties) /OUT pdfmark
[/Count -2 /Dest /213 /Title (18. References) /OUT pdfmark
[/Dest /214 /Title (18.1. Normative References) /OUT pdfmark
[/Dest /215 /Title (18.2. Informative References) /OUT pdfmark
[/Dest /216 /Title (Appendix A. \(Informative\) Draft Remarks from Authors) /OUT pdfmark
[/Dest /217 /Title (Appendix B. \(Informative\) Draft Change Log) /OUT pdfmark
[/Dest /218 /Title (B.1. Changes in HttpBis Revision 00) /OUT pdfmark
[/Dest /219 /Title (B.2. Changes in Revision 12) /OUT pdfmark
[/Dest /220 /Title (B.3. Changes in Revision 11) /OUT pdfmark
[/Dest /221 /Title (B.4. Changes in Revision 10) /OUT pdfmark
[/Dest /222 /Title (B.5. Changes in Revision 09) /OUT pdfmark
[/Dest /223 /Title (B.6. Changes in Revision 08) /OUT pdfmark
[/Dest /224 /Title (B.7. Changes in Revision 07) /OUT pdfmark
[/Dest /225 /Title (B.8. Changes in Revision 06) /OUT pdfmark
[/Dest /226 /Title (B.9. Changes in Revision 05) /OUT pdfmark
[/Dest /227 /Title (B.10. Changes in Revision 04) /OUT pdfmark
[/Dest /228 /Title (B.11. Changes in Revision 03) /OUT pdfmark
[/Dest /229 /Title (B.12. Changes in Revision 02) /OUT pdfmark
[/Dest /230 /Title (B.13. Changes in Revision 01) /OUT pdfmark
[/Dest /231 /Title (Authors' Addresses) /OUT pdfmark
%%EndSetup
%%Page: 1 1
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
% Page 1: front-matter header, title, Abstract and Status of this Memo.
% The VM state is saved in pgsave and restored just before showpage, and the
% origin is moved to (71, 757) so that text y-coordinates count downwards
% from there as negative numbers.
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 0 M
% Named destination /0 at the top of the page.
[/View [/XYZ -4 842 null] /Dest /0 /DEST pdfmark
0 -0 M
save
% Two-column header: document status on the left (x = 2.5), authors,
% affiliations and date on the right (x = 209.9). A lone \240 (code 160, the
% second "space" slot of the prolog's encoding) fills empty left-hand cells.
2.5 -13.5 M
%%IncludeResource: font Times-Roman
11 0 Nf
(Internet Engineering Task ) S
(Force) S
209.9 -13.5 M
(Y. ) S
(Oiwa) S
2.5 -32.2 M
(Internet-Draft) S
209.9 -32.2 M
(H. ) S
(Watanabe) S
2.5 -51 M
(Intended status: Standards ) S
(Track) S
209.9 -51 M
(H. ) S
(Takagi) S
2.5 -69.8 M
(Expires: December 6, ) S
(2012) S
209.9 -69.8 M
(RISEC, ) S
(AIST) S
2.5 -88.5 M
(\240) S
209.9 -88.5 M
(B. ) S
(Kihara) S
2.5 -107.2 M
(\240) S
209.9 -107.2 M
(T. ) S
(Hayashi) S
2.5 -126 M
(\240) S
209.9 -126 M
(Lepidum) S
2.5 -144.8 M
(\240) S
209.9 -144.8 M
(Y. ) S
(Ioku) S
2.5 -163.5 M
(\240) S
209.9 -163.5 M
(Yahoo! ) S
(Japan) S
2.5 -182.2 M
(\240) S
209.9 -182.2 M
(June 4, ) S
(2012) S
0 -187.5 M
restore
227 -202.7 M
% Destination /161 is the target of the top-level bookmark.
[/View [/XYZ -4 842 null] /Dest /161 /DEST pdfmark
% Document title and draft name in font index 2 of FL at size 19.
54.5 -221.7 M
%%IncludeResource: font Times-Bold
19 2 Nf
(Mutual Authentication Protocol for ) S
(HTTP) S
89.3 -244.5 M
(draft-oiwa-httpbis-mutualauth-00) S
0 -274.5 M
15 2 Nf
(Abstract) S
[/View [/XYZ -4 500.5 null] /Dest /162 /DEST pdfmark
% Abstract body, set justified: every full line is shown with A
% (awidthshow), whose first operand is extra width added to each space
% (character code 32); the final line of the paragraph uses plain S.
% NOTE(review): the properties stated here (the server proves it holds the
% user's password-derived value; a rogue server learns nothing about the
% password) are the draft's claims. This page gives no mechanism; the table
% of contents lists "11. Authentication Algorithms" and "16. Security
% Considerations" as the sections to check them against.
0 -298.7 M
11 0 Nf
3.428267 0 32 0 0 (This document specifies a mutual authentication method for the Hyper-text Transport Protocol) A
0 -311.9 M
1.42717636 0 32 0 0 (\(HTTP\). This method provides a true mutual authentication between an HTTP client and an HTTP) A
0 -325.1 M
0.872514188 0 32 0 0 (server using password-based authentication. Unlike the Basic and Digest authentication methods, the) A
0 -338.3 M
0.794642866 0 32 0 0 (Mutual authentication method specified in this document assures the user that the server truly knows) A
0 -351.5 M
0.0869140625 0 32 0 0 (the user's encrypted password. This prevents common phishing attacks: a phishing attacker controlling) A
0 -364.7 M
0.398177087 0 32 0 0 (a fake website cannot convince a user that he authenticated to the genuine website. Furthermore, even) A
0 -377.9 M
1.0291667 0 32 0 0 (when a user authenticates to an illegitimate server, the server cannot gain any information about the) A
0 -391.1 M
0.26953125 0 32 0 0 (user's password. The Mutual authentication method is designed as an extension to the HTTP protocol,) A
0 -404.3 M
0.0888020843 0 32 0 0 (and is intended to replace the existing authentication methods used in HTTP \(the Basic method, Digest) A
0 -417.5 M
(method, and authentication using HTML forms\). ) S
% "Status of this Memo" heading; the destination mark sits between the words
% of the heading.
0 -447.5 M
15 2 Nf
(Status) S
[/View [/XYZ -4 327.499878 null] /Dest /163 /DEST pdfmark
( of this ) S
(Memo) S
0 -471.7 M
11 0 Nf
(This Internet-Draft is submitted in full conformance with the provisions of BCP\24078 and ) S
(BCP\24079.) S
0 -495.9 M
0.34375 0 32 0 0 (Internet-Drafts are working documents of the Internet Engineering Task Force \(IETF\). Note that other) A
0 -509.1 M
0.389423072 0 32 0 0 (groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is) A
0 -522.3 M
(at ) S
(http://datatracker.ietf.org/drafts/current/.) S
0 -546.5 M
0.275781244 0 32 0 0 (Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced,) A
0 -559.7 M
1.51927078 0 32 0 0 (or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference) A
0 -572.9 M
% \233 and \234 are codes 155 and 156, which the prolog's encoding patch maps
% to quotedblleft and quotedblright.
(material or to cite them other than as \233work in ) S
(progress.\234) S
0 -597.1 M
(This Internet-Draft will expire on December 6, ) S
(2012.) S
0 -609.1 M
% Page footer: page number in font index 8 of FL at size 8, drawn inside
% gsave/grestore so the body's graphics state is untouched.
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 1 -) S
0 setgray
0 -8 M
grestore
% Restore the saved VM state, then N (showpage) emits the page.
pgsave restore N
%%Page: 2 2
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
% Page 2, first part: Copyright Notice and the "Table of Contents" heading.
% The VM state is saved in pgsave and the origin moved to (71, 757); the
% matching restore and showpage come at the end of the page.
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -18 M
%%IncludeResource: font Times-Bold
15 2 Nf
(Copyright) S
% Destination /164 is the bookmark target for this heading.
[/View [/XYZ -4 757.0 null] /Dest /164 /DEST pdfmark
( ) S
(Notice) S
0 -42.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(Copyright \(c\) 2012 IETF Trust and the persons identified as the document authors. All rights ) S
(reserved.) S
% Justified licence paragraph: A (awidthshow) stretches each space by the
% leading operand; the last line uses S.
0 -66.4 M
3.1208334 0 32 0 0 (This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF) A
0 -79.6 M
1.34730113 0 32 0 0 (Documents \(http://trustee.ietf.org/license-info\) in effect on the date of publication of this document.) A
0 -92.8 M
0.819475472 0 32 0 0 (Please review these documents carefully, as they describe your rights and restrictions with respect to) A
0 -106 M
0.287109375 0 32 0 0 (this document. Code Components extracted from this document must include Simplified BSD License) A
0 -119.2 M
1.24951172 0 32 0 0 (text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as) A
0 -132.4 M
(described in the Simplified BSD ) S
(License.) S
0 -143.4 M
[/View [/XYZ -4 613.6 null] /Dest /1 /DEST pdfmark
0 -162.4 M
15 2 Nf
(Table) S
[/View [/XYZ -4 612.6 null] /Dest /165 /DEST pdfmark
( of ) S
(Contents) S
% Table of contents, entries 1 to 1.3. Every entry follows one pattern:
%   - move to the line start and show a run of \240 (code 160, a space slot
%     in the prolog's encoding) as indentation, four per nesting level;
%   - inside gsave/grestore, stroke a short horizontal rule that underlines
%     the section number; grestore puts the current point back so the text
%     continues where the indentation ended;
%   - show the section number;
%   - attach a /Link annotation (ANN pdfmark) whose /Rect covers the number
%     and whose /Dest is a named destination inside this document;
%   - show the section title.
0 -186.6 M
gsave
newpath
0 -187.7 M
8.25 0 RL
stroke
grestore
11 0 Nf
(1.) S
[/Rect [-1.0 -189.349991 9.25 -177.249985] /Subtype /Link /Border [0 0 0] /Dest /2 /ANN pdfmark
(\240 ) S
(Introduction) S
0 -199.8 M
(\240\240\240\240) S
gsave
newpath
11 -200.9 M
16.5 0 RL
stroke
grestore
(1.1.) S
[/Rect [10.0 -202.549988 28.5 -190.449982] /Subtype /Link /Border [0 0 0] /Dest /4 /ANN pdfmark
(\240 Relations to other ) S
(technologies) S
0 -213 M
(\240\240\240\240\240\240\240\240) S
gsave
newpath
22 -214.1 M
24.75 0 RL
stroke
grestore
(1.1.1.) S
[/Rect [21.0 -215.749985 47.75 -203.649979] /Subtype /Link /Border [0 0 0] /Dest /6 /ANN pdfmark
(\240 Technologies updated or superceded by this ) S
(proposal) S
0 -226.2 M
(\240\240\240\240\240\240\240\240\240\240\240\240) S
gsave
newpath
33 -227.3 M
33.0 0 RL
stroke
grestore
(1.1.1.1.) S
[/Rect [32.0 -228.949982 67.0 -216.849976] /Subtype /Link /Border [0 0 0] /Dest /8 /ANN pdfmark
(\240 HTTP Basic and Digest ) S
(authentication) S
0 -239.4 M
(\240\240\240\240\240\240\240\240\240\240\240\240) S
gsave
newpath
33 -240.5 M
33.0 0 RL
stroke
grestore
(1.1.1.2.) S
[/Rect [32.0 -242.149979 67.0 -230.049973] /Subtype /Link /Border [0 0 0] /Dest /10 /ANN pdfmark
(\240 HTML Form ) S
(authentication) S
0 -252.6 M
(\240\240\240\240\240\240\240\240) S
gsave
newpath
22 -253.7 M
24.75 0 RL
stroke
grestore
(1.1.2.) S
[/Rect [21.0 -255.349976 47.75 -243.249969] /Subtype /Link /Border [0 0 0] /Dest /12 /ANN pdfmark
(\240 Technologies not updated by this ) S
(proposal) S
0 -265.8 M
(\240\240\240\240\240\240\240\240\240\240\240\240) S
gsave
newpath
33 -266.9 M
33.0 0 RL
stroke
grestore
(1.1.2.1.) S
[/Rect [32.0 -268.55 67.0 -256.449982] /Subtype /Link /Border [0 0 0] /Dest /14 /ANN pdfmark
(\240 Federated identity/authorization ) S
(management) S
0 -279 M
(\240\240\240\240\240\240\240\240\240\240\240\240) S
gsave
newpath
33 -280.1 M
33.0 0 RL
stroke
grestore
(1.1.2.2.) S
[/Rect [32.0 -281.75 67.0 -269.65] /Subtype /Link /Border [0 0 0] /Dest /16 /ANN pdfmark
(\240 HTTPS and HTTPS client-certificate ) S
(authentication) S
0 -292.2 M
(\240\240\240\240\240\240\240\240\240\240\240\240) S
gsave
newpath
33 -293.3 M
33.0 0 RL
stroke
grestore
(1.1.2.3.) S
[/Rect [32.0 -294.95 67.0 -282.85] /Subtype /Link /Border [0 0 0] /Dest /18 /ANN pdfmark
(\240 Protocols for local identity-management ) S
(frameworks) S
0 -305.4 M
(\240\240\240\240\240\240\240\240\240\240\240\240) S
gsave
newpath
33 -306.5 M
33.0 0 RL
stroke
grestore
(1.1.2.4.) S
[/Rect [32.0 -308.150024 67.0 -296.050018] /Subtype /Link /Border [0 0 0] /Dest /20 /ANN pdfmark
(\240 HTTP and HTTP authentication ) S
(architecture) S
0 -318.6 M
(\240\240\240\240) S
gsave
newpath
11 -319.7 M
16.5 0 RL
stroke
grestore
(1.2.) S
[/Rect [10.0 -321.350037 28.5 -309.250031] /Subtype /Link /Border [0 0 0] /Dest /22 /ANN pdfmark
(\240 ) S
(Terminology) S
0 -331.8 M
(\240\240\240\240) S
gsave
newpath
11 -332.9 M
16.5 0 RL
stroke
grestore
(1.3.) S
[/Rect [10.0 -334.550049 28.5 -322.450043] /Subtype /Link /Border [0 0 0] /Dest /24 /ANN pdfmark
(\240 Document Structure and Related ) S
(Documents) S
% Table of contents, entries 2 to 3.1.3. Per entry: optional \240 indentation,
% an underline for the section number stroked inside gsave/grestore, the
% number, a /Link annotation (ANN pdfmark) with an in-document /Dest, and the
% title.
0 -345 M
gsave
newpath
0 -346.1 M
8.25 0 RL
stroke
grestore
(2.) S
[/Rect [-1.0 -347.750061 9.25 -335.650055] /Subtype /Link /Border [0 0 0] /Dest /26 /ANN pdfmark
(\240 Protocol ) S
(Overview) S
0 -358.2 M
(\240\240\240\240) S
gsave
newpath
11 -359.3 M
16.5 0 RL
stroke
grestore
(2.1.) S
[/Rect [10.0 -360.950073 28.5 -348.850067] /Subtype /Link /Border [0 0 0] /Dest /28 /ANN pdfmark
(\240 Messages ) S
(Overview) S
0 -371.4 M
(\240\240\240\240) S
gsave
newpath
11 -372.5 M
16.5 0 RL
stroke
grestore
(2.2.) S
[/Rect [10.0 -374.150085 28.5 -362.050079] /Subtype /Link /Border [0 0 0] /Dest /30 /ANN pdfmark
(\240 Typical Flows of the ) S
(Protocol) S
0 -384.6 M
(\240\240\240\240) S
gsave
newpath
11 -385.7 M
16.5 0 RL
stroke
grestore
(2.3.) S
[/Rect [10.0 -387.350098 28.5 -375.250092] /Subtype /Link /Border [0 0 0] /Dest /33 /ANN pdfmark
(\240 Alternative ) S
(Flows) S
0 -397.8 M
gsave
newpath
0 -398.9 M
8.25 0 RL
stroke
grestore
(3.) S
[/Rect [-1.0 -400.55011 9.25 -388.450104] /Subtype /Link /Border [0 0 0] /Dest /36 /ANN pdfmark
(\240 Message ) S
(Syntax) S
0 -411 M
(\240\240\240\240) S
gsave
newpath
11 -412.1 M
16.5 0 RL
stroke
grestore
(3.1.) S
[/Rect [10.0 -413.750122 28.5 -401.650116] /Subtype /Link /Border [0 0 0] /Dest /38 /ANN pdfmark
(\240 ) S
(Values) S
0 -424.2 M
(\240\240\240\240\240\240\240\240) S
gsave
newpath
22 -425.3 M
24.75 0 RL
stroke
grestore
(3.1.1.) S
[/Rect [21.0 -426.950134 47.75 -414.850128] /Subtype /Link /Border [0 0 0] /Dest /40 /ANN pdfmark
(\240 ) S
(Tokens) S
0 -437.4 M
(\240\240\240\240\240\240\240\240) S
gsave
newpath
22 -438.5 M
24.75 0 RL
stroke
grestore
(3.1.2.) S
[/Rect [21.0 -440.150146 47.75 -428.05014] /Subtype /Link /Border [0 0 0] /Dest /43 /ANN pdfmark
(\240 ) S
(Strings) S
0 -450.6 M
(\240\240\240\240\240\240\240\240) S
gsave
newpath
22 -451.7 M
24.75 0 RL
stroke
grestore
(3.1.3.) S
[/Rect [21.0 -453.350159 47.75 -441.250153] /Subtype /Link /Border [0 0 0] /Dest /45 /ANN pdfmark
(\240 ) S
(Numbers) S
% Table of contents, entries 4 to 6 (the protocol messages 401-INIT/401-STALE,
% req-KEX-C1, 401-KEX-S1, req-VFY-C, 200-VFY-S, then realms and session
% management). Per entry: optional \240 indentation, an underline for the
% section number stroked inside gsave/grestore, the number, a /Link
% annotation (ANN pdfmark) with an in-document /Dest, and the title.
0 -463.8 M
gsave
newpath
0 -464.9 M
8.25 0 RL
stroke
grestore
(4.) S
[/Rect [-1.0 -466.550171 9.25 -454.450165] /Subtype /Link /Border [0 0 0] /Dest /48 /ANN pdfmark
(\240 ) S
(Messages) S
0 -477 M
(\240\240\240\240) S
gsave
newpath
11 -478.1 M
16.5 0 RL
stroke
grestore
(4.1.) S
[/Rect [10.0 -479.750183 28.5 -467.650177] /Subtype /Link /Border [0 0 0] /Dest /50 /ANN pdfmark
(\240 401-INIT and ) S
(401-STALE) S
0 -490.2 M
(\240\240\240\240) S
gsave
newpath
11 -491.3 M
16.5 0 RL
stroke
grestore
(4.2.) S
[/Rect [10.0 -492.950195 28.5 -480.850189] /Subtype /Link /Border [0 0 0] /Dest /52 /ANN pdfmark
(\240 ) S
(req-KEX-C1) S
0 -503.4 M
(\240\240\240\240) S
gsave
newpath
11 -504.5 M
16.5 0 RL
stroke
grestore
(4.3.) S
[/Rect [10.0 -506.150208 28.5 -494.050201] /Subtype /Link /Border [0 0 0] /Dest /54 /ANN pdfmark
(\240 ) S
(401-KEX-S1) S
0 -516.6 M
(\240\240\240\240) S
gsave
newpath
11 -517.7 M
16.5 0 RL
stroke
grestore
(4.4.) S
[/Rect [10.0 -519.35022 28.5 -507.250214] /Subtype /Link /Border [0 0 0] /Dest /56 /ANN pdfmark
(\240 ) S
(req-VFY-C) S
0 -529.8 M
(\240\240\240\240) S
gsave
newpath
11 -530.9 M
16.5 0 RL
stroke
grestore
(4.5.) S
[/Rect [10.0 -532.550232 28.5 -520.450256] /Subtype /Link /Border [0 0 0] /Dest /58 /ANN pdfmark
(\240 ) S
(200-VFY-S) S
0 -543 M
gsave
newpath
0 -544.1 M
8.25 0 RL
stroke
grestore
(5.) S
[/Rect [-1.0 -545.750244 9.25 -533.650269] /Subtype /Link /Border [0 0 0] /Dest /60 /ANN pdfmark
(\240 Authentication ) S
(Realms) S
0 -556.2 M
(\240\240\240\240) S
gsave
newpath
11 -557.3 M
16.5 0 RL
stroke
grestore
(5.1.) S
[/Rect [10.0 -558.950256 28.5 -546.850281] /Subtype /Link /Border [0 0 0] /Dest /62 /ANN pdfmark
(\240 Resolving ) S
(Ambiguities) S
0 -569.4 M
gsave
newpath
0 -570.5 M
8.25 0 RL
stroke
grestore
(6.) S
[/Rect [-1.0 -572.150269 9.25 -560.050293] /Subtype /Link /Border [0 0 0] /Dest /64 /ANN pdfmark
(\240 Session ) S
(Management) S
% Table of contents, entries 7 to 11.2, followed by the footer and the end of
% page 2. Per entry: optional \240 indentation, an underline for the section
% number stroked inside gsave/grestore, the number, a /Link annotation (ANN
% pdfmark) with an in-document /Dest, and the title.
0 -582.6 M
gsave
newpath
0 -583.7 M
8.25 0 RL
stroke
grestore
(7.) S
[/Rect [-1.0 -585.350281 9.25 -573.250305] /Subtype /Link /Border [0 0 0] /Dest /66 /ANN pdfmark
(\240 Validation ) S
(Methods) S
0 -595.8 M
gsave
newpath
0 -596.9 M
8.25 0 RL
stroke
grestore
(8.) S
[/Rect [-1.0 -598.550293 9.25 -586.450317] /Subtype /Link /Border [0 0 0] /Dest /68 /ANN pdfmark
(\240 Authentication ) S
(Extensions) S
0 -609 M
gsave
newpath
0 -610.1 M
8.25 0 RL
stroke
grestore
(9.) S
[/Rect [-1.0 -611.750305 9.25 -599.65033] /Subtype /Link /Border [0 0 0] /Dest /70 /ANN pdfmark
(\240 Decision Procedure for ) S
(Clients) S
0 -622.2 M
gsave
newpath
0 -623.3 M
13.75 0 RL
stroke
grestore
(10.) S
[/Rect [-1.0 -624.950317 14.75 -612.850342] /Subtype /Link /Border [0 0 0] /Dest /73 /ANN pdfmark
(\240 Decision Procedure for ) S
(Servers) S
0 -635.4 M
gsave
newpath
0 -636.5 M
13.75 0 RL
stroke
grestore
(11.) S
[/Rect [-1.0 -638.15033 14.75 -626.050354] /Subtype /Link /Border [0 0 0] /Dest /75 /ANN pdfmark
(\240 Authentication ) S
(Algorithms) S
0 -648.6 M
(\240\240\240\240) S
gsave
newpath
11 -649.7 M
22.0 0 RL
stroke
grestore
(11.1.) S
[/Rect [10.0 -651.350342 34.0 -639.250366] /Subtype /Link /Border [0 0 0] /Dest /77 /ANN pdfmark
(\240 Support Functions and ) S
(Notations) S
0 -661.8 M
(\240\240\240\240) S
gsave
newpath
11 -662.9 M
22.0 0 RL
stroke
grestore
(11.2.) S
[/Rect [10.0 -664.550354 34.0 -652.450378] /Subtype /Link /Border [0 0 0] /Dest /79 /ANN pdfmark
(\240 Default Functions for ) S
(Algorithms) S
0 -661.8 M
% Page footer: page number in font index 8 of FL at size 8, isolated by
% gsave/grestore.
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 2 -) S
0 setgray
0 -8 M
grestore
% Restore the VM state saved in pgsave at the top of the page, then N
% (showpage) emits the page.
pgsave restore N
%%Page: 3 3
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
% Page 3, first part: table of contents continued, entries 12 to Appendix A.
% The VM state is saved in pgsave and the origin moved to (71, 757); the
% matching restore and showpage come at the end of the page.
% Per entry: optional \240 indentation, an underline for the section number
% stroked inside gsave/grestore, the number, a /Link annotation (ANN pdfmark)
% with an in-document /Dest, and the title.
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
gsave
newpath
0 -14.3 M
13.75 0 RL
stroke
grestore
%%IncludeResource: font Times-Roman
11 0 Nf
(12.) S
[/Rect [-1.0 -15.9500008 14.75 -3.85000038] /Subtype /Link /Border [0 0 0] /Dest /81 /ANN pdfmark
(\240 Application Channel ) S
(Binding) S
0 -26.4 M
gsave
newpath
0 -27.5 M
13.75 0 RL
stroke
grestore
11 0 Nf
(13.) S
[/Rect [-1.0 -29.1500015 14.75 -17.0500011] /Subtype /Link /Border [0 0 0] /Dest /83 /ANN pdfmark
(\240 Application for Proxy ) S
(Authentication) S
0 -39.6 M
gsave
newpath
0 -40.7 M
13.75 0 RL
stroke
grestore
(14.) S
[/Rect [-1.0 -42.3500023 14.75 -30.2500019] /Subtype /Link /Border [0 0 0] /Dest /85 /ANN pdfmark
(\240 Methods to Extend This ) S
(Protocol) S
0 -52.8 M
gsave
newpath
0 -53.9 M
13.75 0 RL
stroke
grestore
(15.) S
[/Rect [-1.0 -55.5500031 14.75 -43.4500046] /Subtype /Link /Border [0 0 0] /Dest /87 /ANN pdfmark
(\240 IANA ) S
(Considerations) S
0 -66 M
gsave
newpath
0 -67.1 M
13.75 0 RL
stroke
grestore
(16.) S
[/Rect [-1.0 -68.75 14.75 -56.65] /Subtype /Link /Border [0 0 0] /Dest /89 /ANN pdfmark
(\240 Security ) S
(Considerations) S
0 -79.2 M
(\240\240\240\240) S
gsave
newpath
11 -80.3 M
22.0 0 RL
stroke
grestore
(16.1.) S
[/Rect [10.0 -81.95 34.0 -69.85] /Subtype /Link /Border [0 0 0] /Dest /91 /ANN pdfmark
(\240 Security ) S
(Properties) S
0 -92.4 M
(\240\240\240\240) S
gsave
newpath
11 -93.5 M
22.0 0 RL
stroke
grestore
(16.2.) S
[/Rect [10.0 -95.1499939 34.0 -83.0499954] /Subtype /Link /Border [0 0 0] /Dest /93 /ANN pdfmark
(\240 Denial-of-service Attacks to ) S
(Servers) S
0 -105.6 M
(\240\240\240\240) S
gsave
newpath
11 -106.7 M
22.0 0 RL
stroke
grestore
(16.3.) S
[/Rect [10.0 -108.349991 34.0 -96.2499924] /Subtype /Link /Border [0 0 0] /Dest /95 /ANN pdfmark
(\240 Implementation ) S
(Considerations) S
0 -118.8 M
(\240\240\240\240) S
gsave
newpath
11 -119.9 M
22.0 0 RL
stroke
grestore
(16.4.) S
[/Rect [10.0 -121.549988 34.0 -109.449989] /Subtype /Link /Border [0 0 0] /Dest /97 /ANN pdfmark
(\240 Usage ) S
(Considerations) S
0 -132 M
gsave
newpath
0 -133.1 M
13.75 0 RL
stroke
grestore
(17.) S
[/Rect [-1.0 -134.749985 14.75 -122.649986] /Subtype /Link /Border [0 0 0] /Dest /99 /ANN pdfmark
(\240 Notice on Intellectual ) S
(Properties) S
0 -145.2 M
gsave
newpath
0 -146.3 M
13.75 0 RL
stroke
grestore
% Entries 18 and 18.1 below both link to destination /103.
(18.) S
[/Rect [-1.0 -147.949982 14.75 -135.849976] /Subtype /Link /Border [0 0 0] /Dest /103 /ANN pdfmark
(\240 ) S
(References) S
0 -158.4 M
(\240\240\240\240) S
gsave
newpath
11 -159.5 M
22.0 0 RL
stroke
grestore
(18.1.) S
[/Rect [10.0 -161.149979 34.0 -149.049973] /Subtype /Link /Border [0 0 0] /Dest /103 /ANN pdfmark
(\240 Normative ) S
(References) S
0 -171.6 M
(\240\240\240\240) S
gsave
newpath
11 -172.7 M
22.0 0 RL
stroke
grestore
(18.2.) S
[/Rect [10.0 -174.349976 34.0 -162.249969] /Subtype /Link /Border [0 0 0] /Dest /113 /ANN pdfmark
(\240 Informative ) S
(References) S
0 -184.8 M
gsave
newpath
0 -185.9 M
56.8203125 0 RL
stroke
grestore
(Appendix\240A.) S
[/Rect [-1.0 -187.549973 57.8203125 -175.449966] /Subtype /Link /Border [0 0 0] /Dest /130 /ANN pdfmark
(\240 \(Informative\) Draft Remarks from ) S
(Authors) S
% Table of contents, final entries: Appendix B, its change-log subsections
% B.1 to B.13, and Authors' Addresses (labelled with \247, code 167, the
% "section" glyph in the prolog's encoding). Per entry: optional \240
% indentation, an underline for the label stroked inside gsave/grestore, the
% label, a /Link annotation (ANN pdfmark) with an in-document /Dest, and the
% title.
0 -198 M
gsave
newpath
0 -199.1 M
56.2148438 0 RL
stroke
grestore
(Appendix\240B.) S
[/Rect [-1.0 -200.749969 57.2148438 -188.649963] /Subtype /Link /Border [0 0 0] /Dest /132 /ANN pdfmark
(\240 \(Informative\) Draft Change ) S
(Log) S
0 -211.2 M
(\240\240\240\240) S
gsave
newpath
11 -212.3 M
18.3359375 0 RL
stroke
grestore
(B.1.) S
[/Rect [10.0 -213.949966 30.3359375 -201.84996] /Subtype /Link /Border [0 0 0] /Dest /134 /ANN pdfmark
(\240 Changes in HttpBis Revision ) S
(00) S
0 -224.4 M
(\240\240\240\240) S
gsave
newpath
11 -225.5 M
18.3359375 0 RL
stroke
grestore
(B.2.) S
[/Rect [10.0 -227.149963 30.3359375 -215.049957] /Subtype /Link /Border [0 0 0] /Dest /136 /ANN pdfmark
(\240 Changes in Revision ) S
(12) S
0 -237.6 M
(\240\240\240\240) S
gsave
newpath
11 -238.7 M
18.3359375 0 RL
stroke
grestore
(B.3.) S
[/Rect [10.0 -240.34996 30.3359375 -228.249954] /Subtype /Link /Border [0 0 0] /Dest /138 /ANN pdfmark
(\240 Changes in Revision ) S
(11) S
0 -250.8 M
(\240\240\240\240) S
gsave
newpath
11 -251.9 M
18.3359375 0 RL
stroke
grestore
(B.4.) S
[/Rect [10.0 -253.549957 30.3359375 -241.449951] /Subtype /Link /Border [0 0 0] /Dest /140 /ANN pdfmark
(\240 Changes in Revision ) S
(10) S
0 -264 M
(\240\240\240\240) S
gsave
newpath
11 -265.1 M
18.3359375 0 RL
stroke
grestore
(B.5.) S
[/Rect [10.0 -266.749969 30.3359375 -254.649963] /Subtype /Link /Border [0 0 0] /Dest /142 /ANN pdfmark
(\240 Changes in Revision ) S
(09) S
0 -277.2 M
(\240\240\240\240) S
gsave
newpath
11 -278.3 M
18.3359375 0 RL
stroke
grestore
(B.6.) S
[/Rect [10.0 -279.949982 30.3359375 -267.849976] /Subtype /Link /Border [0 0 0] /Dest /144 /ANN pdfmark
(\240 Changes in Revision ) S
(08) S
0 -290.4 M
(\240\240\240\240) S
gsave
newpath
11 -291.5 M
18.3359375 0 RL
stroke
grestore
(B.7.) S
[/Rect [10.0 -293.15 30.3359375 -281.05] /Subtype /Link /Border [0 0 0] /Dest /146 /ANN pdfmark
(\240 Changes in Revision ) S
(07) S
0 -303.6 M
(\240\240\240\240) S
gsave
newpath
11 -304.7 M
18.3359375 0 RL
stroke
grestore
(B.8.) S
[/Rect [10.0 -306.35 30.3359375 -294.25] /Subtype /Link /Border [0 0 0] /Dest /148 /ANN pdfmark
(\240 Changes in Revision ) S
(06) S
0 -316.8 M
(\240\240\240\240) S
gsave
newpath
11 -317.9 M
18.3359375 0 RL
stroke
grestore
(B.9.) S
[/Rect [10.0 -319.550018 30.3359375 -307.45] /Subtype /Link /Border [0 0 0] /Dest /150 /ANN pdfmark
(\240 Changes in Revision ) S
(05) S
0 -330 M
(\240\240\240\240) S
gsave
newpath
11 -331.1 M
23.8359375 0 RL
stroke
grestore
(B.10.) S
[/Rect [10.0 -332.750031 35.8359375 -320.650024] /Subtype /Link /Border [0 0 0] /Dest /152 /ANN pdfmark
(\240 Changes in Revision ) S
(04) S
0 -343.2 M
(\240\240\240\240) S
gsave
newpath
11 -344.3 M
23.8359375 0 RL
stroke
grestore
(B.11.) S
[/Rect [10.0 -345.950043 35.8359375 -333.850037] /Subtype /Link /Border [0 0 0] /Dest /154 /ANN pdfmark
(\240 Changes in Revision ) S
(03) S
0 -356.4 M
(\240\240\240\240) S
gsave
newpath
11 -357.5 M
23.8359375 0 RL
stroke
grestore
(B.12.) S
[/Rect [10.0 -359.150055 35.8359375 -347.050049] /Subtype /Link /Border [0 0 0] /Dest /156 /ANN pdfmark
(\240 Changes in Revision ) S
(02) S
0 -369.6 M
(\240\240\240\240) S
gsave
newpath
11 -370.7 M
23.8359375 0 RL
stroke
grestore
(B.13.) S
[/Rect [10.0 -372.350067 35.8359375 -360.250061] /Subtype /Link /Border [0 0 0] /Dest /158 /ANN pdfmark
(\240 Changes in Revision ) S
(01) S
0 -382.8 M
gsave
newpath
0 -383.9 M
5.5 0 RL
stroke
grestore
(\247) S
[/Rect [-1.0 -385.550079 6.5 -373.450073] /Subtype /Link /Border [0 0 0] /Dest /160 /ANN pdfmark
(\240 Authors' ) S
(Addresses) S
% Page 3, last part: start of section 1 (Introduction), then the footer and
% the end of the page.
% Destinations /2 and /3 are defined at the same position; /2 is the target of
% the table-of-contents link for "1.".
0 -393.8 M
[/View [/XYZ -4 363.199921 null] /Dest /2 /DEST pdfmark
0 -393.8 M
[/View [/XYZ -4 363.199921 null] /Dest /3 /DEST pdfmark
0 -412.8 M
%%IncludeResource: font Times-Bold
15 2 Nf
(1.) S
% Destination /166 is the bookmark target for this heading.
[/View [/XYZ -4 362.199921 null] /Dest /166 /DEST pdfmark
( ) S
(Introduction) S
% Body text, set justified: A (awidthshow) adds its first operand to the
% width of every space (character code 32); paragraph-final lines use S.
0 -437 M
11 0 Nf
0.901988626 0 32 0 0 (This document specifies a mutual authentication method for Hyper-Text Transport Protocol \(HTTP\).) A
0 -450.2 M
3.13020825 0 32 0 0 (The method, called "Mutual Authentication Protocol" in this document, provides a true mutual) A
0 -463.4 M
2.5744791 0 32 0 0 (authentication between an HTTP client and an HTTP server, using just a simple password as a) A
0 -476.6 M
(credential. ) S
0 -500.8 M
4.390625 0 32 0 0 (The currently available methods for authentication in HTTP and Web systems have several) A
0 -514 M
2.42936206 0 32 0 0 (deficiencies. The ) A
% The phrase "Basic authentication method" is underlined in two stroked
% segments and covered by one /Link annotation pointing to destination /121
% (presumably the [RFC2617] reference entry, which lies outside this part of
% the file).
gsave
newpath
82.7 -515.1 M
97.0970078 0 RL
stroke
grestore
2.42936206 0 32 0 0 (Basic authentication ) A
gsave
newpath
179.8 -515.1 M
32.9921875 0 RL
stroke
grestore
2.42936206 0 32 0 0 (method) A
[/Rect [81.71875 -516.750122 213.800781 -504.650116] /Subtype /Link /Border [0 0 0] /Dest /121 /ANN pdfmark
2.42936206 0 32 0 0 ( [RFC2617] sends a plaintext password to a server) A
0 -527.2 M
5.24879789 0 32 0 0 (without any protection; the Digest method uses a hash function that suffers from simple) A
0 -540.4 M
(dictionary-based off-line attacks, and people have begun to think it is obsolete. ) S
0 -564.6 M
2.0703125 0 32 0 0 (The authentication method proposed in this document solves these problems, substitutes for these) A
0 -577.8 M
2.88867188 0 32 0 0 (existing methods, and serves as a long-term solution to Web authentication security. It has the) A
0 -591 M
(following main characteristics: ) S
% Bulleted list: each bullet is a filled circle of radius 2.75 drawn with arc
% at x = 11; the item text is indented to x = 22.
11 -611.6 M
gsave
0 setgray
newpath
11.0 -611.57019 2.75 0 360 arc
closepath
fill
grestore
22 -615.2 M
0.244791672 0 32 0 0 (It provides "true" mutual authentication: in addition to assuring the server that the user knows the) A
22 -628.4 M
0.257324219 0 32 0 0 (password, it also assures the user that the server truly knows the user's encrypted password at the) A
22 -641.6 M
1.39375 0 32 0 0 (same time. This makes it impossible for fake website owners to persuade users that they have) A
22 -654.8 M
(authenticated with the original websites. ) S
11 -665.4 M
gsave
0 setgray
newpath
11.0 -665.370239 2.75 0 360 arc
closepath
fill
grestore
% The second list item starts here and continues on the next page.
22 -669 M
0.953450501 0 32 0 0 (It uses only passwords as the user's credential: unlike public-key-based security algorithms, the) A
22 -669 M
% Page footer: page number in font index 8 of FL at size 8, isolated by
% gsave/grestore.
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 3 -) S
0 setgray
44 -8 M
grestore
% Restore the VM state saved in pgsave at the top of the page, then N
% (showpage) emits the page.
pgsave restore N
%%Page: 4 4
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
22 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.600643396 0 32 0 0 (method does not rely on secret keys or other cryptographic data that have to be stored inside the) A
22 -26.4 M
11 0 Nf
2.08342624 0 32 0 0 (users' computers. The proposed method can be used as a drop-in replacement to the current) A
22 -39.6 M
(authentication methods like Basic or Digest, while ensuring a much stronger level of security. ) S
11 -50.2 M
gsave
0 setgray
newpath
11.0 -50.170002 2.75 0 360 arc
closepath
fill
grestore
22 -53.8 M
0.63671875 0 32 0 0 (It is secure: when the server fails to authenticate with a user, the protocol will not reveal any bit) A
22 -67 M
(of the user's ) S
(password.) S
0 -91.2 M
1.37447917 0 32 0 0 (Users can discriminate between true and fake Web servers using their own passwords by using the) A
0 -104.4 M
0.822395861 0 32 0 0 (proposed method. Even when a user inputs his/her password to a fake website owned by illegitimate) A
0 -117.6 M
0.0302083325 0 32 0 0 (phishers, the user will certainly notice that the authentication has failed. Phishers will not be successful) A
0 -130.8 M
1.67236328 0 32 0 0 (in their authentication attempts, even if they forward the received data from a user to a legitimate) A
0 -144 M
0.693014681 0 32 0 0 (server or vice versa. Users can input sensitive data to the web forms after confirming that the mutual) A
0 -157.2 M
(authentication has succeeded, without fear of phishing attacks. ) S
0 -181.4 M
2.42695308 0 32 0 0 (The document, along with ) A
gsave
newpath
127.9 -182.5 M
135.890625 0 RL
stroke
grestore
2.42695308 0 32 0 0 ([I-D.oiwa-http-auth-extension]) A
[/Rect [126.917969 -184.149979 264.808594 -172.049973] /Subtype /Link /Border [0 0 0] /Dest /106 /ANN pdfmark
2.42695308 0 32 0 0 (, also proposes several extensions to the) A
0 -194.6 M
6.80902767 0 32 0 0 (current HTTP authentication framework, to replace current widely-used form-based Web) A
0 -207.8 M
(authentication. The extensions provided include: ) S
11 -228.4 M
gsave
0 setgray
newpath
11.0 -228.36998 2.75 0 360 arc
closepath
fill
grestore
22 -232 M
(Multi-host single authentication within an Internet domain ) S
(\() S
gsave
newpath
285.6 -233.1 M
41.2382812 0 RL
stroke
grestore
(Section\2405) S
[/Rect [284.59375 -234.749969 327.832031 -222.649963] /Subtype /Link /Border [0 0 0] /Dest /60 /ANN pdfmark
(\), ) S
11 -242.6 M
gsave
0 setgray
newpath
11.0 -242.569977 2.75 0 360 arc
closepath
fill
grestore
22 -246.2 M
(non-mandatory, optional authentication on HTTP ) S
(\() S
gsave
newpath
246.2 -247.3 M
41.2382812 0 RL
stroke
grestore
(Section\2408) S
[/Rect [245.199219 -248.949966 288.4375 -236.84996] /Subtype /Link /Border [0 0 0] /Dest /68 /ANN pdfmark
(\), ) S
11 -256.8 M
gsave
0 setgray
newpath
11.0 -256.769958 2.75 0 360 arc
closepath
fill
grestore
22 -260.4 M
(log out from both server and client side ) S
(\() S
gsave
newpath
201.6 -261.5 M
41.2382812 0 RL
stroke
grestore
(Section\2408) S
[/Rect [200.589844 -263.149963 243.828125 -251.049957] /Subtype /Link /Border [0 0 0] /Dest /68 /ANN pdfmark
(\), and ) S
11 -271 M
gsave
0 setgray
newpath
11.0 -270.969971 2.75 0 360 arc
closepath
fill
grestore
22 -274.6 M
(finer control for redirection depending on authentication status ) S
(\() S
gsave
newpath
304.2 -275.7 M
41.2382812 0 RL
stroke
grestore
(Section\2408) S
[/Rect [303.195312 -277.349976 346.433594 -265.249969] /Subtype /Link /Border [0 0 0] /Dest /68 /ANN pdfmark
(\).) S
0 -285.6 M
[/View [/XYZ -4 471.400024 null] /Dest /4 /DEST pdfmark
0 -285.6 M
[/View [/XYZ -4 471.400024 null] /Dest /5 /DEST pdfmark
0 -301.2 M
%%IncludeResource: font Times-Bold
13 2 Nf
(1.1.) S
[/View [/XYZ -4 471.400024 null] /Dest /167 /DEST pdfmark
( Relations to other ) S
(technologies) S
0 -307.7 M
[/View [/XYZ -4 449.300018 null] /Dest /6 /DEST pdfmark
0 -307.7 M
[/View [/XYZ -4 449.300018 null] /Dest /7 /DEST pdfmark
0 -327.2 M
13 2 Nf
(1.1.1.) S
[/View [/XYZ -4 445.400024 null] /Dest /168 /DEST pdfmark
( Technologies updated or superseded by this ) S
(proposal) S
0 -333.7 M
[/View [/XYZ -4 423.300018 null] /Dest /8 /DEST pdfmark
0 -333.7 M
[/View [/XYZ -4 423.300018 null] /Dest /9 /DEST pdfmark
0 -353.2 M
13 2 Nf
(1.1.1.1.) S
[/View [/XYZ -4 419.400024 null] /Dest /169 /DEST pdfmark
( HTTP Basic and Digest ) S
(authentication) S
0 -377.4 M
11 0 Nf
2.1031251 0 32 0 0 (The main purpose of this proposal is obviously providing an upgrade for the two existing HTTP) A
0 -390.6 M
(authentication methods, ) S
gsave
newpath
107.8 -391.7 M
45.8164062 0 RL
stroke
grestore
(Basic and ) S
gsave
newpath
153.6 -391.7 M
28.7109375 0 RL
stroke
grestore
(Digest) S
[/Rect [106.824219 -393.35 183.351562 -381.25] /Subtype /Link /Border [0 0 0] /Dest /121 /ANN pdfmark
( [RFC2617]. ) S
0 -414.8 M
2.20419025 0 32 0 0 (HTTP Basic authentication, as its name suggests, provides a very simple authentication mechanism) A
0 -428 M
1.05305994 0 32 0 0 (using a plain-text password directly over the HTTP transport. HTTP Digest authentication focuses on) A
0 -441.2 M
2.19791675 0 32 0 0 (mitigating the fundamental weakness of Basic authentication by using MD5-based hashing to the) A
0 -454.4 M
0.7734375 0 32 0 0 (authentication, but that has almost failed to deploy due to improper implementations, interoperability) A
0 -467.6 M
2.734375 0 32 0 0 (problems, and missing feature implementations before MD5 was deprecated for its cryptographic) A
0 -480.8 M
7.11328125 0 32 0 0 (weakness. Digest also has a fundamental problem that the server-side must possess a) A
0 -494 M
(password-equivalent to perform authentication, which increases risks of server-side data leakage. ) S
0 -505 M
[/View [/XYZ -4 251.999908 null] /Dest /10 /DEST pdfmark
0 -505 M
[/View [/XYZ -4 251.999908 null] /Dest /11 /DEST pdfmark
0 -520.6 M
13 2 Nf
(1.1.1.2.) S
[/View [/XYZ -4 251.999908 null] /Dest /170 /DEST pdfmark
( HTML Form ) S
(authentication) S
0 -544.8 M
11 0 Nf
0.0924479142 0 32 0 0 (Another aim of this protocol is \(at least\) partially replacing the HTML form authentication. Because of) A
0 -558 M
1.05566406 0 32 0 0 (inflexibility of the HTTP Basic authentication, recent Web applications tend to use application-level) A
0 -571.2 M
2.122159 0 32 0 0 (implementations for user authentication using HTML Forms and Web browser rendering engines.) A
0 -584.4 M
4.28665876 0 32 0 0 (However, that method has many of the same potential security weaknesses as HTTP Basic) A
0 -597.6 M
0.533203125 0 32 0 0 (authentication as it uses plaintext. Considering server-impersonations and existence of human-forging) A
0 -610.8 M
0.318181813 0 32 0 0 (rogue servers \(i.e. phishing\), script-based implementations of hash-based authentication do not help,) A
0 -624 M
2.97025251 0 32 0 0 (because their behavior is completely controlled by the web-page content itself, which is possibly) A
0 -637.2 M
1.921875 0 32 0 0 (provided by such a rogue server. This also closes any possibilities for extending HTML forms to) A
0 -650.4 M
2.88834643 0 32 0 0 (implement cryptography, as its user-interface could not be prevented from being imitated using) A
0 -663.6 M
0.233593747 0 32 0 0 (plain-text forms. Using HTTP-level authentication is better in this field, because it is under the control) A
0 -663.6 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 4 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 5 5
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
5.99902344 0 32 0 0 (of the client software \(Web browsers\), which can enforce security checks regardless of) A
0 -26.4 M
11 0 Nf
(server-provided contents. ) S
0 -50.6 M
3.04241061 0 32 0 0 (Of course, we could not ignore the strong reasons of favoring Form authentication over Basic) A
0 -63.8 M
1.95987213 0 32 0 0 (authentication: its flexibility. HTTP authentication framework lacks many features for recent Web) A
0 -77 M
4.48681641 0 32 0 0 (applications, mainly for interactions between HTTP-level authentications and application-level) A
0 -90.2 M
5.19843769 0 32 0 0 (management of "authentication sessions". As long as current HTTP-layer \(and lower-layer\)) A
0 -103.4 M
1.1072917 0 32 0 0 (authentication is used, the new method would share the same problem. To solve this problem, this) A
0 -116.6 M
1.64160156 0 32 0 0 (protocol has a companion mechanism for application-level control of authentication behaviors as ) A
gsave
newpath
449.1 -117.7 M
4.8828125 0 RL
stroke
grestore
1.64160156 0 32 0 0 (a) A
[/Rect [448.105469 -119.349991 454.988281 -107.249992] /Subtype /Link /Border [0 0 0] /Dest /106 /ANN pdfmark
0 -129.8 M
gsave
newpath
0 -130.9 M
39.9444427 0 RL
stroke
grestore
1.17100692 0 32 0 0 (separate ) A
gsave
newpath
39.9 -130.9 M
20.7578125 0 RL
stroke
grestore
1.17100692 0 32 0 0 (draft) A
[/Rect [-1.0 -132.549988 61.6992188 -120.449989] /Subtype /Link /Border [0 0 0] /Dest /106 /ANN pdfmark
1.17100692 0 32 0 0 ( [I-D.oiwa-http-auth-extension]. By using this additional mechanism, Web applications) A
0 -143 M
1.74270833 0 32 0 0 (can implement most of these required features as easily as just calling an already-provided API for) A
0 -156.2 M
(them. ) S
0 -167.2 M
[/View [/XYZ -4 589.800049 null] /Dest /12 /DEST pdfmark
0 -167.2 M
[/View [/XYZ -4 589.800049 null] /Dest /13 /DEST pdfmark
0 -182.8 M
%%IncludeResource: font Times-Bold
13 2 Nf
(1.1.2.) S
[/View [/XYZ -4 589.800049 null] /Dest /171 /DEST pdfmark
( Technologies not updated by this ) S
(proposal) S
0 -189.3 M
[/View [/XYZ -4 567.7 null] /Dest /14 /DEST pdfmark
0 -189.3 M
[/View [/XYZ -4 567.7 null] /Dest /15 /DEST pdfmark
0 -208.8 M
13 2 Nf
(1.1.2.1.) S
[/View [/XYZ -4 563.800049 null] /Dest /172 /DEST pdfmark
( Federated identity/authorization ) S
(management) S
0 -233 M
11 0 Nf
10.7777777 0 32 0 0 (There are several technologies \(protocols, frameworks, or systems\) for managing) A
0 -246.2 M
5.59033203 0 32 0 0 (authentications/authorizations involving multiple-parties: some of those examples are ) A
gsave
newpath
424.1 -247.3 M
29.9375 0 RL
stroke
grestore
5.59033203 0 32 0 0 (OAuth) A
[/Rect [423.058594 -248.949982 454.996094 -236.849976] /Subtype /Link /Border [0 0 0] /Dest /114 /ANN pdfmark
0 -259.4 M
0.130859375 0 32 0 0 ([I-D.ietf-oauth-v2], ) A
gsave
newpath
88.4 -260.5 M
38.3066406 0 RL
stroke
grestore
0.130859375 0 32 0 0 (OpenID ) A
gsave
newpath
126.7 -260.5 M
36.65625 0 RL
stroke
grestore
0.130859375 0 32 0 0 (Connect) A
[/Rect [87.3710938 -262.15 164.332031 -250.049988] /Subtype /Link /Border [0 0 0] /Dest /120 /ANN pdfmark
0.130859375 0 32 0 0 ( [OIDF.Connect.Standard], ) A
gsave
newpath
286.1 -260.5 M
30.5507812 0 RL
stroke
grestore
0.130859375 0 32 0 0 (SAML) A
[/Rect [285.066406 -262.15 317.617188 -250.049988] /Subtype /Link /Border [0 0 0] /Dest /119 /ANN pdfmark
0.130859375 0 32 0 0 ( [OASIS.saml-core-2.0-os] etc.) A
0 -272.6 M
0.0654296875 0 32 0 0 (These technologies can be further divided into two categories: federated authentication and authorization) A
0 -285.8 M
(delegation, although some of these technologies cover both. ) S
0 -310 M
0.953125 0 32 0 0 (Federated authentication provides so-called "three-legged authentication": provided the result of user) A
0 -323.2 M
0.424665183 0 32 0 0 (authentication to a single entity \(identity provider\) and the user's consent, the mechanism can provide) A
0 -336.4 M
1.35096157 0 32 0 0 (other entities assertion of the user's identity without performing a separate identity management by) A
0 -349.6 M
0.296596 0 32 0 0 (every entity. Authorization delegation gives a mechanism for transferring a part of the user's privilege) A
0 -362.8 M
0.845833361 0 32 0 0 (on an entity \(resource owners\) to another entity without requiring users to give away the full credential) A
0 -376 M
(for the authentication. ) S
0 -400.2 M
4.26100874 0 32 0 0 (Essentially, both of those technologies are transforming a result of conventional, one-by-one) A
0 -413.4 M
0.010516827 0 32 0 0 (\(two-legged\) authentication into a multi-party privilege management. The purpose of this protocol is to) A
0 -426.6 M
0.0280761719 0 32 0 0 (secure the very part of the two-legged authentication, and so it can be naturally combined with existing) A
0 -439.8 M
(federated management frameworks for increasing security of the entire system. ) S
0 -464 M
5.568892 0 32 0 0 (Additionally, this protocol can provide a secure peer-to-peer shared key generated during) A
0 -477.2 M
1.34825718 0 32 0 0 (authentication to the higher-layer applications ) A
gsave
newpath
211.7 -478.3 M
46.7382812 0 RL
stroke
grestore
1.34825718 0 32 0 0 (Section\24012) A
[/Rect [210.667969 -479.950165 259.40625 -467.850159] /Subtype /Link /Border [0 0 0] /Dest /81 /ANN pdfmark
1.34825718 0 32 0 0 (. These keys can be possibly used by such) A
0 -490.4 M
(federating mechanisms in future for simplifying/securing the framework. ) S
0 -501.4 M
[/View [/XYZ -4 255.599823 null] /Dest /16 /DEST pdfmark
0 -501.4 M
[/View [/XYZ -4 255.599823 null] /Dest /17 /DEST pdfmark
0 -517 M
13 2 Nf
(1.1.2.2.) S
[/View [/XYZ -4 255.599823 null] /Dest /173 /DEST pdfmark
( HTTPS and HTTPS client-certificate ) S
(authentication) S
0 -541.2 M
11 0 Nf
2.608073 0 32 0 0 (This protocol will not replace the wide-spread and widely-accepted technology of SSL/TLS and ) A
0 -554.4 M
gsave
newpath
0 -555.5 M
33.6054688 0 RL
stroke
grestore
0.7890625 0 32 0 0 (HTTPS) A
[/Rect [-1.0 -557.150208 34.6054688 -545.050232] /Subtype /Link /Border [0 0 0] /Dest /123 /ANN pdfmark
0.7890625 0 32 0 0 ( [RFC2818]. This protocol will be still relying on the HTTPS for the integrity and secrecy of) A
0 -567.6 M
3.34735584 0 32 0 0 (the HTTP payload. This protocol ensures users the integrity and secrecy of the authentication) A
0 -580.8 M
(credentials, and authenticity of the talking peer server. ) S
0 -605 M
2.76796865 0 32 0 0 (Client certificate \(and other public-key-based\) authentications have a fair-amount of applications) A
0 -618.2 M
1.79190338 0 32 0 0 (\(mainly for high-assurance applications\), and there are possible needs for redesigning/updating the) A
0 -631.4 M
0.0234375 0 32 0 0 (whole framework. However, currently public-key-based user-authentication and connection-based user) A
0 -644.6 M
(identification are out of scope of this proposal. ) S
0 -644.6 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 5 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 6 6
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /18 /DEST pdfmark
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /19 /DEST pdfmark
0 -15.6 M
%%IncludeResource: font Times-Bold
13 2 Nf
(1.1.2.3.) S
[/View [/XYZ -4 757.0 null] /Dest /174 /DEST pdfmark
( Protocols for local identity-management ) S
(frameworks) S
0 -39.8 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.435997605 0 32 0 0 (There are several existing frameworks for managing user identity of tightly-managed, closed group of) A
0 -53 M
0.783954322 0 32 0 0 (users, such as ) A
gsave
newpath
65.3 -54.1 M
40.3046875 0 RL
stroke
grestore
0.783954322 0 32 0 0 (Kerberos) A
[/Rect [64.2617188 -55.7500038 106.566406 -43.65] /Subtype /Link /Border [0 0 0] /Dest /124 /ANN pdfmark
0.783954322 0 32 0 0 ( ) A
0.783954322 0 32 0 0 ([RFC3961]/) A
gsave
newpath
162.3 -54.1 M
41.5429688 0 RL
stroke
grestore
0.783954322 0 32 0 0 (GSS-API) A
[/Rect [161.257812 -55.7500038 204.800781 -43.65] /Subtype /Link /Border [0 0 0] /Dest /122 /ANN pdfmark
0.783954322 0 32 0 0 ( [RFC2743] etc. Some of these have defined a bridging) A
0 -66.2 M
2.64152646 0 32 0 0 (protocol for HTTP authentication. This protocol does not currently aim to replace such existing) A
0 -79.4 M
(frameworks. ) S
0 -103.6 M
4.6264205 0 32 0 0 (More precisely, requirements for those frameworks and usual Web user authentication differ) A
0 -116.8 M
3.06730771 0 32 0 0 (fundamentally. In such frameworks, user authentication is performed first, and the result of the) A
0 -130 M
3.5357573 0 32 0 0 (authentication tends to be shared in all applications, sometimes even shared regardless of the) A
0 -143.2 M
0.957490802 0 32 0 0 (underlying protocols. In those systems, it is almost never the case that multiple identities are used) A
0 -156.4 M
2.45239258 0 32 0 0 (inside a single server and inside a single client machine at the same time. In such applications,) A
0 -169.6 M
0.579687476 0 32 0 0 (connection-based or even a machine-based authentication can be used without trouble. This is not the) A
0 -182.8 M
(case for the general Web authentication applications. ) S
0 -193.8 M
[/View [/XYZ -4 563.2 null] /Dest /20 /DEST pdfmark
0 -193.8 M
[/View [/XYZ -4 563.2 null] /Dest /21 /DEST pdfmark
0 -209.4 M
13 2 Nf
(1.1.2.4.) S
[/View [/XYZ -4 563.2 null] /Dest /175 /DEST pdfmark
( HTTP and HTTP authentication ) S
(architecture) S
0 -233.6 M
11 0 Nf
2.70987225 0 32 0 0 (Although HTTP and generic HTTP authentication architecture lack some required features \(see) A
0 -246.8 M
0.73046875 0 32 0 0 (above\), the whole structure of per-request, per-resource authentication is well-suited for general Web) A
0 -260 M
7.66210938 0 32 0 0 (applications compared with connection-based or machine-based authentication/authorization) A
0 -273.2 M
1.29799104 0 32 0 0 (framework \(those which tie user identity to either connections or machines\). The whole protocol in) A
0 -286.4 M
0.0348557681 0 32 0 0 (this specification is designed on top of the framework of ) A
gsave
newpath
251.4 -287.5 M
110.84375 0 RL
stroke
grestore
0.0348557681 0 32 0 0 ([I-D.ietf-httpbis-p7-auth]) A
[/Rect [250.371094 -289.150024 363.214844 -277.050018] /Subtype /Link /Border [0 0 0] /Dest /105 /ANN pdfmark
0.0348557681 0 32 0 0 (. Small extensions to) A
0 -299.6 M
0.710582376 0 32 0 0 (the framework in this specification and ) A
gsave
newpath
178.9 -300.7 M
135.890625 0 RL
stroke
grestore
0.710582376 0 32 0 0 ([I-D.oiwa-http-auth-extension]) A
[/Rect [177.933594 -302.350037 315.824219 -290.250031] /Subtype /Link /Border [0 0 0] /Dest /106 /ANN pdfmark
0.710582376 0 32 0 0 (, which are designed for filling) A
0 -312.8 M
0.143310547 0 32 0 0 (the missing features, are carefully designed so that they can be implemented easily only by the client-side) A
0 -326 M
(without changing the whole framework. ) S
0 -337 M
[/View [/XYZ -4 419.999939 null] /Dest /22 /DEST pdfmark
0 -337 M
[/View [/XYZ -4 419.999939 null] /Dest /23 /DEST pdfmark
0 -352.6 M
13 2 Nf
(1.2.) S
[/View [/XYZ -4 419.999939 null] /Dest /176 /DEST pdfmark
( ) S
(Terminology) S
0 -376.8 M
11 0 Nf
2.37011719 0 32 0 0 (The key words "MUST", "MUST\240NOT", "REQUIRED", "SHALL", "SHALL\240NOT", "SHOULD",) A
0 -390 M
1.49739587 0 32 0 0 ("SHOULD\240NOT", "RECOMMENDED", "NOT\240RECOMMENDED", "MAY", and "OPTIONAL" in) A
0 -403.2 M
(this document are to be interpreted as described in ) S
gsave
newpath
223.9 -404.3 M
50.1054688 0 RL
stroke
grestore
([RFC2119]) S
[/Rect [222.863281 -405.950104 274.96875 -393.850098] /Subtype /Link /Border [0 0 0] /Dest /107 /ANN pdfmark
(.) S
0 -427.4 M
6.61002588 0 32 0 0 (The terms "encouraged" and "advised" are used for suggestions that do not constitute) A
0 -440.6 M
3.4172585 0 32 0 0 ("SHOULD"-level requirements. People MAY freely choose not to include the suggested items) A
0 -453.8 M
0.508091509 0 32 0 0 (regarding ) A
gsave
newpath
45.4 -454.9 M
50.1054688 0 RL
stroke
grestore
0.508091509 0 32 0 0 ([RFC2119]) A
[/Rect [44.3984375 -456.55014 96.5039062 -444.450134] /Subtype /Link /Border [0 0 0] /Dest /107 /ANN pdfmark
0.508091509 0 32 0 0 (, but complying with those suggestions would be a best practice; it will improve) A
0 -467 M
(security, interoperability, and/or operational ) S
(performance.) S
0 -491.2 M
0.310302734 0 32 0 0 (This document distinguishes the terms "client" and "user" in the following way: A "client" is an entity) A
0 -504.4 M
0.23401989 0 32 0 0 (understanding and talking HTTP and the specified authentication protocol, usually computer software;) A
0 -517.6 M
(a "user" is a \(usually natural\) person who wants to access data resources using "a ) S
(client".) S
0 -541.8 M
2.9309895 0 32 0 0 (The term "natural numbers" refers to the non-negative integers \(including zero\) throughout this ) A
0 -555 M
(document.) S
0 -579.2 M
3.25270438 0 32 0 0 (This document treats the target \(codomain\) of hash functions as natural numbers. The notation) A
0 -592.4 M
(OCTETS\(H\(s\)\) gives a usual octet-string output of hash function H applied to string ) S
(s.) S
0 -603.4 M
[/View [/XYZ -4 153.599792 null] /Dest /24 /DEST pdfmark
0 -603.4 M
[/View [/XYZ -4 153.599792 null] /Dest /25 /DEST pdfmark
0 -603.4 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 6 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 7 7
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -15.6 M
%%IncludeResource: font Times-Bold
13 2 Nf
(1.3.) S
[/View [/XYZ -4 757.0 null] /Dest /177 /DEST pdfmark
( Document Structure and Related ) S
(Documents) S
0 -39.8 M
%%IncludeResource: font Times-Roman
11 0 Nf
(The entire document is organized as follows: ) S
11 -60.4 M
gsave
0 setgray
newpath
11.0 -60.3700027 2.75 0 360 arc
closepath
fill
grestore
22 -64 M
gsave
newpath
22 -65.1 M
41.2382812 0 RL
stroke
grestore
(Section\2402) S
[/Rect [21.0 -66.75 64.2382812 -54.65] /Subtype /Link /Border [0 0 0] /Dest /26 /ANN pdfmark
( presents an overview of the protocol design. ) S
11 -74.6 M
gsave
0 setgray
newpath
11.0 -74.57 2.75 0 360 arc
closepath
fill
grestore
22 -78.2 M
3.48737979 0 32 0 0 (Sections ) A
gsave
newpath
65.5 -79.3 M
5.5 0 RL
stroke
grestore
3.48737979 0 32 0 0 (3) A
[/Rect [64.5 -80.95 72.0 -68.85] /Subtype /Link /Border [0 0 0] /Dest /36 /ANN pdfmark
3.48737979 0 32 0 0 ( to ) A
gsave
newpath
92 -79.3 M
11.0 0 RL
stroke
grestore
3.48737979 0 32 0 0 (10) A
[/Rect [91.0234375 -80.95 104.023438 -68.85] /Subtype /Link /Border [0 0 0] /Dest /73 /ANN pdfmark
3.48737979 0 32 0 0 ( define a general framework of the Mutual authentication protocol. This) A
22 -91.4 M
(framework is independent of specific cryptographic primitives. ) S
11 -102 M
gsave
0 setgray
newpath
11.0 -101.969994 2.75 0 360 arc
closepath
fill
grestore
22 -105.6 M
gsave
newpath
22 -106.7 M
46.7382812 0 RL
stroke
grestore
2.85351562 0 32 0 0 (Section\24011) A
[/Rect [21.0 -108.349991 69.7382812 -96.2499924] /Subtype /Link /Border [0 0 0] /Dest /75 /ANN pdfmark
2.85351562 0 32 0 0 ( describes properties needed for cryptographic algorithms used with this protocol) A
22 -118.8 M
3.65201831 0 32 0 0 (framework, and defines a few functions which will be shared among such cryptographic) A
22 -132 M
(algorithms. ) S
11 -142.6 M
gsave
0 setgray
newpath
11.0 -142.569992 2.75 0 360 arc
closepath
fill
grestore
22 -146.2 M
(The sections after that contain general normative and informative information about the protocol. ) S
11 -156.8 M
gsave
0 setgray
newpath
11.0 -156.769989 2.75 0 360 arc
closepath
fill
grestore
22 -160.4 M
(The appendices contain some information that may help developers to implement the ) S
(protocol.) S
0 -184.6 M
(In addition, there are two companion documents which are referenced from/related to this specification: ) S
11 -205.2 M
gsave
0 setgray
newpath
11.0 -205.169983 2.75 0 360 arc
closepath
fill
grestore
22 -208.8 M
gsave
newpath
22 -209.9 M
143.222656 0 RL
stroke
grestore
0.778515637 0 32 0 0 ([I-D.oiwa-http-mutualauth-algo]) A
[/Rect [21.0 -211.549973 166.222656 -199.449966] /Subtype /Link /Border [0 0 0] /Dest /116 /ANN pdfmark
0.778515637 0 32 0 0 (: defines cryptographic primitives which can be used with this) A
22 -222 M
0.678222656 0 32 0 0 (protocol framework. [draft note: it is separated so that it may be replaced with another crypto in) A
22 -235.2 M
(future. We need at least one example for testing/implementing this protocol, so here it is.] ) S
11 -245.8 M
gsave
0 setgray
newpath
11.0 -245.769974 2.75 0 360 arc
closepath
fill
grestore
22 -249.4 M
gsave
newpath
22 -250.5 M
135.890625 0 RL
stroke
grestore
3.71054697 0 32 0 0 ([I-D.oiwa-http-auth-extension]) A
[/Rect [21.0 -252.149963 158.890625 -240.049957] /Subtype /Link /Border [0 0 0] /Dest /106 /ANN pdfmark
3.71054697 0 32 0 0 (: defines small but useful extensions to the current HTTP) A
22 -262.6 M
2.5951705 0 32 0 0 (authentication framework so that it can support application-level semantics of existing Web ) A
22 -275.8 M
(systems.) S
0 -286.8 M
[/View [/XYZ -4 470.2 null] /Dest /26 /DEST pdfmark
0 -286.8 M
[/View [/XYZ -4 470.2 null] /Dest /27 /DEST pdfmark
0 -305.8 M
15 2 Nf
(2.) S
[/View [/XYZ -4 469.2 null] /Dest /178 /DEST pdfmark
( Protocol ) S
(Overview) S
0 -330 M
11 0 Nf
6.85909605 0 32 0 0 (The protocol, as a whole, is designed as a natural extension to the ) A
gsave
newpath
380.2 -331.1 M
37.101284 0 RL
stroke
grestore
6.85909605 0 32 0 0 (HTTP ) A
gsave
newpath
417.3 -331.1 M
36.6523438 0 RL
stroke
grestore
6.85909605 0 32 0 0 (protocol) A
[/Rect [379.199219 -332.75 454.949219 -320.65] /Subtype /Link /Border [0 0 0] /Dest /104 /ANN pdfmark
0 -343.2 M
0.330078125 0 32 0 0 ([I-D.ietf-httpbis-p1-messaging] using a framework defined in ) A
gsave
newpath
275.3 -344.3 M
110.84375 0 RL
stroke
grestore
0.330078125 0 32 0 0 ([I-D.ietf-httpbis-p7-auth]) A
[/Rect [274.296875 -345.95 387.140625 -333.85] /Subtype /Link /Border [0 0 0] /Dest /105 /ANN pdfmark
0.330078125 0 32 0 0 (. Internally, the) A
0 -356.4 M
0.908691406 0 32 0 0 (server and the client will first perform a cryptographic key exchange, using the secret password as a) A
0 -369.6 M
0.269775391 0 32 0 0 ("tweak" to the exchange. The key-exchange will only succeed when the secrets used by both peers) A
0 -382.8 M
3.06891751 0 32 0 0 (are correctly related \(i.e. generated from the same password\). Then, both peers will verify the) A
0 -396 M
0.948939741 0 32 0 0 (authentication results by confirming the sharing of the exchanged key. This section gives a brief) A
0 -409.2 M
(overview of the protocol and the exchanged messages. ) S
0 -420.2 M
[/View [/XYZ -4 336.799927 null] /Dest /28 /DEST pdfmark
0 -420.2 M
[/View [/XYZ -4 336.799927 null] /Dest /29 /DEST pdfmark
0 -435.8 M
13 2 Nf
(2.1.) S
[/View [/XYZ -4 336.799927 null] /Dest /179 /DEST pdfmark
( Messages ) S
(Overview) S
0 -460 M
11 0 Nf
1.71647131 0 32 0 0 (The authentication protocol uses seven kinds of messages to perform mutual authentication. These) A
0 -473.2 M
(messages have specific names within this specification. ) S
11 -493.8 M
gsave
0 setgray
newpath
11.0 -493.770111 2.75 0 360 arc
closepath
fill
grestore
22 -497.4 M
4.54166651 0 32 0 0 (Authentication request messages: used by the servers to request clients to start mutual) A
22 -510.6 M
(authentication. ) S
33 -521.2 M
gsave
0 setgray
newpath
33.0 -521.170105 2.75 0 360 arc
closepath
stroke
grestore
44 -524.8 M
0.213281244 0 32 0 0 (401-INIT message: a general message to start the authentication protocol. It is also used as a) A
44 -538 M
(message indicating an authentication failure. ) S
33 -548.6 M
gsave
0 setgray
newpath
33.0 -548.570129 2.75 0 360 arc
closepath
stroke
grestore
44 -552.2 M
4.9625 0 32 0 0 (200-Optional-INIT message: a variant of the 401-INIT message indicating that an) A
44 -565.4 M
(authentication is not mandatory. ) S
33 -576 M
gsave
0 setgray
newpath
33.0 -575.970154 2.75 0 360 arc
closepath
stroke
grestore
44 -579.6 M
(401-STALE message: a message indicating that the client has to start a new authentication ) S
(trial.) S
11 -590.2 M
gsave
0 setgray
newpath
11.0 -590.170166 2.75 0 360 arc
closepath
fill
grestore
22 -593.8 M
2.14908862 0 32 0 0 (Authenticated key exchange messages: used by both peers to perform authentication and the) A
22 -607 M
(sharing of a cryptographic secret. ) S
33 -617.6 M
gsave
0 setgray
newpath
33.0 -617.57019 2.75 0 360 arc
closepath
stroke
grestore
44 -621.2 M
(req-KEX-C1 message: a message sent from the client. ) S
33 -631.8 M
gsave
0 setgray
newpath
33.0 -631.770203 2.75 0 360 arc
closepath
stroke
grestore
44 -635.4 M
2.43149042 0 32 0 0 (401-KEX-S1 message: a message sent from the server as a response to a req-KEX-C1 ) A
44 -648.6 M
(message.) S
11 -659.2 M
gsave
0 setgray
newpath
11.0 -659.170227 2.75 0 360 arc
closepath
fill
grestore
22 -662.8 M
(Authentication verification messages: used by both peers to verify the authentication results. ) S
44 -663.8 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 7 -) S
0 setgray
88 -8 M
grestore
pgsave restore N
%%Page: 8 8
%%PageResources: font Times-Roman Times-Bold Courier Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
33 -9.6 M
gsave
0 setgray
newpath
33.0 -9.57000065 2.75 0 360 arc
closepath
stroke
grestore
44 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.00488281 0 32 0 0 (req-VFY-C message: a message used by the client, requesting that the server authenticates) A
44 -26.4 M
11 0 Nf
(and authorizes the client. ) S
33 -37 M
gsave
0 setgray
newpath
33.0 -36.97 2.75 0 360 arc
closepath
stroke
grestore
44 -40.6 M
1.27854562 0 32 0 0 (200-VFY-S message: a successful response used by the server, and also asserting that the) A
44 -53.8 M
(server is authentic to the client ) S
(simultaneously.) S
0 -78 M
1.87706804 0 32 0 0 (In addition to the above, either a request or a response without any HTTP headers related to this) A
0 -91.2 M
(specification will be hereafter called a "normal request" or a "normal response", respectively. ) S
0 -102.2 M
[/View [/XYZ -4 654.8 null] /Dest /30 /DEST pdfmark
0 -102.2 M
[/View [/XYZ -4 654.8 null] /Dest /31 /DEST pdfmark
0 -117.8 M
%%IncludeResource: font Times-Bold
13 2 Nf
(2.2.) S
[/View [/XYZ -4 654.8 null] /Dest /180 /DEST pdfmark
( Typical Flows of the ) S
(Protocol) S
0 -142 M
11 0 Nf
0.602294922 0 32 0 0 (In typical cases, the client access to a resource protected by the Mutual authentication will follow the) A
0 -155.2 M
(following protocol ) S
(sequence.) S
0 -166.2 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -177.2 M
[/View [/XYZ -4 579.800049 null] /Dest /32 /DEST pdfmark
0 -188 M
%%IncludeResource: font Courier
9.0 4 Nf
(       Client                                 Server) S
0 -198.8 M
(         |                                      |) S
0 -209.6 M
(         |  ---- \(1\) normal request --------->  |) S
0 -220.4 M
(     GET / HTTP/1.1                             |) S
0 -231.2 M
(         |                                      |) S
0 -242 M
(         |  <---------------- \(2\) 401-INIT ---  |) S
0 -252.8 M
(         |            401 Authentication Required) S
0 -263.6 M
(         |            WWW-Authenticate: Mutual realm="a realm") S
0 -274.4 M
(         |                                      |) S
0 -285.2 M
([user,   |                                      |) S
0 -296 M
( pass]-->|                                      |) S
0 -306.8 M
(         |  ---- \(3\) req-KEX-C1 ------------->  |) S
0 -317.6 M
(     GET / HTTP/1.1                             |) S
0 -328.4 M
(     Authorization: Mutual user="john",         |--> [user DB]) S
0 -339.2 M
(                    kc1="...", ...              |<-- [user info]) S
0 -350 M
(         |                                      |) S
0 -360.8 M
(         |  <-------------- \(4\) 401-KEX-S1 ---  |) S
0 -371.6 M
(         |           401 Authentication Required) S
0 -382.4 M
(         |           WWW-Authenticate: Mutual sid=..., ks1="...", ...) S
0 -393.2 M
(         |                                      |) S
0 -404 M
(     [compute] \(5\) compute session secret   [compute]) S
0 -414.8 M
(         |                                      |) S
0 -425.6 M
(         |                                      |) S
0 -436.4 M
(         |  ---- \(6\) req-VFY-C -------------->  |) S
0 -447.2 M
(     GET / HTTP/1.1                             |--> [verify \(6\)]) S
0 -458 M
(     Authorization: Mutual sid=...,             |<-- OK) S
0 -468.8 M
(                    vkc="...", ...              |) S
0 -479.6 M
(         |                                      |) S
0 -490.4 M
(         |  <--------------- \(7\) 200-VFY-S ---  |) S
0 -501.2 M
([verify  |           200 OK                     |) S
0 -512 M
(  \(7\)]<--|           Authentication-Info: Mutual vks="...") S
0 -522.8 M
(         |                                      |) S
0 -533.6 M
(         v                                      v) S
119.2 -556.5 M
7.63889 2 Nf
(\240Figure\2401: Typical communication flow for first access to ) S
(resource\240) S
0 -570.4 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
11 -591 M
gsave
0 setgray
newpath
11.0 -591.018311 2.75 0 360 arc
closepath
fill
grestore
22 -594.6 M
11 0 Nf
1.02026367 0 32 0 0 (As usual in general HTTP protocol designs, a client will at first request a resource without any) A
22 -607.8 M
0.176682696 0 32 0 0 (authentication attempt \(1\). If the requested resource is protected by the Mutual authentication, the) A
22 -621 M
(server will respond with a message requesting authentication \(401-INIT\) \(2\). ) S
11 -631.6 M
gsave
0 setgray
newpath
11.0 -631.618347 2.75 0 360 arc
closepath
fill
grestore
22 -635.2 M
0.360814154 0 32 0 0 (The client processes the body of the message, and waits for the user to input the user name and a) A
22 -648.4 M
0.0629595593 0 32 0 0 (password. If the user name and the password are available, the client will send a message with the) A
22 -661.6 M
(authenticated key exchange \(req-KEX-C1\) to start the authentication \(3\). ) S
22 -662.6 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 8 -) S
0 setgray
44 -8 M
grestore
pgsave restore N
%%Page: 9 9
%%PageResources: font Times-Roman Times-Bold Courier Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
11 -9.6 M
gsave
0 setgray
newpath
11.0 -9.57000065 2.75 0 360 arc
closepath
fill
grestore
22 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.08203125 0 32 0 0 (If the server has received a req-KEX-C1 message, the server looks up the user's authentication) A
22 -13.2 M
0.968202829 0.968202829 scale

0.0 -13.2 RM
11 0 Nf
(information within its user database. Then the server creates a new session identifier \(sid\) that will be) S
1.03284144 1.03284144 scale

22 -26 M
0.99743855 0.99743855 scale

0.0 -13.2 RM
(used to identify sets of the messages that follow it, and responds back with a message containing a) S
1.00256801 1.00256801 scale

22 -52.3 M
(server-side authenticated key exchange value \(401-KEX-S1\) \(4\). ) S
11 -62.9 M
gsave
0 setgray
newpath
11.0 -62.9164696 2.75 0 360 arc
closepath
fill
grestore
22 -66.5 M
0.421630859 0 32 0 0 (At this point \(5\), both peers calculate a shared "session secret" using the exchanged values in the) A
22 -79.7 M
1.29827011 0 32 0 0 (key exchange messages. Only when both the server and the client have used secret credentials) A
22 -79.7 M
0.997528613 0.997528613 scale

0.0 -13.2 RM
(generated from the same password will the session secret values match. This session secret will be) S
1.00247753 1.00247753 scale

22 -106.1 M
(used for the actual access authentication after this point. ) S
11 -116.7 M
gsave
0 setgray
newpath
11.0 -116.683861 2.75 0 360 arc
closepath
fill
grestore
22 -120.3 M
0.013521635 0 32 0 0 (The client will send a request with a client-side authentication verification value \(req-VFY-C\) \(6\),) A
22 -120.3 M
0.980312526 0.980312526 scale

0.0 -13.2 RM
(generated from the client-owned session secret. The server will check the validity of the verification) S
1.02008283 1.02008283 scale

22 -146.5 M
(value using its own session secret. ) S
11 -157 M
gsave
0 setgray
newpath
11.0 -157.023987 2.75 0 360 arc
closepath
fill
grestore
22 -160.7 M
2.69614959 0 32 0 0 (If the authentication verification value from the client was correct, it means that the client) A
22 -173.9 M
2.45572925 0 32 0 0 (definitely owns the credential based on the expected password \(i.e. the client authentication) A
22 -173.9 M
0.955752254 0.955752254 scale

0.0 -13.2 RM
(succeeded.\) The server will respond with a successful message \(200-VFY-S\) \(7\). Contrary to the usual) S
1.04629624 1.04629624 scale

22 -186.5 M
0.974087059 0.974087059 scale

0.0 -13.2 RM
(one-way authentication \(e.g. HTTP Basic authentication or POP APOP authentication\), this message) S
1.02660227 1.02660227 scale

22 -212.5 M
(also contains a server-side authentication verification value. ) S
22 -225.7 M
1.8483665 0 32 0 0 (When the client's verification value is incorrect \(e.g.\240because the user-supplied password was) A
22 -225.7 M
0.986442089 0.986442089 scale

0.0 -13.2 RM
(incorrect\), the server will respond with the 401-INIT message \(the same one as used in \(2\)\) instead. ) S
1.01374424 1.01374424 scale

11 -249.3 M
gsave
0 setgray
newpath
11.0 -249.318909 2.75 0 360 arc
closepath
fill
grestore
22 -252.9 M
2.40625 0 32 0 0 (The client MUST first check the validity of the server-side authentication verification value) A
22 -266.1 M
0.162841797 0 32 0 0 (contained in the message \(7\). If the value was equal to the expected one, the server authentication) A
22 -279.3 M
(succeeded. ) S
22 -292.5 M
0.90625 0 32 0 0 (If it is not the value expected, or if the message does not contain the authentication verification) A
22 -292.5 M
0.96025 0.96025 scale

0.0 -13.2 RM
(value, it means that the mutual authentication has been broken for some unexpected reason. The client) S
1.04139543 1.04139543 scale

22 -305.2 M
0.996737421 0.996737421 scale

0.0 -13.2 RM
(MUST\240NOT process any body or header values contained in this case. \(Note: This case should not) S
1.00327325 1.00327325 scale

22 -331.6 M
(happen between a correctly-implemented server and a client.\) ) S
0 -342.6 M
[/View [/XYZ -4 414.418854 null] /Dest /33 /DEST pdfmark
0 -342.6 M
[/View [/XYZ -4 414.418854 null] /Dest /34 /DEST pdfmark
0 -358.2 M
%%IncludeResource: font Times-Bold
13 2 Nf
(2.3.) S
[/View [/XYZ -4 414.418854 null] /Dest /181 /DEST pdfmark
( Alternative ) S
(Flows) S
0 -382.4 M
11 0 Nf
0.0571986623 0 32 0 0 (As shown above, the typical flow for a first authenticated request requires three request-response pairs.) A
0 -395.6 M
1.75330532 0 32 0 0 (To reduce the protocol overhead, the protocol enables several short-cut flows which require fewer ) A
0 -408.8 M
(messages.) S
11 -429.4 M
gsave
0 setgray
newpath
11.0 -429.351196 2.75 0 360 arc
closepath
fill
grestore
22 -433 M
1.51855469 0 32 0 0 (\(case A\) If the client knows that the resource is likely to require the authentication, the client) A
22 -446.2 M
4.54199219 0 32 0 0 (MAY omit the first unauthenticated request \(1\) and immediately send a key exchange) A
22 -459.4 M
(\(req-KEX-C1 message\). This will reduce one round-trip of messages. ) S
11 -470 M
gsave
0 setgray
newpath
11.0 -469.951233 2.75 0 360 arc
closepath
fill
grestore
22 -473.6 M
0.099724263 0 32 0 0 (\(case B\) If both the client and the server previously shared a session secret associated with a valid) A
22 -486.8 M
1.46664667 0 32 0 0 (session identifier \(sid\), the client MAY directly send a req-VFY-C message using the existing) A
22 -500 M
1.87076819 0 32 0 0 (session identifier and corresponding session secret. This will further reduce one round-trip of) A
22 -513.2 M
(messages. ) S
22 -526.4 M
0.028645834 0 32 0 0 (In such cases, the server MAY have thrown out the corresponding sessions from the session table.) A
22 -539.6 M
0.558854163 0 32 0 0 (In this case, the server will respond with a 401-STALE message, indicating a new key exchange) A
22 -552.8 M
(is required. The client SHOULD retry constructing a req-KEX-C1 message in this case. ) S
0 -577 M
gsave
newpath
0 -578.1 M
36.9609375 0 RL
stroke
grestore
6.4268465 0 32 0 0 (Figure\2402) A
[/Rect [-1.0 -579.731323 37.9609375 -567.631348] /Subtype /Link /Border [0 0 0] /Dest /35 /ANN pdfmark
6.4268465 0 32 0 0 ( depicts the shortcut flows described above. Under the appropriate settings and) A
0 -590.2 M
0.0473632812 0 32 0 0 (implementations, most of the requests to resources are expected to meet both the criteria, and thus only) A
0 -603.4 M
(one round-trip of request/responses will be required in most cases. ) S
0 -614.4 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -625.4 M
[/View [/XYZ -4 131.618652 null] /Dest /35 /DEST pdfmark
0 -636.2 M
%%IncludeResource: font Courier
9.0 4 Nf
(    \(A\) omit first request) S
0 -647 M
(       \(2 round trips\)) S
0 -668.6 M
(     Client            Server) S
0 -668.6 M
gsave
0 setgray
219.9 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 9 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 10 10
%%PageResources: font Times-Roman Times-Bold Courier Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -10.8 M
%%IncludeResource: font Courier
9.0 4 Nf
(     |                      |) S
0 -21.6 M
9.0 4 Nf
(     | --- req-KEX-C1 ----> |) S
0 -32.4 M
(     |                      |) S
0 -43.2 M
(     | <---- 401-KEX-S1 --- |) S
0 -54 M
(     |                      |) S
0 -64.8 M
(     | ---- req-VFY-C ----> |) S
0 -75.6 M
(     |                      |) S
0 -86.4 M
(     | <----- 200-VFY-S --- |) S
0 -97.2 M
(     |                      |) S
0 -129.6 M
(    \(B\) reusing session secret) S
0 -151.2 M
(      \(B-1\) key available        \(B-2\) key expired) S
0 -162 M
(              \(1 round trip\)             \(3 round trips\)) S
0 -183.6 M
(     Client            Server   Client              Server) S
0 -194.4 M
(     |                      |   |                        |) S
0 -205.2 M
(     | ---- req-VFY-C ----> |   | --- req-VFY-C -------> |) S
0 -216 M
(     |                      |   |                        |) S
0 -226.8 M
(     | <----- 200-VFY-S --- |   | <------- 401-STALE --- |) S
0 -237.6 M
(     |                      |   |                        |) S
0 -248.4 M
(                                | --- req-KEX-C1 ------> |) S
0 -259.2 M
(                                |                        |) S
0 -270 M
(                                | <------ 401-KEX-S1 --- |) S
0 -280.8 M
(                                |                        |) S
0 -291.6 M
(                                | --- req-VFY-C -------> |) S
0 -302.4 M
(                                |                        |) S
0 -313.2 M
(                                | <------- 200-VFY-S --- |) S
0 -324 M
(                                |                        |) S
149.6 -346.9 M
%%IncludeResource: font Times-Bold
7.63889 2 Nf
(\240Figure\2402: Several alternative flows on ) S
(protocol\240) S
0 -360.8 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -385 M
%%IncludeResource: font Times-Roman
11 0 Nf
(For more details, see Sections ) S
gsave
newpath
134.4 -386.1 M
5.5 0 RL
stroke
grestore
(9) S
[/Rect [133.386719 -387.798584 140.886719 -375.698578] /Subtype /Link /Border [0 0 0] /Dest /70 /ANN pdfmark
( and ) S
gsave
newpath
161.3 -386.1 M
11.0 0 RL
stroke
grestore
(10) S
[/Rect [160.269531 -387.798584 173.269531 -375.698578] /Subtype /Link /Border [0 0 0] /Dest /73 /ANN pdfmark
(. ) S
0 -396 M
[/View [/XYZ -4 360.951416 null] /Dest /36 /DEST pdfmark
0 -396 M
[/View [/XYZ -4 360.951416 null] /Dest /37 /DEST pdfmark
0 -415 M
15 2 Nf
(3.) S
[/View [/XYZ -4 359.951416 null] /Dest /182 /DEST pdfmark
( Message ) S
(Syntax) S
0 -439.2 M
11 0 Nf
0.806490362 0 32 0 0 (Throughout this specification, the syntax is denoted in the extended augmented BNF syntax defined) A
0 -452.4 M
5.54730892 0 32 0 0 (in ) A
gsave
newpath
16.9 -453.5 M
138.335938 0 RL
stroke
grestore
5.54730892 0 32 0 0 ([I-D.ietf-httpbis-p1-messaging]) A
[/Rect [15.8515625 -455.198608 156.1875 -443.098602] /Subtype /Link /Border [0 0 0] /Dest /104 /ANN pdfmark
5.54730892 0 32 0 0 ( and ) A
gsave
newpath
187.7 -453.5 M
50.1054688 0 RL
stroke
grestore
5.54730892 0 32 0 0 ([RFC5234]) A
[/Rect [186.664062 -455.198608 238.769531 -443.098602] /Subtype /Link /Border [0 0 0] /Dest /111 /ANN pdfmark
5.54730892 0 32 0 0 (. The following elements are quoted from ) A
0 -465.6 M
gsave
newpath
0 -466.7 M
50.1054688 0 RL
stroke
grestore
4.91210938 0 32 0 0 ([RFC5234]) A
[/Rect [-1.0 -468.398621 51.1054688 -456.298615] /Subtype /Link /Border [0 0 0] /Dest /111 /ANN pdfmark
4.91210938 0 32 0 0 (, ) A
gsave
newpath
60.5 -466.7 M
138.335938 0 RL
stroke
grestore
4.91210938 0 32 0 0 ([I-D.ietf-httpbis-p1-messaging]) A
[/Rect [59.515625 -468.398621 199.851562 -456.298615] /Subtype /Link /Border [0 0 0] /Dest /104 /ANN pdfmark
4.91210938 0 32 0 0 ( and ) A
gsave
newpath
230.1 -466.7 M
110.84375 0 RL
stroke
grestore
4.91210938 0 32 0 0 ([I-D.ietf-httpbis-p7-auth]) A
[/Rect [229.054688 -468.398621 341.898438 -456.298615] /Subtype /Link /Border [0 0 0] /Dest /105 /ANN pdfmark
4.91210938 0 32 0 0 (: DIGIT, ALPHA, SP,) A
0 -478.8 M
(auth-scheme, quoted-string, auth-param, header-field, token, challenge, and ) S
(credential.) S
0 -503 M
0.708451688 0 32 0 0 (The Mutual authentication protocol uses three headers: WWW-Authenticate \(in responses with status) A
0 -516.2 M
1.15722656 0 32 0 0 (code 401\), Authorization \(in requests\), and Authentication-Info \(in responses other than 401 status\).) A
0 -529.4 M
3.01210928 0 32 0 0 (These headers follow a common framework described in ) A
gsave
newpath
277 -530.5 M
110.84375 0 RL
stroke
grestore
3.01210928 0 32 0 0 ([I-D.ietf-httpbis-p7-auth]) A
[/Rect [275.964844 -532.198669 388.808594 -520.098694] /Subtype /Link /Border [0 0 0] /Dest /105 /ANN pdfmark
3.01210928 0 32 0 0 (. The detailed) A
0 -542.6 M
(meanings for these headers are contained in ) S
gsave
newpath
195.1 -543.7 M
41.2382812 0 RL
stroke
grestore
(Section\2404) S
[/Rect [194.144531 -545.398682 237.382812 -533.298706] /Subtype /Link /Border [0 0 0] /Dest /48 /ANN pdfmark
(. ) S
0 -566.8 M
1.70039058 0 32 0 0 (The framework in ) A
gsave
newpath
87.2 -567.9 M
110.84375 0 RL
stroke
grestore
1.70039058 0 32 0 0 ([I-D.ietf-httpbis-p7-auth]) A
[/Rect [86.2460938 -569.598694 199.089844 -557.498718] /Subtype /Link /Border [0 0 0] /Dest /105 /ANN pdfmark
1.70039058 0 32 0 0 ( defines the syntax for the headers WWW-Authenticate) A
0 -580 M
5.98007822 0 32 0 0 (and Authorization as the syntax elements "challenge" and "credentials", respectively. The) A
0 -593.2 M
0.879261374 0 32 0 0 ("auth-scheme" contained in those headers MUST be "Mutual" throughout this protocol specification.) A
0 -606.4 M
1.36077011 0 32 0 0 (The syntax for "challenge" and "credentials" to be used with the "Mutual" auth-scheme SHALL be) A
0 -619.6 M
(name-value pairs \(#auth-param\), not the "b64token" defined in ) S
gsave
newpath
279.3 -620.7 M
110.84375 0 RL
stroke
grestore
([I-D.ietf-httpbis-p7-auth]) S
[/Rect [278.257812 -622.398743 391.101562 -610.298767] /Subtype /Link /Border [0 0 0] /Dest /105 /ANN pdfmark
(. ) S
0 -630.6 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 10 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 11 11
%%PageResources: font Times-Roman Times-Bold Courier Courier-Oblique Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.66741073 0 32 0 0 (The Authentication-Info: header used in this protocol SHALL contain the value in same syntax as) A
0 -26.4 M
(that of the "WWW-Authenticate" header, i.e. the "challenge" syntax element. ) S
0 -50.6 M
5.98366499 0 32 0 0 (In HTTP, the WWW-Authenticate header may contain more than one challenge. Client) A
0 -63.8 M
(implementations SHOULD be aware of and be capable of handling those cases correctly. ) S
0 -74.8 M
[/View [/XYZ -4 682.2 null] /Dest /38 /DEST pdfmark
0 -74.8 M
[/View [/XYZ -4 682.2 null] /Dest /39 /DEST pdfmark
0 -90.4 M
%%IncludeResource: font Times-Bold
13 2 Nf
(3.1.) S
[/View [/XYZ -4 682.2 null] /Dest /183 /DEST pdfmark
( ) S
(Values) S
0 -114.6 M
11 0 Nf
1.18489587 0 32 0 0 (The parameter values contained in challenge/credentials MUST be parsed strictly conforming to the) A
0 -127.8 M
0.739483178 0 32 0 0 (HTTP semantics \(especially un-quoting of the string parameter values\). In this protocol, those values) A
0 -141 M
0.370768219 0 32 0 0 (are further categorized into the following value types: tokens \(bare-token and extensive-token\), string,) A
0 -154.2 M
(integer, hex-fixed-number, and ) S
(base64-fixed-number.) S
0 -178.4 M
2.53417969 0 32 0 0 (For clarity, implementations are encouraged to use the canonical representations specified in the) A
0 -191.6 M
2.45205975 0 32 0 0 (following subsections for sending values. Recipients SHOULD accept both quoted and unquoted) A
0 -204.8 M
(representations interchangeably as specified in ) S
(HTTP.) S
0 -215.8 M
[/View [/XYZ -4 541.2 null] /Dest /40 /DEST pdfmark
0 -215.8 M
[/View [/XYZ -4 541.2 null] /Dest /41 /DEST pdfmark
0 -231.4 M
13 2 Nf
(3.1.1.) S
[/View [/XYZ -4 541.2 null] /Dest /184 /DEST pdfmark
( ) S
(Tokens) S
0 -255.6 M
11 0 Nf
3.21623874 0 32 0 0 (For sustaining both security and extensibility at the same time, this protocol defines a stricter) A
0 -268.8 M
1.90324521 0 32 0 0 (sub-syntax for the "token" to be used. The extensive-token values SHOULD follow the following) A
0 -282 M
(syntax \(after HTTP value parsing\): ) S
0 -293 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -304 M
[/View [/XYZ -4 453.0 null] /Dest /42 /DEST pdfmark
0 -314.8 M
%%IncludeResource: font Courier
9.0 4 Nf
( ) S
%%IncludeResource: font Courier-Oblique
9.0 5 Nf
(bare-token) S
9.0 4 Nf
(       = 1*\() S
9.0 5 Nf
(DIGIT) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(ALPHA) S
9.0 4 Nf
( / "-" / "_"\)) S
0 -325.6 M
9.0 4 Nf
( ) S
9.0 5 Nf
(extension-token) S
9.0 4 Nf
(  = "-" ) S
9.0 5 Nf
(bare-token) S
9.0 4 Nf
( 1*\("." ) S
9.0 5 Nf
(bare-token) S
9.0 4 Nf
(\)) S
0 -336.4 M
9.0 4 Nf
( ) S
9.0 5 Nf
(extensive-token) S
9.0 4 Nf
(  = ) S
9.0 5 Nf
(bare-token) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(extension-token) S
163 -359.3 M
7.63889 2 Nf
(\240Figure\2403: BNF syntax for token ) S
(values\240) S
0 -373.2 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -397.4 M
11 0 Nf
1.79459631 0 32 0 0 (The tokens \(bare-token and extension-token\) are case insensitive; Senders SHOULD send these in) A
0 -410.6 M
2.85787249 0 32 0 0 (lower-case, and receivers MUST accept both upper- and lower-cases. When tokens are used as) A
0 -423.8 M
(\(partial\) inputs to any hash or other mathematical functions, they MUST always be used in lower-case. ) S
0 -448 M
4.59314919 0 32 0 0 (Extensive-tokens are used in this protocol where the set of acceptable tokens may include) A
0 -461.2 M
6.2718749 0 32 0 0 (non-standard extensions. Any non-standard extensions of this protocol SHOULD use the) A
0 -474.4 M
1.95800781 0 32 0 0 (extension-tokens with format "-<bare-token>.<domain-name>", where <domain-name> is a validly) A
0 -487.6 M
(registered \(sub-\)domain name on the Internet owned by the party who defines the extensions. ) S
0 -511.8 M
0.296596 0 32 0 0 (Bare-tokens and extensive-tokens are also used for parameter names \(of course in the unquoted form\).) A
0 -525 M
(Requirements for using the extension-token for the parameter names are the same as the ) S
(above.) S
0 -549.2 M
(The canonical format for bare-tokens and tokens is unquoted ) S
(tokens.) S
0 -560.2 M
[/View [/XYZ -4 196.751343 null] /Dest /43 /DEST pdfmark
0 -560.2 M
[/View [/XYZ -4 196.751343 null] /Dest /44 /DEST pdfmark
0 -575.8 M
13 2 Nf
(3.1.2.) S
[/View [/XYZ -4 196.751343 null] /Dest /185 /DEST pdfmark
( ) S
(Strings) S
0 -600 M
11 0 Nf
2.47836542 0 32 0 0 (All character strings outside ASCII character sets MUST be encoded using the ) A
gsave
newpath
378.5 -601.1 M
35.1619606 0 RL
stroke
grestore
2.47836542 0 32 0 0 (UTF-8 ) A
gsave
newpath
413.7 -601.1 M
40.3203125 0 RL
stroke
grestore
2.47836542 0 32 0 0 (encoding) A
[/Rect [377.496094 -602.798645 454.976562 -590.698669] /Subtype /Link /Border [0 0 0] /Dest /108 /ANN pdfmark
0 -613.2 M
3.7858665 0 32 0 0 ([RFC3629] for the ) A
gsave
newpath
96 -614.3 M
114.27166 0 RL
stroke
grestore
3.7858665 0 32 0 0 (ISO 10646-1 character ) A
gsave
newpath
210.2 -614.3 M
12.2148438 0 RL
stroke
grestore
3.7858665 0 32 0 0 (set) A
[/Rect [94.96875 -615.998657 223.453125 -603.898682] /Subtype /Link /Border [0 0 0] /Dest /117 /ANN pdfmark
3.7858665 0 32 0 0 ( [ISO.10646-1.1993], without any leading BOM) A
0 -626.4 M
0.481670678 0 32 0 0 (characters. Both peers are RECOMMENDED to reject any invalid UTF-8 sequences that might cause) A
0 -639.6 M
3.49302459 0 32 0 0 (decoding ambiguities \(e.g., containing <"> in the second or later byte of the UTF-8 encoded) A
0 -652.8 M
(characters\). ) S
0 -652.8 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 11 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 12 12
%%PageResources: font Times-Roman Times-Bold Courier Courier-Oblique Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.0703125 0 32 0 0 (If strings are representing a domain name or URI that contains non-ASCII characters, the host parts) A
0 -26.4 M
0.763327181 0 32 0 0 (SHOULD be encoded as it is used in the HTTP protocol layer \(e.g.\240in a Host: header\); under current) A
0 -39.6 M
(standards it will be the one defined in ) S
gsave
newpath
168 -40.7 M
50.1054688 0 RL
stroke
grestore
([RFC5890]) S
[/Rect [166.988281 -42.3500023 219.09375 -30.2500019] /Subtype /Link /Border [0 0 0] /Dest /127 /ANN pdfmark
(. It SHOULD use lower-case ASCII characters. ) S
0 -63.8 M
(The canonical format for strings is ) S
(quoted-string.) S
0 -74.8 M
[/View [/XYZ -4 682.2 null] /Dest /45 /DEST pdfmark
0 -74.8 M
[/View [/XYZ -4 682.2 null] /Dest /46 /DEST pdfmark
0 -90.4 M
%%IncludeResource: font Times-Bold
13 2 Nf
(3.1.3.) S
[/View [/XYZ -4 682.2 null] /Dest /186 /DEST pdfmark
( ) S
(Numbers) S
0 -114.6 M
11 0 Nf
(The following syntax definitions give a syntax for number-type ) S
(values:) S
0 -125.6 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -136.6 M
[/View [/XYZ -4 620.4 null] /Dest /47 /DEST pdfmark
0 -147.4 M
%%IncludeResource: font Courier
9.0 4 Nf
( ) S
%%IncludeResource: font Courier-Oblique
9.0 5 Nf
(integer) S
9.0 4 Nf
(          = "0" / \(%x31-39 *) S
9.0 5 Nf
(DIGIT) S
9.0 4 Nf
(\)      ) S
9.0 5 Nf
(; no leading zeros) S
0 -158.2 M
9.0 4 Nf
( ) S
9.0 5 Nf
(hex-fixed-number) S
9.0 4 Nf
( = 1*\(2\() S
9.0 5 Nf
(DIGIT) S
9.0 4 Nf
( / %x41-46 / %x61-66\)\)) S
0 -169 M
9.0 4 Nf
( ) S
9.0 5 Nf
(base64-fixed-number) S
9.0 4 Nf
( = 1*\( ) S
9.0 5 Nf
(ALPHA) S
9.0 4 Nf
( / ) S
9.0 5 Nf
(DIGIT) S
9.0 4 Nf
( /) S
0 -179.8 M
(                        "-" / "." / "_" / "~" / "+" / "/" \) *"=") S
160.8 -202.7 M
7.63889 2 Nf
(\240Figure\2404: BNF syntax for number ) S
(types\240) S
0 -216.6 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -240.8 M
11 0 Nf
1.88560271 0 32 0 0 (The syntax definition of the integers only allows representations that do not contain extra leading) A
0 -254 M
(zeros. ) S
0 -278.2 M
1.58864188 0 32 0 0 (The numbers represented as a hex-fixed-number MUST include an even number of characters \(i.e.) A
0 -291.4 M
0.469029 0 32 0 0 (multiples of eight bits\). Those values are case-insensitive, and SHOULD be sent in lower-case. When) A
0 -304.6 M
0.591947138 0 32 0 0 (these values are generated from any cryptographic values, they SHOULD have their "natural length":) A
0 -317.8 M
1.36547852 0 32 0 0 (if these are generated from a hash function, these lengths SHOULD correspond to the hash size; if) A
0 -331 M
0.540625 0 32 0 0 (these are representing elements of a mathematical set \(or group\), its lengths SHOULD be the shortest) A
0 -344.2 M
0.241727948 0 32 0 0 (for representing all the elements in the set. For example, any results of SHA-256 hash function will be) A
0 -357.4 M
1.38560271 0 32 0 0 (represented by 64 characters, and any elements in 2048-bit prime field \(modulo a 2048-bit integer\)) A
0 -370.6 M
1.62706804 0 32 0 0 (will be represented by 512 characters, regardless of how many 0's will appear in front of such) A
0 -383.8 M
1.20849609 0 32 0 0 (representations. Session-identifiers and other non-cryptographically generated values are represented) A
0 -397 M
0.024522569 0 32 0 0 (in any \(even\) length determined by the side who generates it first, and the same length SHALL be used) A
0 -410.2 M
(throughout all the communications by both peers. ) S
0 -434.4 M
0.0600961521 0 32 0 0 (The numbers represented as base64-fixed-number SHALL be generated as follows: first, the number is) A
0 -447.6 M
3.04352689 0 32 0 0 (converted to a big-endian radix-256 binary representation as an octet string. The length of the) A
0 -460.8 M
0.965625 0 32 0 0 (representation is determined in the same way as mentioned above. Then, the string is encoded using ) A
0 -474 M
gsave
newpath
0 -475.1 M
64.2542572 0 RL
stroke
grestore
3.39595175 0 32 0 0 (the Base 64 ) A
gsave
newpath
64.2 -475.1 M
40.3203125 0 RL
stroke
grestore
3.39595175 0 32 0 0 (encoding) A
[/Rect [-1.0 -476.798828 105.570312 -464.698822] /Subtype /Link /Border [0 0 0] /Dest /110 /ANN pdfmark
3.39595175 0 32 0 0 ( [RFC4648] without any spaces and newlines. Implementations decoding) A
0 -487.2 M
3.34548616 0 32 0 0 (base64-fixed-number SHOULD reject any input data with invalid characters, excess/insufficient) A
0 -500.4 M
(paddings, or non-canonical pad bits \(See Sections 3.1 to 3.5 of ) S
gsave
newpath
278 -501.5 M
50.1054688 0 RL
stroke
grestore
([RFC4648]) S
[/Rect [276.964844 -503.198853 329.070312 -491.098846] /Subtype /Link /Border [0 0 0] /Dest /110 /ANN pdfmark
(\). ) S
0 -524.6 M
5.2320962 0 32 0 0 (The canonical format for integer and hex-fixed-number are unquoted tokens, and that for) A
0 -537.8 M
(base64-fixed-number is ) S
(quoted-string.) S
0 -548.8 M
[/View [/XYZ -4 208.151123 null] /Dest /48 /DEST pdfmark
0 -548.8 M
[/View [/XYZ -4 208.151123 null] /Dest /49 /DEST pdfmark
0 -567.8 M
15 2 Nf
(4.) S
[/View [/XYZ -4 207.151123 null] /Dest /187 /DEST pdfmark
( ) S
(Messages) S
0 -592 M
11 0 Nf
0.961914062 0 32 0 0 (In this section we define the seven kinds of messages used in the authentication protocol along with) A
0 -605.2 M
(the formats and requirements of the headers for each message. ) S
0 -629.4 M
(To determine which message are expected to be sent, see Sections ) S
gsave
newpath
293.8 -630.5 M
5.5 0 RL
stroke
grestore
(9) S
[/Rect [292.800781 -632.198914 300.300781 -620.098938] /Subtype /Link /Border [0 0 0] /Dest /70 /ANN pdfmark
( and ) S
gsave
newpath
320.7 -630.5 M
11.0 0 RL
stroke
grestore
(10) S
[/Rect [319.683594 -632.198914 332.683594 -620.098938] /Subtype /Link /Border [0 0 0] /Dest /73 /ANN pdfmark
(.) S
0 -629.4 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 12 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 13 13
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
2.9432292 0 32 0 0 (In the descriptions below, the type of allowable values for each header parameter is shown in) A
0 -26.4 M
1.64737213 0 32 0 0 (parenthesis after each parameter name. The "algorithm-determined" type means that the acceptable) A
0 -39.6 M
0.506167769 0 32 0 0 (value for the parameter is one of the types defined in ) A
gsave
newpath
240.4 -40.7 M
41.2382812 0 RL
stroke
grestore
0.506167769 0 32 0 0 (Section\2403) A
[/Rect [239.394531 -42.3500023 282.632812 -30.2500019] /Subtype /Link /Border [0 0 0] /Dest /36 /ANN pdfmark
0.506167769 0 32 0 0 (, and is determined by the value of the) A
0 -52.8 M
0.0465494804 0 32 0 0 ("algorithm" parameter. The parameters marked "mandatory" SHALL be contained in the message. The) A
0 -66 M
2.75292969 0 32 0 0 (parameters marked "non-mandatory" MAY either be contained or omitted in the message. Each) A
0 -79.2 M
(parameter SHALL appear in each header at most once. ) S
0 -103.4 M
0.927884638 0 32 0 0 (All credentials and challenges MAY contain any parameters not explicitly specified in the following) A
0 -116.6 M
0.14993991 0 32 0 0 (sections. Recipients who do not understand such parameters MUST silently ignore those. However, all) A
0 -129.8 M
(credentials and challenges MUST meet the following ) S
(criteria:) S
11 -150.4 M
gsave
0 setgray
newpath
11.0 -150.37 2.75 0 360 arc
closepath
fill
grestore
22 -154 M
0.453683048 0 32 0 0 (For responses, the parameters "reason", any "ks*" \(where * stands for any decimal integers\), and) A
22 -167.2 M
0.408854157 0 32 0 0 ("vks" are mutually exclusive: any challenge MUST\240NOT contain two or more parameters among) A
22 -180.4 M
(them. They MUST\240NOT contain any "kc*" and "vkc" parameters. ) S
11 -191 M
gsave
0 setgray
newpath
11.0 -190.969986 2.75 0 360 arc
closepath
fill
grestore
22 -194.6 M
2.22154021 0 32 0 0 (For requests, the parameters "kc*" \(where * stands for any decimal integers\), and "vkc" are) A
22 -207.8 M
0.417317718 0 32 0 0 (mutually exclusive and any challenge MUST\240NOT contain two or more parameters among them.) A
22 -221 M
(They MUST\240NOT contain any "ks*" and "vks" parameters. ) S
0 -232 M
[/View [/XYZ -4 525.0 null] /Dest /50 /DEST pdfmark
0 -232 M
[/View [/XYZ -4 525.0 null] /Dest /51 /DEST pdfmark
0 -247.6 M
%%IncludeResource: font Times-Bold
13 2 Nf
(4.1.) S
[/View [/XYZ -4 525.0 null] /Dest /188 /DEST pdfmark
( 401-INIT and ) S
(401-STALE) S
0 -271.8 M
11 0 Nf
3.64950275 0 32 0 0 (Every 401-INIT or 401-STALE message SHALL be a valid HTTP 401-status \(Authentication) A
0 -285 M
9.42226601 0 32 0 0 (Required\) message containing one \(and only one: hereafter not explicitly noticed\)) A
0 -298.2 M
3.81523442 0 32 0 0 ("WWW-Authenticate" header containing a "reason" parameter in the challenge. The challenge) A
0 -311.4 M
1.52974761 0 32 0 0 (SHALL contain all of the parameters marked "mandatory" below, and MAY contain those marked) A
0 -324.6 M
("non-mandatory". ) S
11 -348.8 M
(version: ) S
33 -362 M
3.60546875 0 32 0 0 (\(mandatory extensive-token\) should be the token "-draft11" in this specification. The) A
33 -375.2 M
(behavior is undefined when other values are specified. ) S
11 -388.4 M
(algorithm: ) S
33 -401.6 M
1.87656248 0 32 0 0 (\(mandatory extensive-token\) specifies the authentication algorithm to be used. The value) A
33 -414.8 M
5.11406231 0 32 0 0 (MUST be one of the tokens specified in ) A
gsave
newpath
252.3 -415.9 M
143.222656 0 RL
stroke
grestore
5.11406231 0 32 0 0 ([I-D.oiwa-http-mutualauth-algo]) A
[/Rect [251.285156 -417.55011 396.507812 -405.450104] /Subtype /Link /Border [0 0 0] /Dest /116 /ANN pdfmark
5.11406231 0 32 0 0 ( or other) A
33 -428 M
(supplemental specification documentation. ) S
11 -441.2 M
(validation: ) S
33 -454.4 M
1.34339488 0 32 0 0 (\(mandatory extensive-token\) specifies the method of host validation. The value MUST be) A
33 -467.6 M
2.42818499 0 32 0 0 (one of the tokens described in ) A
gsave
newpath
181.9 -468.7 M
41.2382812 0 RL
stroke
grestore
2.42818499 0 32 0 0 (Section\2407) A
[/Rect [180.945312 -470.350159 224.183594 -458.250153] /Subtype /Link /Border [0 0 0] /Dest /66 /ANN pdfmark
2.42818499 0 32 0 0 (, or the tokens specified in other supplemental) A
33 -480.8 M
(specification documentation. ) S
11 -494 M
(auth-domain: ) S
33 -507.2 M
1.41015625 0 32 0 0 (\(non-mandatory string\) specifies the authentication domain, the set of hosts for which the) A
33 -520.4 M
0.424107134 0 32 0 0 (authentication credentials are valid. It MUST be one of the strings described in ) A
gsave
newpath
388.5 -521.5 M
41.2382812 0 RL
stroke
grestore
0.424107134 0 32 0 0 (Section\2405) A
[/Rect [387.488281 -523.150208 430.726562 -511.050201] /Subtype /Link /Border [0 0 0] /Dest /60 /ANN pdfmark
0.424107134 0 32 0 0 (. If) A
33 -533.6 M
(the value is omitted, it is assumed to be the "single-port" type domain in ) S
gsave
newpath
353.2 -534.7 M
41.2382812 0 RL
stroke
grestore
(Section\2405) S
[/Rect [352.230469 -536.35022 395.46875 -524.250244] /Subtype /Link /Border [0 0 0] /Dest /60 /ANN pdfmark
(. ) S
11 -546.8 M
(realm: ) S
33 -560 M
1.43652344 0 32 0 0 (\(mandatory string\) is a UTF-8 encoded string representing the name of the authentication) A
33 -573.2 M
0.594140649 0 32 0 0 (realm inside the authentication domain. As specified in ) A
gsave
newpath
283 -574.3 M
110.84375 0 RL
stroke
grestore
0.594140649 0 32 0 0 ([I-D.ietf-httpbis-p7-auth]) A
[/Rect [282.007812 -575.950256 394.851562 -563.850281] /Subtype /Link /Border [0 0 0] /Dest /105 /ANN pdfmark
0.594140649 0 32 0 0 (, this value) A
33 -586.4 M
(MUST always be sent in the quoted-string form. ) S
11 -599.6 M
(pwd-hash: ) S
33 -612.8 M
1.1789062 0 32 0 0 (\(non-mandatory extensive-token\) specifies the hash algorithm \(hereafter referred to by ph\)) A
33 -626 M
(used for additionally hashing the password. The valid tokens are ) S
44 -636.6 M
gsave
0 setgray
newpath
44.0 -636.570312 2.75 0 360 arc
closepath
fill
grestore
55 -640.2 M
(none: ph\(p\) = p ) S
44 -650.8 M
gsave
0 setgray
newpath
44.0 -650.770325 2.75 0 360 arc
closepath
fill
grestore
55 -654.4 M
(md5: ph\(p\) = MD5\(p\) ) S
44 -665 M
gsave
0 setgray
newpath
44.0 -664.970337 2.75 0 360 arc
closepath
fill
grestore
55 -668.6 M
0.602050781 0 32 0 0 (digest-md5: ph\(p\) = MD5\(username | ":" | realm | ":" | p\), the same value as MD5\(A1\)) A
55 -668.6 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 13 -) S
0 setgray
110 -8 M
grestore
pgsave restore N
%%Page: 14 14
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
55 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(for "MD5" algorithm in ) S
gsave
newpath
162.3 -14.3 M
50.1054688 0 RL
stroke
grestore
([RFC2617]) S
[/Rect [161.324219 -15.9500008 213.429688 -3.85000038] /Subtype /Link /Border [0 0 0] /Dest /121 /ANN pdfmark
(. ) S
44 -23.8 M
gsave
0 setgray
newpath
44.0 -23.77 2.75 0 360 arc
closepath
fill
grestore
55 -27.4 M
11 0 Nf
(sha1: ph\(p\) = ) S
(SHA1\(p\)) S
33 -40.6 M
(If omitted, the value "none" is assumed. The use of "none" is recommended. ) S
11 -53.8 M
(reason: ) S
33 -67 M
2.01649308 0 32 0 0 (\(mandatory extensive-token\) SHALL be an extensive-token which describes the possible) A
33 -80.2 M
5.58029509 0 32 0 0 (reason of the failed authentication/authorization. Both servers and clients SHALL) A
33 -93.4 M
(understand and support the following three tokens: ) S
44 -104 M
gsave
0 setgray
newpath
44.0 -103.969994 2.75 0 360 arc
closepath
fill
grestore
55 -107.6 M
1.28320312 0 32 0 0 (initial: authentication was not tried because there was no Authorization header in the) A
55 -120.8 M
(corresponding request. ) S
44 -131.4 M
gsave
0 setgray
newpath
44.0 -131.37 2.75 0 360 arc
closepath
fill
grestore
55 -135 M
0.923270106 0 32 0 0 (stale-session: the provided sid in the request was either unknown to or expired in the) A
55 -148.2 M
(server. ) S
44 -158.8 M
gsave
0 setgray
newpath
44.0 -158.769989 2.75 0 360 arc
closepath
fill
grestore
55 -162.4 M
3.45348 0 32 0 0 (auth-failed: the authentication trial failed for some reason, possibly due to bad) A
55 -175.6 M
(authentication ) S
(credentials.) S
33 -188.8 M
0.13125 0 32 0 0 (Implementations MAY support the following tokens or any extensive-tokens defined outside) A
33 -202 M
0.362680286 0 32 0 0 (this specification. If clients have received any unknown tokens, they SHOULD treat these as) A
33 -215.2 M
(if they were "auth-failed" or "initial". ) S
44 -225.8 M
gsave
0 setgray
newpath
44.0 -225.769974 2.75 0 360 arc
closepath
fill
grestore
55 -229.4 M
0.630642354 0 32 0 0 (reauth-needed: server-side application requires a new authentication trial, regardless of) A
55 -242.6 M
(the current status. ) S
44 -253.2 M
gsave
0 setgray
newpath
44.0 -253.169968 2.75 0 360 arc
closepath
fill
grestore
55 -256.8 M
1.23671877 0 32 0 0 (invalid-parameters: authentication was not even tried in the server-side because some) A
55 -270 M
(parameters are not acceptable. ) S
44 -280.6 M
gsave
0 setgray
newpath
44.0 -280.569977 2.75 0 360 arc
closepath
fill
grestore
55 -284.2 M
0.115559898 0 32 0 0 (internal-error: authentication was not even tried in the server-side because there is some) A
55 -297.4 M
(trouble on the server-side. ) S
44 -308 M
gsave
0 setgray
newpath
44.0 -307.97 2.75 0 360 arc
closepath
fill
grestore
55 -311.6 M
0.7890625 0 32 0 0 (user-unknown: a special case of auth-failed, suggesting that the provided user-name is) A
55 -324.8 M
0.284765631 0 32 0 0 (invalid. The use of this parameter is NOT\240RECOMMENDED for security implications,) A
55 -338 M
(except for special-purpose applications for which this value makes sense. ) S
44 -348.6 M
gsave
0 setgray
newpath
44.0 -348.570038 2.75 0 360 arc
closepath
fill
grestore
55 -352.2 M
4.96614599 0 32 0 0 (invalid-credential: ditto, suggesting that the provided user-name was valid but) A
55 -365.4 M
0.759943187 0 32 0 0 (authentication has failed. The use of this parameter is NOT\240RECOMMENDED for the) A
55 -378.6 M
(same reason as above. ) S
44 -389.2 M
gsave
0 setgray
newpath
44.0 -389.170074 2.75 0 360 arc
closepath
fill
grestore
55 -392.8 M
1.12428975 0 32 0 0 (authz-failed: authentication was successful, but access to the specified resource is not) A
55 -406 M
0.801432312 0 32 0 0 (authorized to the specific authenticated user. \(It is different from 403 responses which) A
55 -419.2 M
(suggest that the reason of inaccessibility is other than ) S
(authentication.\)) S
0 -443.4 M
0.172135413 0 32 0 0 (The algorithm specified in this header will determine the types \(among those defined in ) A
gsave
newpath
390.3 -444.5 M
41.2382812 0 RL
stroke
grestore
0.172135413 0 32 0 0 (Section\2403) A
[/Rect [389.292969 -446.150116 432.53125 -434.05011] /Subtype /Link /Border [0 0 0] /Dest /36 /ANN pdfmark
0.172135413 0 32 0 0 (\) and) A
0 -456.6 M
11 0 Nf
(the values for ) S
(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(, ) S
(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(, ) S
(VK) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( and ) S
(VK) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(. ) S
0.0 -2.2 RM
0 -483 M
2.94050479 0 32 0 0 (Among these messages, those with the reason parameter of value "stale-session" will be called) A
0 -496.2 M
3.44108081 0 32 0 0 ("401-STALE" messages hereafter, because these have a special meaning in the protocol flow.) A
0 -509.4 M
(Messages with any other reason parameters will be called "401-INIT" messages. ) S
0 -520.4 M
[/View [/XYZ -4 236.599854 null] /Dest /52 /DEST pdfmark
0 -520.4 M
[/View [/XYZ -4 236.599854 null] /Dest /53 /DEST pdfmark
0 -536 M
%%IncludeResource: font Times-Bold
13 2 Nf
(4.2.) S
[/View [/XYZ -4 236.599854 null] /Dest /189 /DEST pdfmark
( ) S
(req-KEX-C1) S
0 -560.2 M
11 0 Nf
0.384440094 0 32 0 0 (Every req-KEX-C1 message SHALL be a valid HTTP request message containing an "Authorization") A
0 -573.4 M
(header with a credential containing a "kc1" parameter. ) S
0 -597.6 M
(The credential SHALL contain the parameters with the following names: ) S
11 -621.8 M
(version: ) S
33 -635 M
3.33046865 0 32 0 0 (\(mandatory, extensive-token\) should be the token "-draft11" in this specification. The) A
33 -648.2 M
(behavior is undefined when other values are specified. ) S
33 -648.2 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 14 -) S
0 setgray
22 -8 M
grestore
pgsave restore N
%%Page: 15 15
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
11 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(algorithm, validation, auth-domain, realm: ) S
33 -26.4 M
(MUST be the same value as it is when received from the server. ) S
11 -39.6 M
(user: ) S
33 -52.8 M
0.581542969 0 32 0 0 (\(mandatory, string\) is the UTF-8 encoded name of the user. If this name comes from a user) A
33 -66 M
3.03476572 0 32 0 0 (input, client software SHOULD prepare the string using ) A
gsave
newpath
306.8 -67.1 M
46.4296875 0 RL
stroke
grestore
3.03476572 0 32 0 0 (SASLprep) A
[/Rect [305.78125 -68.75 354.210938 -56.65] /Subtype /Link /Border [0 0 0] /Dest /109 /ANN pdfmark
3.03476572 0 32 0 0 ( [RFC4013] before) A
33 -79.2 M
(encoding it to UTF-8. ) S
11 -92.4 M
(kc1: ) S
33 -105.6 M
11 0 Nf
2.62011719 0 32 0 0 (\(mandatory, algorithm-determined\) is the client-side key exchange value ) A
2.62011719 0 32 0 0 (K) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
2.62011719 0 32 0 0 (c1) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
2.62011719 0 32 0 0 (, which is) A
0.0 -2.2 RM
33 -121 M
(specified by the algorithm that is used. ) S
11 -134.2 M
(rekey-sid: ) S
33 -147.4 M
2.27392578 0 32 0 0 (\(non-mandatory, hex-fixed-number\): reserved for future extensions \(see rekey-method in) A
33 -160.6 M
("200-VFY-S" message\). ) S
0 -171.6 M
[/View [/XYZ -4 585.4 null] /Dest /54 /DEST pdfmark
0 -171.6 M
[/View [/XYZ -4 585.4 null] /Dest /55 /DEST pdfmark
0 -187.2 M
%%IncludeResource: font Times-Bold
13 2 Nf
(4.3.) S
[/View [/XYZ -4 585.4 null] /Dest /190 /DEST pdfmark
( ) S
(401-KEX-S1) S
0 -211.4 M
11 0 Nf
0.484019876 0 32 0 0 (Every 401-KEX-S1 message SHALL be a valid HTTP 401-status \(Authentication Required\) response) A
0 -224.6 M
(message containing a "WWW-Authenticate" header with a challenge containing a "ks1" parameter. ) S
0 -248.8 M
(The challenge SHALL contain the parameters with the following names: ) S
11 -273 M
(version: ) S
33 -286.2 M
3.33046865 0 32 0 0 (\(mandatory, extensive-token\) should be the token "-draft11" in this specification. The) A
33 -299.4 M
(behavior is undefined when other values are specified. ) S
11 -312.6 M
(algorithm, validation, auth-domain, realm: ) S
33 -325.8 M
(MUST be the same value as it is when received from the client. ) S
11 -339 M
(sid: ) S
33 -352.2 M
1.51171875 0 32 0 0 (\(mandatory, hex-fixed-number\) MUST be a session identifier, which is a random integer.) A
33 -365.4 M
0.197753906 0 32 0 0 (The sid SHOULD have uniqueness of at least 80 bits or the square of the maximal estimated) A
33 -378.6 M
1.4016335 0 32 0 0 (transactions concurrently available in the session table, whichever is larger. See ) A
gsave
newpath
401.7 -379.7 M
41.2382812 0 RL
stroke
grestore
1.4016335 0 32 0 0 (Section\2406) A
[/Rect [400.726562 -381.350098 443.964844 -369.250092] /Subtype /Link /Border [0 0 0] /Dest /64 /ANN pdfmark
33 -391.8 M
(for more details. ) S
11 -405 M
(ks1: ) S
33 -418.2 M
11 0 Nf
2.42285156 0 32 0 0 (\(mandatory, algorithm-determined\) is the server-side key exchange value ) A
2.42285156 0 32 0 0 (K) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
2.42285156 0 32 0 0 (s1) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
2.42285156 0 32 0 0 (, which is) A
0.0 -2.2 RM
33 -433.6 M
(specified by the algorithm. ) S
11 -446.8 M
(nc-max: ) S
33 -460 M
(\(mandatory, integer\) is the maximal value of nonce counts that the server accepts. ) S
11 -473.2 M
(nc-window: ) S
33 -486.4 M
1.72716343 0 32 0 0 (\(mandatory, integer\) the number of available nonce slots that the server will accept. The) A
33 -499.6 M
(value of the nc-window parameter is RECOMMENDED to be 32 or more. ) S
11 -512.8 M
(time: ) S
33 -526 M
0.670072138 0 32 0 0 (\(mandatory, integer\) represents the suggested time \(in seconds\) that the client can reuse the) A
33 -539.2 M
1.03662109 0 32 0 0 (session represented by the sid. It is RECOMMENDED to be at least 60. The value of this) A
33 -552.4 M
1.69947922 0 32 0 0 (parameter is not directly linked to the duration that the server keeps track of the session) A
33 -565.6 M
(represented by the sid. ) S
11 -578.8 M
(path: ) S
33 -592 M
1.61425781 0 32 0 0 (\(non-mandatory, string\) specifies which path in the URI space the same authentication is) A
33 -605.2 M
0.565716922 0 32 0 0 (expected to be applied. The value is a space-separated list of URIs, in the same format as it) A
33 -618.4 M
0.189453125 0 32 0 0 (was specified in domain parameter ) A
gsave
newpath
190 -619.5 M
50.1054688 0 RL
stroke
grestore
0.189453125 0 32 0 0 ([RFC2617]) A
[/Rect [188.992188 -621.150269 241.097656 -609.050293] /Subtype /Link /Border [0 0 0] /Dest /121 /ANN pdfmark
0.189453125 0 32 0 0 ( for the Digest authentications, and clients are) A
33 -631.6 M
0.442382812 0 32 0 0 (RECOMMENDED to recognize it. All the path elements contained in the parameter MUST) A
33 -644.8 M
(be inside the specified auth-domain: if not, clients SHOULD ignore such elements. ) S
11 -644.8 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 15 -) S
0 setgray
22 -8 M
grestore
pgsave restore N
%%Page: 16 16
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /56 /DEST pdfmark
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /57 /DEST pdfmark
0 -15.6 M
%%IncludeResource: font Times-Bold
13 2 Nf
(4.4.) S
[/View [/XYZ -4 757.0 null] /Dest /191 /DEST pdfmark
( ) S
(req-VFY-C) S
0 -39.8 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.893229187 0 32 0 0 (Every req-VFY-C message SHALL be a valid HTTP request message containing an "Authorization") A
0 -53 M
(header with a credential containing a "vkc" parameter. ) S
0 -77.2 M
(The parameters contained in the header are as follows: ) S
11 -101.4 M
(version: ) S
33 -114.6 M
3.33046865 0 32 0 0 (\(mandatory, extensive-token\) should be the token "-draft11" in this specification. The) A
33 -127.8 M
(behavior is undefined when other values are specified. ) S
11 -141 M
(algorithm, validation, auth-domain, realm: ) S
33 -154.2 M
(MUST be the same value as it is when received from the server for the session. ) S
11 -167.4 M
(sid: ) S
33 -180.6 M
0.903846145 0 32 0 0 (\(mandatory, hex-fixed-number\) MUST be one of the sid values that was received from the) A
33 -193.8 M
(server for the same authentication realm. ) S
11 -207 M
(nc: ) S
33 -220.2 M
0.10963542 0 32 0 0 (\(mandatory, integer\) is a nonce value that is unique among the requests sharing the same sid.) A
33 -233.4 M
(The values of the nonces SHOULD satisfy the properties outlined in ) S
gsave
newpath
336.9 -234.5 M
41.2382812 0 RL
stroke
grestore
(Section\2406) S
[/Rect [335.90625 -236.149963 379.144531 -224.049957] /Subtype /Link /Border [0 0 0] /Dest /64 /ANN pdfmark
(. ) S
11 -246.6 M
(vkc: ) S
33 -259.8 M
11 0 Nf
0.822021484 0 32 0 0 (\(mandatory, algorithm-determined\) is the client-side authentication verification value ) A
0.822021484 0 32 0 0 (VK) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
0.822021484 0 32 0 0 (c) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
0.822021484 0 32 0 0 (,) A
0.0 -2.2 RM
33 -275.2 M
(which is specified by the algorithm. ) S
0 -286.2 M
[/View [/XYZ -4 470.800018 null] /Dest /58 /DEST pdfmark
0 -286.2 M
[/View [/XYZ -4 470.800018 null] /Dest /59 /DEST pdfmark
0 -301.8 M
13 2 Nf
(4.5.) S
[/View [/XYZ -4 470.800018 null] /Dest /192 /DEST pdfmark
( ) S
(200-VFY-S) S
0 -326 M
11 0 Nf
0.923958361 0 32 0 0 (Every 200-VFY-S message SHALL be a valid HTTP message that is not of the 401 \(Authentication) A
0 -339.2 M
(Required\) status, containing an "Authentication-Info" header with a "vks" parameter. ) S
0 -363.4 M
(The parameters contained in the header are as follows: ) S
11 -387.6 M
(version: ) S
33 -400.8 M
3.33046865 0 32 0 0 (\(mandatory, extensive-token\) should be the token "-draft11" in this specification. The) A
33 -414 M
(behavior is undefined when other values are specified. ) S
11 -427.2 M
(sid: ) S
33 -440.4 M
(\(mandatory, hex-fixed-number\) MUST be the value received from the client. ) S
11 -453.6 M
(vks: ) S
33 -466.8 M
11 0 Nf
0.575439453 0 32 0 0 (\(mandatory, algorithm-determined\) is the server-side authentication verification value ) A
0.575439453 0 32 0 0 (VK) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
0.575439453 0 32 0 0 (s) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
0.575439453 0 32 0 0 (,) A
0.0 -2.2 RM
33 -482.2 M
(which is specified by the algorithm. ) S
11 -495.4 M
(logout-timeout: ) S
33 -508.6 M
0.801432312 0 32 0 0 (\(non-mandatory, integer\) is the number of seconds after which the client should re-validate) A
33 -521.8 M
0.992745519 0 32 0 0 (the user's password for the current authentication realm. The value 0 means that the client) A
33 -535 M
2.42534733 0 32 0 0 (SHOULD automatically forget the user-inputted password for the current authentication) A
33 -548.2 M
2.17897725 0 32 0 0 (realm and revert to the unauthenticated state \(i.e.\240server-initiated logout\). This does not,) A
33 -561.4 M
2.98893237 0 32 0 0 (however, mean that the long-term memories for the passwords \(such as the password) A
33 -574.6 M
1.15 0 32 0 0 (reminders and auto fill-ins\) should be removed. If a new timeout value is received for the) A
33 -587.8 M
1.41914058 0 32 0 0 (same authentication realm, it overrides the previous timeout. If logout-timeout parameters) A
33 -601 M
1.60312498 0 32 0 0 (are specified both in an Authentication-Info header and an Authentication-Control header ) A
33 -614.2 M
1.29882812 0 32 0 0 (\() A
gsave
newpath
36.7 -615.3 M
135.890625 0 RL
stroke
grestore
1.29882812 0 32 0 0 ([I-D.oiwa-http-auth-extension]) A
[/Rect [35.6601562 -616.950195 173.550781 -604.85022] /Subtype /Link /Border [0 0 0] /Dest /106 /ANN pdfmark
1.29882812 0 32 0 0 (\), the client SHOULD respect the smaller one of those and) A
33 -627.4 M
(ignore the other. ) S
11 -640.6 M
(rekey-method: ) S
33 -653.8 M
3.68185759 0 32 0 0 (\(non-mandatory, extensive-token\): defining a credential used for reestablishing a new) A
33 -667 M
1.52709961 0 32 0 0 (session with a new sid. It must be either omitted or the token "passwords" at the current) A
33 -667 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 16 -) S
0 setgray
66 -8 M
grestore
pgsave restore N
%%Page: 17 17
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
33 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.339409709 0 32 0 0 (specification. The bare-tokens "refresh-key" and "refresh-key-global" are reserved for future ) A
33 -26.4 M
11 0 Nf
(extensions.) S
0 -50.6 M
2.99080873 0 32 0 0 (The header MUST be sent before the content body: it MUST\240NOT be sent in the trailer of a) A
0 -63.8 M
6.90039062 0 32 0 0 (chunked-encoded response. If a "100 Continue" response is sent from the server, the) A
0 -77 M
(Authentication-Info header SHOULD be included in that response, instead of the final response. ) S
0 -88 M
[/View [/XYZ -4 669.0 null] /Dest /60 /DEST pdfmark
0 -88 M
[/View [/XYZ -4 669.0 null] /Dest /61 /DEST pdfmark
0 -107 M
%%IncludeResource: font Times-Bold
15 2 Nf
(5.) S
[/View [/XYZ -4 668.0 null] /Dest /193 /DEST pdfmark
( Authentication ) S
(Realms) S
0 -131.2 M
11 0 Nf
0.740349293 0 32 0 0 (In this protocol, an "authentication realm" is defined as a set of resources \(URIs\) for which the same) A
0 -144.4 M
0.259033203 0 32 0 0 (set of user names and passwords is valid for. If the server requests authentication for an authentication) A
0 -157.6 M
4.71304083 0 32 0 0 (realm that the client is already authenticated for, the client will automatically perform the) A
0 -170.8 M
0.960582376 0 32 0 0 (authentication using the already-known secrets. However, for the different authentication realms, the) A
0 -184 M
(clients SHOULD\240NOT automatically reuse the usernames and passwords for another realm. ) S
0 -208.2 M
0.645833313 0 32 0 0 (Just like in Basic and Digest access authentication protocols, Mutual authentication protocol supports) A
0 -221.4 M
0.860491097 0 32 0 0 (multiple, separate protection spaces to be set up inside each host. Furthermore, the protocol supports) A
0 -234.6 M
(that a single authentication realm spans over several hosts within the same Internet domain. ) S
0 -258.8 M
0.777043283 0 32 0 0 (Each authentication realm is defined and distinguished by the triple of an "authentication algorithm",) A
0 -272 M
8.33554649 0 32 0 0 (an "authentication domain", and a "realm" parameter. However, server operators are) A
0 -285.2 M
1.16685271 0 32 0 0 (NOT\240RECOMMENDED to use the same pair of an authentication domain and a realm for different) A
0 -298.4 M
(authentication algorithms. ) S
0 -322.6 M
0.967708349 0 32 0 0 (The realm parameter is a string as defined in ) A
gsave
newpath
207.5 -323.7 M
41.2382812 0 RL
stroke
grestore
0.967708349 0 32 0 0 (Section\2404) A
[/Rect [206.488281 -325.350037 249.726562 -313.250031] /Subtype /Link /Border [0 0 0] /Dest /48 /ANN pdfmark
0.967708349 0 32 0 0 (. Authentication domains are described in the) A
0 -335.8 M
(remainder of this section. ) S
0 -360 M
0.457291663 0 32 0 0 (An authentication domain specifies the range of hosts that the authentication realm spans over. In this) A
0 -373.2 M
(protocol, it MUST be one of the following strings. ) S
11 -393.8 M
gsave
0 setgray
newpath
11.0 -393.770081 2.75 0 360 arc
closepath
fill
grestore
22 -397.4 M
0.881944418 0 32 0 0 (Single-server type: The string in format "<scheme>://<host>:<port>", where <scheme>, <host>,) A
22 -410.6 M
0.283447266 0 32 0 0 (and <port> are the corresponding URI parts of the request URI. Even if the request-URI does not) A
22 -423.8 M
1.56578946 0 32 0 0 (have a port part, the string will include one \(i.e. 80 for http and 443 for https\). The port part) A
22 -437 M
3.11523438 0 32 0 0 (MUST\240NOT contain leading zeros. Use this when authentication is only valid for specific) A
22 -450.2 M
(protocol \(such as https\). ) S
11 -460.8 M
gsave
0 setgray
newpath
11.0 -460.770142 2.75 0 360 arc
closepath
fill
grestore
22 -464.4 M
0.763950884 0 32 0 0 (Single-host type: The "host" part of the requested URI. This is the default value. Authentication) A
22 -477.6 M
1.22963166 0 32 0 0 (realms within this kind of authentication domain will span over several protocols \(i.e. http and) A
22 -490.8 M
(https\) and ports, but not over different hosts. ) S
11 -501.4 M
gsave
0 setgray
newpath
11.0 -501.370178 2.75 0 360 arc
closepath
fill
grestore
22 -505 M
1.58810759 0 32 0 0 (Wildcard-domain type: The string in format "*.<domain-postfix>", where <domain-postfix> is) A
22 -518.2 M
0.887408078 0 32 0 0 (either the host part of the requested URI or any domain in which the requested host is included) A
22 -531.4 M
0.577473938 0 32 0 0 (\(this means that the specification "*.example.com" is valid for all of hosts "www.example.com",) A
22 -544.6 M
2.15429688 0 32 0 0 ("web.example.com", "www.sales.example.com" and "example.com"\). The domain-postfix sent) A
22 -557.8 M
0.636948526 0 32 0 0 (from the servers MUST be equal to or included in a valid Internet domain assigned to a specific) A
22 -571 M
0.879743278 0 32 0 0 (organization: if clients know, by some means such as a blacklist for ) A
gsave
newpath
332.8 -572.1 M
31.1219311 0 RL
stroke
grestore
0.879743278 0 32 0 0 (HTTP ) A
gsave
newpath
363.9 -572.1 M
33.5976562 0 RL
stroke
grestore
0.879743278 0 32 0 0 (cookies) A
[/Rect [331.785156 -573.750244 398.503906 -561.650269] /Subtype /Link /Border [0 0 0] /Dest /129 /ANN pdfmark
0.879743278 0 32 0 0 ( [RFC6265],) A
22 -584.2 M
2.0979166 0 32 0 0 (that the specified domain is not to be assigned to any specific organization \(e.g. "*.com" or) A
22 -597.4 M
("*.jp"\), the clients are RECOMMENDED to reject the authentication request. ) S
0 -621.6 M
1.05524552 0 32 0 0 (In the above specifications, every "scheme", "host", and "domain" MUST be in lower-case, and any) A
0 -634.8 M
1.49278843 0 32 0 0 (internationalized domain names beyond the ASCII character set SHALL be represented in the way) A
0 -648 M
0.225360572 0 32 0 0 (they are sent in the underlying HTTP protocol, represented in lower-case characters; i.e.\240these SHALL) A
0 -661.2 M
0.202473953 0 32 0 0 (be in the form of the LDH labels in ) A
gsave
newpath
159.7 -662.3 M
27.484375 0 RL
stroke
grestore
0.202473953 0 32 0 0 (IDNA) A
[/Rect [158.699219 -663.950317 188.183594 -651.850342] /Subtype /Link /Border [0 0 0] /Dest /127 /ANN pdfmark
0.202473953 0 32 0 0 ( [RFC5890]. All "port"s MUST be in the shortest, unsigned,) A
0 -661.2 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 17 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 18 18
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.51399744 0 32 0 0 (decimal number notation. Not obeying these requirements will cause failure of valid authentication) A
0 -26.4 M
11 0 Nf
(attempts. ) S
0 -37.4 M
[/View [/XYZ -4 719.6 null] /Dest /62 /DEST pdfmark
0 -37.4 M
[/View [/XYZ -4 719.6 null] /Dest /63 /DEST pdfmark
0 -53 M
%%IncludeResource: font Times-Bold
13 2 Nf
(5.1.) S
[/View [/XYZ -4 719.6 null] /Dest /194 /DEST pdfmark
( Resolving ) S
(Ambiguities) S
0 -77.2 M
11 0 Nf
4.1350913 0 32 0 0 (In the above definitions of authentication domains, several domains will overlap each other.) A
0 -90.4 M
0.957331717 0 32 0 0 (Depending on the "path" parameters given in the "401-KEX-S1" message \(see ) A
gsave
newpath
358 -91.5 M
41.2382812 0 RL
stroke
grestore
0.957331717 0 32 0 0 (Section\2404) A
[/Rect [357.015625 -93.1499939 400.253906 -81.0499954] /Subtype /Link /Border [0 0 0] /Dest /48 /ANN pdfmark
0.957331717 0 32 0 0 (\), there may) A
0 -103.6 M
0.519010425 0 32 0 0 (be several candidates when the client is going to send a request including an authentication credential) A
0 -116.8 M
(\(Steps 3 and 4 of the decision procedure presented in ) S
gsave
newpath
235.8 -117.9 M
41.2382812 0 RL
stroke
grestore
(Section\2409) S
[/Rect [234.785156 -119.549988 278.023438 -107.449989] /Subtype /Link /Border [0 0 0] /Dest /70 /ANN pdfmark
(\). ) S
0 -141 M
(If such choices are required, the following procedure SHOULD be ) S
(followed.) S
11 -161.6 M
gsave
0 setgray
newpath
11.0 -161.569992 2.75 0 360 arc
closepath
fill
grestore
22 -165.2 M
0.296185672 0 32 0 0 (If the client has previously sent a request to the same URI, and if it remembers the authentication) A
22 -178.4 M
(realm requested by 401-INIT messages at that time, use that realm. ) S
11 -189 M
gsave
0 setgray
newpath
11.0 -188.969986 2.75 0 360 arc
closepath
fill
grestore
22 -192.6 M
2.12535501 0 32 0 0 (In other cases, use one of authentication realms representing the most-specific authentication) A
22 -205.8 M
2.33503604 0 32 0 0 (domains. From the list of possible domain specifications shown above, each one earlier has) A
22 -219 M
(priority over ones described after that. ) S
22 -232.2 M
2.12860584 0 32 0 0 (If there are several choices with different domain-postfix specifications, the one that has the) A
22 -245.4 M
(longest domain-postfix has priority over ones with a shorter domain-postfix. ) S
11 -256 M
gsave
0 setgray
newpath
11.0 -255.969971 2.75 0 360 arc
closepath
fill
grestore
22 -259.6 M
1.19192708 0 32 0 0 (If there are realms with the same authentication domain, there is no defined priority: the client) A
22 -272.8 M
(MAY choose any one of the possible choices. ) S
0 -297 M
1.00641739 0 32 0 0 (If possible, server operators are encouraged to avoid such ambiguities by properly setting the "path") A
0 -310.2 M
(parameters. ) S
0 -321.2 M
[/View [/XYZ -4 435.8 null] /Dest /64 /DEST pdfmark
0 -321.2 M
[/View [/XYZ -4 435.8 null] /Dest /65 /DEST pdfmark
0 -340.2 M
15 2 Nf
(6.) S
[/View [/XYZ -4 434.8 null] /Dest /195 /DEST pdfmark
( Session ) S
(Management) S
0 -364.4 M
11 0 Nf
2.62304688 0 32 0 0 (In the Mutual authentication protocol, a session represented by an sid is set up using first four) A
0 -377.6 M
4.08842325 0 32 0 0 (messages \(first request, 401-INIT, req-KEX-C1 and 401-KEX-S1\), and a "session secret" \(z\)) A
0 -390.8 M
1.02656245 0 32 0 0 (associated with the session is established. After sharing a session secret, this session, along with the) A
0 -404 M
1.21571183 0 32 0 0 (secret, can be used for one or more requests for resources protected by the same realm in the same) A
0 -417.2 M
0.293887854 0 32 0 0 (server. Note that session management is only an inside detail of the protocol and usually not visible to) A
0 -430.4 M
1.39933896 0 32 0 0 (normal users. If a session expires, the client and server SHOULD automatically reestablish another) A
0 -443.6 M
(session without informing the users. ) S
0 -467.8 M
0.868896484 0 32 0 0 (Sessions and session identifiers are local to each server \(defined by scheme, host and port\) inside an) A
0 -481 M
1.94348955 0 32 0 0 (authentication domain; the clients MUST establish separate sessions for each port of a host to be) A
0 -494.2 M
1.84705532 0 32 0 0 (accessed. Furthermore, sessions and identifiers are also local to each authentication realm, even if) A
0 -507.4 M
0.690290153 0 32 0 0 (these are provided from the same servers. The same session identifiers provided either from different) A
0 -520.6 M
(servers or for different realms SHOULD be treated as independent ones. ) S
0 -544.8 M
1.07083333 0 32 0 0 (The server SHOULD accept at least one req-VFY-C request for each session, given that the request) A
0 -558 M
0.621875 0 32 0 0 (reaches the server in a time window specified by the timeout parameter in the 401-KEX-S1 message,) A
0 -571.2 M
0.423483461 0 32 0 0 (and that there are no emergent reasons \(such as flooding attacks\) to forget the sessions. After that, the) A
0 -584.4 M
0.0294270832 0 32 0 0 (server MAY discard any session at any time and MAY send 401-STALE messages for any req-VFY-C) A
0 -597.6 M
(requests. ) S
0 -621.8 M
0.78010112 0 32 0 0 (The client MAY send two or more requests using a single session specified by the sid. However, for) A
0 -635 M
3.39088535 0 32 0 0 (all such requests, each value of the nonce \(in the nc parameter\) MUST satisfy the following) A
0 -648.2 M
(conditions: ) S
0 -648.2 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 18 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 19 19
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
11 -9.6 M
gsave
0 setgray
newpath
11.0 -9.57000065 2.75 0 360 arc
closepath
fill
grestore
22 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(It is a natural number. ) S
11 -23.8 M
gsave
0 setgray
newpath
11.0 -23.77 2.75 0 360 arc
closepath
fill
grestore
22 -27.4 M
(The same nonce was not sent within the same session. ) S
11 -38 M
gsave
0 setgray
newpath
11.0 -37.97 2.75 0 360 arc
closepath
fill
grestore
22 -41.6 M
0.619574666 0 32 0 0 (It is not larger than the nc-max value that was sent from the server in the session represented by) A
22 -54.8 M
(the sid. ) S
11 -65.4 M
gsave
0 setgray
newpath
11.0 -65.37 2.75 0 360 arc
closepath
fill
grestore
22 -69 M
0.374267578 0 32 0 0 (It is larger than \(largest-nc - nc-window\), where largest-nc is the maximal value of nc which was) A
22 -82.2 M
0.00807291642 0 32 0 0 (previously sent in the session, and nc-window is the value of the nc-window parameter which was) A
22 -95.4 M
(received from the server in the ) S
(session.) S
0 -119.6 M
1.14375 0 32 0 0 (The last condition allows servers to reject any nonce values that are "significantly" smaller than the) A
0 -132.8 M
0.0197610296 0 32 0 0 ("current" value \(defined by the value of nc-window\) of the nonce used in the session involved. In other) A
0 -146 M
2.6373198 0 32 0 0 (words, servers MAY treat such nonces as "already received". This restriction enables servers to) A
0 -159.2 M
(implement duplicated nonce detection in a constant amount of memory \(for each session\). ) S
0 -183.4 M
1.3338542 0 32 0 0 (Servers MUST check for duplication of the received nonces, and if any duplication is detected, the) A
0 -196.6 M
0.596819222 0 32 0 0 (server MUST discard the session and respond with a 401-STALE message, as outlined in ) A
gsave
newpath
404.5 -197.7 M
46.7382812 0 RL
stroke
grestore
0.596819222 0 32 0 0 (Section\24010) A
[/Rect [403.46875 -199.349976 452.207031 -187.249969] /Subtype /Link /Border [0 0 0] /Dest /73 /ANN pdfmark
0.596819222 0 32 0 0 (.) A
0 -209.8 M
1.84228516 0 32 0 0 (The server MAY also reject other invalid nonce values \(such as ones above the nc-max limit\) by) A
0 -223 M
(sending a 401-STALE message. ) S
0 -247.2 M
1.22886026 0 32 0 0 (For example, assume the nc-window value of the current session is 32, nc-max is 100, and that the) A
0 -260.4 M
1.6854167 0 32 0 0 (client has already used the following nonce values: {1-20, 22, 24, 30-38, 45-60, 63-72}. Then the) A
0 -273.6 M
0.115885414 0 32 0 0 (nonce values that can be used for next request is one of the following set: {41-44, 61-62, 73-100}. The) A
0 -286.8 M
0.100694448 0 32 0 0 (values {0, 21, 23, 25-29, 39-40} MAY be rejected by the server because they are not above the current) A
0 -300 M
("window limit" \(40 = 72 - 32\). ) S
0 -324.2 M
0.903320312 0 32 0 0 (Typically, clients can ensure the above property by using a monotonically-increasing integer counter) A
0 -337.4 M
(that counts from zero upto the value of nc-max. ) S
0 -361.6 M
1.04947913 0 32 0 0 (The values of the nonces and any nonce-related values MUST always be treated as natural numbers) A
0 -374.8 M
3.52695322 0 32 0 0 (within an infinite range. Implementations using fixed-width integers or fixed-precision floating) A
0 -388 M
4.87226582 0 32 0 0 (numbers MUST correctly and carefully handle integer overflows. Such implementations are) A
0 -401.2 M
1.16346157 0 32 0 0 (RECOMMENDED to accept any larger values that cannot be represented in the fixed-width integer) A
0 -414.4 M
0.185825899 0 32 0 0 (representations, as long as other limits such as internal header-length restrictions are not involved. The) A
0 -427.6 M
1.29140627 0 32 0 0 (protocol is designed carefully so that both the clients and servers can implement the protocol using) A
0 -440.8 M
(only fixed-width integers, by rounding any overflowed values to the maximum possible value. ) S
0 -451.8 M
[/View [/XYZ -4 305.19989 null] /Dest /66 /DEST pdfmark
0 -451.8 M
[/View [/XYZ -4 305.19989 null] /Dest /67 /DEST pdfmark
0 -470.8 M
%%IncludeResource: font Times-Bold
15 2 Nf
(7.) S
[/View [/XYZ -4 304.19989 null] /Dest /196 /DEST pdfmark
( Validation ) S
(Methods) S
0 -495 M
11 0 Nf
1.56730771 0 32 0 0 (The "validation method" specifies a method to "relate" the mutual authentication processed by this) A
0 -508.2 M
3.67773438 0 32 0 0 (protocol with other authentications already performed in the underlying layers and to prevent) A
0 -521.4 M
(man-in-the-middle attacks. It decides the value v that is an input to the authentication protocols. ) S
0 -545.6 M
(The valid tokens for the validation parameter and corresponding values of v are as follows: ) S
11 -569.8 M
(host: ) S
33 -583 M
3.60216355 0 32 0 0 (hostname validation: The value v will be the ASCII string in the following format:) A
33 -596.2 M
0.1796875 0 32 0 0 ("<scheme>://<host>:<port>", where <scheme>, <host>, and <port> are the URI components) A
33 -609.4 M
1.13378906 0 32 0 0 (corresponding to the currently accessing resource. The scheme and host are in lower-case,) A
33 -622.6 M
0.447509766 0 32 0 0 (and the port is in a shortest decimal representation. Even if the request-URI does not have a) A
33 -635.8 M
(port part, v will include one. ) S
33 -635.8 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 19 -) S
0 setgray
22 -8 M
grestore
pgsave restore N
%%Page: 20 20
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
11 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(tls-cert: ) S
33 -26.4 M
0.133501843 0 32 0 0 (TLS certificate validation: The value v will be the octet string of the hash value of the public) A
33 -39.6 M
0.572115362 0 32 0 0 (key certificate used in the underlying ) A
gsave
newpath
202.6 -40.7 M
19.5507812 0 RL
stroke
grestore
0.572115362 0 32 0 0 (TLS) A
[/Rect [201.5625 -42.3500023 223.113281 -30.2500019] /Subtype /Link /Border [0 0 0] /Dest /112 /ANN pdfmark
0.572115362 0 32 0 0 ( [RFC5246] \(or SSL\) connection. The hash value) A
33 -52.8 M
3.90564895 0 32 0 0 (is defined as the value of the entire signed certificate \(specified as "Certificate" in ) A
33 -66 M
gsave
newpath
33 -67.1 M
50.1054688 0 RL
stroke
grestore
([RFC5280]) S
[/Rect [32.0 -68.75 84.1054688 -56.65] /Subtype /Link /Border [0 0 0] /Dest /126 /ANN pdfmark
(\), hashed by the hash algorithm specified by the authentication algorithm used. ) S
11 -79.2 M
(tls-key: ) S
33 -92.4 M
0.926041663 0 32 0 0 (TLS shared-key validation: The value v will be the octet string of the shared master secret) A
33 -105.6 M
(negotiated in the underlying TLS \(or SSL\) ) S
(connection.) S
0 -129.8 M
0.083984375 0 32 0 0 (If the HTTP protocol is used on a non-encrypted channel \(TCP and SCTP, for example\), the validation) A
0 -143 M
0.153738841 0 32 0 0 (type MUST be "host". If ) A
gsave
newpath
111.8 -144.1 M
50.0976562 0 RL
stroke
grestore
0.153738841 0 32 0 0 (HTTP/TLS) A
[/Rect [110.753906 -145.749985 162.851562 -133.649979] /Subtype /Link /Border [0 0 0] /Dest /123 /ANN pdfmark
0.153738841 0 32 0 0 ( [RFC2818] \(HTTPS\) protocol is used with the server certificates,) A
0 -156.2 M
1.90807295 0 32 0 0 (the validation type MUST be either "tls-cert" or "tls-key". If HTTP/TLS protocol is used with an) A
0 -169.4 M
0.00210336549 0 32 0 0 (anonymous Diffie-Hellman key exchange, the validation type MUST be "tls-key" \(see the note below\). ) A
0 -193.6 M
1.08255208 0 32 0 0 (If the validation type "tls-cert" is used, the server certificate provided on TLS connection MUST be) A
0 -206.8 M
(verified to make sure that the server actually owns the corresponding secret key. ) S
0 -231 M
(Clients MUST validate this parameter upon reception of the 401-INIT messages. ) S
0 -255.2 M
2.49693084 0 32 0 0 (However, when the client is a Web browser with any scripting capabilities, the underlying TLS) A
0 -268.4 M
3.75260425 0 32 0 0 (channel used with HTTP/TLS MUST provide server identity verification. This means \(1\) the) A
0 -281.6 M
0.471028656 0 32 0 0 (anonymous Diffie-Hellman key exchange ciphersuite MUST\240NOT be used, and \(2\) the verification of) A
0 -294.8 M
(the server certificate provided from the server MUST be performed. ) S
0 -319 M
1.07728791 0 32 0 0 (For other systems, when the underlying TLS channel used with HTTP/TLS does not perform server) A
0 -332.2 M
0.773995519 0 32 0 0 (identity verification, the client SHOULD ensure that all the responses are validated using the Mutual) A
0 -345.4 M
(authentication protocol, regardless of the existence of the 401-INIT responses. ) S
0 -369.6 M
0.655413 0 32 0 0 (Note: The protocol defines two variants for validation on the TLS connections. The "tls-key" method) A
0 -382.8 M
(is more secure. However, there are some situations where tls-cert is ) S
(preferable.) S
11 -403.4 M
gsave
0 setgray
newpath
11.0 -403.370056 2.75 0 360 arc
closepath
fill
grestore
22 -407 M
0.297135413 0 32 0 0 (When TLS accelerating proxies are used, it is difficult for the authenticating server to acquire the) A
22 -420.2 M
2.09099269 0 32 0 0 (TLS key information that is used between the client and the proxy. This is not the case for) A
22 -433.4 M
(client-side "tunneling" proxies using a CONNECT method extension of HTTP. ) S
11 -444 M
gsave
0 setgray
newpath
11.0 -443.970093 2.75 0 360 arc
closepath
fill
grestore
22 -447.6 M
(When a black-box implementation of the TLS protocol is used on either peer. ) S
0 -471.8 M
0.869673312 0 32 0 0 (Implementations supporting a Mutual authentication over the HTTPS protocol SHOULD support the) A
0 -485 M
("tls-cert" validation. Support for "tls-key" validation is OPTIONAL for both the servers and clients. ) S
0 -496 M
[/View [/XYZ -4 260.999878 null] /Dest /68 /DEST pdfmark
0 -496 M
[/View [/XYZ -4 260.999878 null] /Dest /69 /DEST pdfmark
0 -515 M
%%IncludeResource: font Times-Bold
15 2 Nf
(8.) S
[/View [/XYZ -4 259.999878 null] /Dest /197 /DEST pdfmark
( Authentication ) S
(Extensions) S
0 -539.2 M
11 0 Nf
0.292613626 0 32 0 0 (The HTTP authentication extensions described in ) A
gsave
newpath
222.3 -540.3 M
135.890625 0 RL
stroke
grestore
0.292613626 0 32 0 0 ([I-D.oiwa-http-auth-extension]) A
[/Rect [221.257812 -541.950134 359.148438 -529.850159] /Subtype /Link /Border [0 0 0] /Dest /106 /ANN pdfmark
0.292613626 0 32 0 0 ( are a definitive part of) A
0 -552.4 M
0.900923312 0 32 0 0 (this protocol. Interactive clients \(e.g. Web browsers\) supporting this protocol are RECOMMENDED) A
0 -565.6 M
0.778125 0 32 0 0 (to support non-mandatory authentication and the Authentication-Control header defined there, except) A
0 -578.8 M
4.74023438 0 32 0 0 (the "auth-style" parameter. This specification also proposes \(however, not mandates\) default) A
0 -592 M
0.425455719 0 32 0 0 ("auth-style" to be "non-modal". Web applications SHOULD however consider the security impacts of) A
0 -605.2 M
(the behaviors of clients that do not support these headers. ) S
0 -629.4 M
2.23681641 0 32 0 0 (Authentication-initializing messages with the Optional-WWW-Authenticate header are used where) A
0 -642.6 M
0.577288 0 32 0 0 (401-INIT response is valid. Such a message is called a 200-Optional-INIT message in this document.) A
0 -655.8 M
(\(It will not replace other 401-type messages such as 401-STALE and 401-KEX-S1.\) ) S
0 -655.8 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 20 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 21 21
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /70 /DEST pdfmark
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /71 /DEST pdfmark
0 -18 M
%%IncludeResource: font Times-Bold
15 2 Nf
(9.) S
[/View [/XYZ -4 757.0 null] /Dest /198 /DEST pdfmark
( Decision Procedure for ) S
(Clients) S
0 -42.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.688058 0 32 0 0 (To securely implement the protocol, the user client must be careful about accepting the authenticated) A
0 -55.4 M
1.74916291 0 32 0 0 (responses from the server. This also holds true for the reception of "normal responses" \(responses) A
0 -68.6 M
(which do not contain Mutual-related headers\) from HTTP servers. ) S
0 -92.8 M
3.08919263 0 32 0 0 (Clients SHOULD implement a decision procedure equivalent to the one shown below. \(Unless) A
0 -106 M
1.42940843 0 32 0 0 (implementers understand what is required for the security, they should not alter this.\) In particular,) A
0 -119.2 M
0.892578125 0 32 0 0 (clients SHOULD\240NOT accept "normal responses" unless explicitly allowed below. The labels on the) A
0 -132.4 M
0.119977675 0 32 0 0 (steps are for informational purposes only. Action entries within each step are checked in top-to-bottom) A
0 -145.6 M
(order, and the first clause satisfied SHOULD be taken. ) S
11 -169.8 M
(Step 1 \(step_new_request\): ) S
33 -183 M
1.3976562 0 32 0 0 (If the client software needs to access a new Web resource, check whether the resource is) A
33 -196.2 M
3.08894229 0 32 0 0 (expected to be inside some authentication realm for which the user has already been) A
33 -209.4 M
1.35993302 0 32 0 0 (authenticated by the Mutual authentication scheme. If yes, go to Step 2. Otherwise, go to) A
33 -222.6 M
(Step 5. ) S
11 -235.8 M
(Step 2: ) S
33 -249 M
0.988020837 0 32 0 0 (Check whether there is an available sid for the authentication realm you expect. If there is) A
33 -262.2 M
(one, go to Step 3. Otherwise, go to Step 4. ) S
11 -275.4 M
(Step 3 \(step_send_vfy_1\): ) S
33 -288.6 M
(Send a req-VFY-C request. ) S
44 -299.2 M
gsave
0 setgray
newpath
44.0 -299.17 2.75 0 360 arc
closepath
fill
grestore
55 -302.8 M
0.395833343 0 32 0 0 (If you receive a 401-INIT message with a different authentication realm than expected,) A
55 -316 M
(go to Step 6. ) S
44 -326.6 M
gsave
0 setgray
newpath
44.0 -326.570038 2.75 0 360 arc
closepath
fill
grestore
55 -330.2 M
0.653409064 0 32 0 0 (If you receive a 200-Optional-INIT message with a different authentication realm than) A
55 -343.4 M
(expected, go to Step 6. ) S
44 -354 M
gsave
0 setgray
newpath
44.0 -353.970062 2.75 0 360 arc
closepath
fill
grestore
55 -357.6 M
(If you receive a 401-STALE message, go to Step 9. ) S
44 -368.2 M
gsave
0 setgray
newpath
44.0 -368.170074 2.75 0 360 arc
closepath
fill
grestore
55 -371.8 M
(If you receive a 401-INIT message, go to Step 13. ) S
44 -382.4 M
gsave
0 setgray
newpath
44.0 -382.370087 2.75 0 360 arc
closepath
fill
grestore
55 -386 M
(If you receive a 200-VFY-S message, go to Step 14. ) S
44 -396.6 M
gsave
0 setgray
newpath
44.0 -396.570099 2.75 0 360 arc
closepath
fill
grestore
55 -400.2 M
(If you receive a normal response, go to Step ) S
(11.) S
11 -413.4 M
(Step 4 \(step_send_kex1_1\): ) S
33 -426.6 M
(Send a req-KEX-C1 request. ) S
44 -437.2 M
gsave
0 setgray
newpath
44.0 -437.170135 2.75 0 360 arc
closepath
fill
grestore
55 -440.8 M
0.395833343 0 32 0 0 (If you receive a 401-INIT message with a different authentication realm than expected,) A
55 -454 M
(go to Step 6. ) S
44 -464.6 M
gsave
0 setgray
newpath
44.0 -464.57016 2.75 0 360 arc
closepath
fill
grestore
55 -468.2 M
0.653409064 0 32 0 0 (If you receive a 200-Optional-INIT message with a different authentication realm than) A
55 -481.4 M
(expected, go to Step 6. ) S
44 -492 M
gsave
0 setgray
newpath
44.0 -491.970184 2.75 0 360 arc
closepath
fill
grestore
55 -495.6 M
(If you receive a 401-KEX-S1 message, go to Step 10. ) S
44 -506.2 M
gsave
0 setgray
newpath
44.0 -506.170197 2.75 0 360 arc
closepath
fill
grestore
55 -509.8 M
0.990792394 0 32 0 0 (If you receive a 401-INIT message with the same authentication realm, go to Step 13) A
55 -523 M
(\(see Note 1\). ) S
44 -533.6 M
gsave
0 setgray
newpath
44.0 -533.57019 2.75 0 360 arc
closepath
fill
grestore
55 -537.2 M
(If you receive a normal response, go to Step ) S
(11.) S
11 -550.4 M
(Step 5 \(step_send_normal_1\): ) S
33 -563.6 M
(Send a request without any Mutual authentication headers. ) S
44 -574.2 M
gsave
0 setgray
newpath
44.0 -574.170227 2.75 0 360 arc
closepath
fill
grestore
55 -577.8 M
(If you receive a 401-INIT message, go to Step 6. ) S
44 -588.4 M
gsave
0 setgray
newpath
44.0 -588.370239 2.75 0 360 arc
closepath
fill
grestore
55 -592 M
(If you receive a 200-Optional-INIT message, go to Step 6. ) S
44 -602.6 M
gsave
0 setgray
newpath
44.0 -602.570251 2.75 0 360 arc
closepath
fill
grestore
55 -606.2 M
(If you receive a normal response, go to Step ) S
(11.) S
11 -619.4 M
(Step 6 \(step_rcvd_init\): ) S
33 -632.6 M
0.41015625 0 32 0 0 (Check whether you know the user's password for the requested authentication realm. If yes,) A
33 -645.8 M
(go to Step 7. Otherwise, go to Step 12. ) S
33 -645.8 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 21 -) S
0 setgray
22 -8 M
grestore
pgsave restore N
%%Page: 22 22
%%PageResources: font Times-Roman Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
11 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(Step 7: ) S
33 -26.4 M
0.988020837 0 32 0 0 (Check whether there is an available sid for the authentication realm you expect. If there is) A
33 -39.6 M
(one, go to Step 8. Otherwise, go to Step 9. ) S
11 -52.8 M
(Step 8 \(step_send_vfy\): ) S
33 -66 M
(Send a req-VFY-C request. ) S
44 -76.6 M
gsave
0 setgray
newpath
44.0 -76.57 2.75 0 360 arc
closepath
fill
grestore
55 -80.2 M
(If you receive a 401-STALE message, go to Step 9. ) S
44 -90.8 M
gsave
0 setgray
newpath
44.0 -90.77 2.75 0 360 arc
closepath
fill
grestore
55 -94.4 M
(If you receive a 401-INIT message, go to Step 13. ) S
44 -105 M
gsave
0 setgray
newpath
44.0 -104.969994 2.75 0 360 arc
closepath
fill
grestore
55 -108.6 M
(If you receive a 200-VFY-S message, go to Step ) S
(14.) S
11 -121.8 M
(Step 9 \(step_send_kex1\): ) S
33 -135 M
(Send a req-KEX-C1 request. ) S
44 -145.6 M
gsave
0 setgray
newpath
44.0 -145.569992 2.75 0 360 arc
closepath
fill
grestore
55 -149.2 M
(If you receive a 401-KEX-S1 message, go to Step 10. ) S
44 -159.8 M
gsave
0 setgray
newpath
44.0 -159.769989 2.75 0 360 arc
closepath
fill
grestore
55 -163.4 M
(If you receive a 401-INIT message, go to Step 13 \(See Note ) S
(1\).) S
11 -176.6 M
(Step 10 \(step_rcvd_kex1\): ) S
33 -189.8 M
(Send a req-VFY-C request. ) S
44 -200.4 M
gsave
0 setgray
newpath
44.0 -200.36998 2.75 0 360 arc
closepath
fill
grestore
55 -204 M
(If you receive a 401-INIT message, go to Step 13. ) S
44 -214.6 M
gsave
0 setgray
newpath
44.0 -214.569977 2.75 0 360 arc
closepath
fill
grestore
55 -218.2 M
(If you receive a 200-VFY-S message, go to Step ) S
(14.) S
11 -231.4 M
(Step 11 \(step_rcvd_normal\): ) S
33 -244.6 M
4.3088727 0 32 0 0 (The requested resource is out of the authenticated area. The client will be in the) A
33 -257.8 M
0.308203131 0 32 0 0 ("UNAUTHENTICATED" status. If the response contains a request for authentications other) A
33 -271 M
(than Mutual, it MAY be handled normally. ) S
11 -284.2 M
(Step 12 \(step_rcvd_init_unknown\): ) S
33 -297.4 M
5.07682276 0 32 0 0 (The requested resource requires a Mutual authentication, and the user is not yet) A
33 -310.6 M
7.17734385 0 32 0 0 (authenticated. The client will be in the "AUTH-REQUESTED" status, and is) A
33 -323.8 M
1.31145835 0 32 0 0 (RECOMMENDED to process the content sent from the server, and to ask user for a user) A
33 -337 M
(name and a password. When those are supplied from the user, proceed to Step 9. ) S
11 -350.2 M
(Step 13 \(step_rcvd_init_failed\): ) S
33 -363.4 M
0.689903855 0 32 0 0 (For some reason the authentication failed: possibly the password or the username is invalid) A
33 -376.6 M
1.28004813 0 32 0 0 (for the authenticated resource. Forget the password for the authentication realm and go to) A
33 -389.8 M
(Step 12. ) S
11 -403 M
(Step 14 \(step_rcvd_vfy\): ) S
33 -416.2 M
11 0 Nf
0.790096521 0 32 0 0 (Check the validity of the received ) A
0.790096521 0 32 0 0 (VK) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
0.790096521 0 32 0 0 (s) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
0.790096521 0 32 0 0 ( value. If it is equal to the expected value, it means) A
0.0 -2.2 RM
33 -431.6 M
9.39595127 0 32 0 0 (that the mutual authentication has succeeded. The client will be in the) A
33 -444.8 M
("AUTH-SUCCEEDED" status. ) S
33 -458 M
(If the value is unexpected, it is a fatal communication error. ) S
33 -471.2 M
0.143798828 0 32 0 0 (If a user explicitly requests to log out \(via user interfaces\), the client MUST forget the user's) A
33 -484.4 M
(password, go to step 5 and reload the current resource without an authentication header. ) S
11 -497.6 M
(Note 1: ) S
33 -510.8 M
1.1484375 0 32 0 0 (These transitions MAY be accepted by clients, but NOT\240RECOMMENDED for servers to ) A
33 -524 M
(initiate.) S
0 -548.2 M
1.1690104 0 32 0 0 (Any kind of response \(including a normal response\) other than those shown in the above procedure) A
0 -561.4 M
1.49469864 0 32 0 0 (SHOULD be interpreted as a fatal communication error, and in such cases the clients MUST\240NOT) A
0 -574.6 M
0.624442 0 32 0 0 (process any data \(response body and other content-related headers\) sent from the server. However, to) A
0 -587.8 M
0.473632812 0 32 0 0 (handle exceptional error cases, clients MAY accept a message without an Authentication-Info header,) A
0 -601 M
0.842773438 0 32 0 0 (if it is a Server-Error \(5xx\) status. The client will be in the "UNAUTHENTICATED" status in these) A
0 -614.2 M
(cases. ) S
0 -638.4 M
0.683072925 0 32 0 0 (The client software SHOULD display the three client statuses to the end-user. For an interactive client,) A
0 -651.6 M
0.412109375 0 32 0 0 (however, if a request is a sub-request for a resource included in another page \(e.g., embedded images,) A
0 -664.8 M
7.83323336 0 32 0 0 (style sheets, frames etc.\), its status MAY be omitted from being shown, and any) A
0 -664.8 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 22 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 23 23
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.51953125 0 32 0 0 ("AUTH-REQUESTED" statuses MAY be treated in the same way as an "UNAUTHENTICATED") A
0 -26.4 M
11 0 Nf
(status. ) S
0 -50.6 M
gsave
newpath
0 -51.7 M
36.9609375 0 RL
stroke
grestore
(Figure\2405) S
[/Rect [-1.0 -53.3500023 37.9609375 -41.25] /Subtype /Link /Border [0 0 0] /Dest /72 /ANN pdfmark
( shows a diagram of the client-side state. ) S
0 -61.6 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -72.6 M
[/View [/XYZ -4 684.4 null] /Dest /72 /DEST pdfmark
0 -466.6 M
gsave
0.0 -466.6 translate
/IS 1 D
save
0 0 M
IS IS scale
/showpage {}D
-71 -427 translate
% tgifdict: private dictionary (capacity 53) holding the helper procedures
% and short operator aliases used by the embedded figure that follows.
% The names defined here are only in effect while tgifdict is on the
% dictionary stack. Several of them (e.g. S, defined below as stroke) are
% used with a different operand pattern earlier on the page (`(text) S`),
% so presumably they shadow outer definitions -- confirm against the prolog.
/tgifdict 53 dict def
tgifdict begin
% Scratch dictionary for TGAT: holds its six operands plus mtrx/savematrix.
/tgifarrowtipdict 8 dict def
% mtrx is a reusable matrix object that TGAT fills with the current CTM.
tgifarrowtipdict /mtrx matrix put
% TGAT: x y w h dx dy TGAT -
% Appends an arrow-tip outline to the current path. The tip point is at
% (x, y); the two back corners lie w units behind the tip and h units to
% either side, oriented along the direction vector (dx, dy).
% The procedure does not call newpath, closepath or fill itself; the
% visible call sites wrap it as `NP ... TGAT ... CP F`.
/TGAT % tgifarrowtip
 { tgifarrowtipdict begin
      % Operands are popped top-first, so dy is taken first and x last.
      /dy exch def
      /dx exch def
      /h exch def
      /w exch def
      /y exch def
      /x exch def
      % Remember the current CTM so it can be restored after the path is built.
      /savematrix mtrx currentmatrix def
      % Move the origin to the tip and rotate to the arrow's direction.
      x y translate
      dy dx atan rotate
      % Tip at the origin, then the two back corners at (-w, h) and (-w, -h).
      0 0 moveto
      w neg h lineto
      w neg h neg lineto
      % Restore the CTM saved above; the constructed path is kept.
      savematrix setmatrix
   end
 } def
% TGMAX: a b TGMAX max
% Duplicates both operands, compares them with gt and keeps the larger one.
/TGMAX
 { exch dup 3 1 roll exch dup 3 1 roll gt { pop } { exch pop } ifelse
 } def
% TGMIN: a b TGMIN min
% Same stack shuffle as TGMAX but compares with lt and keeps the smaller one.
/TGMIN
 { exch dup 3 1 roll exch dup 3 1 roll lt { pop } { exch pop } ifelse
 } def
% TGSW: string TGSW wx
% Width of the string in the current font (the y component is discarded).
/TGSW { stringwidth pop } def
% bd: shorthand for `bind def`; every alias below is defined through it.
/bd { bind def } bind def
% One- and two-letter aliases for graphics-state and path operators.
/GS { gsave } bd
/GR { grestore } bd
/NP { newpath } bd
/CP { closepath } bd
/CHP { charpath } bd
/CT { curveto } bd
/L { lineto } bd
/RL { rlineto } bd
/M { moveto } bd
/RM { rmoveto } bd
/S { stroke } bd
/F { fill } bd
/TR { translate } bd
/RO { rotate } bd
/SC { scale } bd
% Aliases for arithmetic and stack operators.
/MU { mul } bd
/DI { div } bd
/DU { dup } bd
/NE { neg } bd
/AD { add } bd
/SU { sub } bd
/PO { pop } bd
/EX { exch } bd
/CO { concat } bd
% Aliases for clipping, even-odd fill and image operators.
/CL { clip } bd
/EC { eoclip } bd
/EF { eofill } bd
/IM { image } bd
/IMM { imagemask } bd
/ARY { array } bd
% Aliases for colour, dash and line-style operators.
/SG { setgray } bd
/RG { setrgbcolor } bd
/SD { setdash } bd
/W { setlinewidth } bd
/SM { setmiterlimit } bd
/SLC { setlinecap } bd
/SLJ { setlinejoin } bd
% Aliases for text operators; MS scales the font by a matrix and selects it.
/SH { show } bd
/FF { findfont } bd
/MS { makefont setfont } bd
% AR: arcto, discarding the four tangent-point values it leaves on the stack.
/AR { arcto 4 {pop} repeat } bd
/CURP { currentpoint } bd
% FLAT: turn the stroked outline of the flattened current path into the
% clipping path, then start a fresh path.
/FLAT { flattenpath strokepath clip newpath } bd
% TGSM: restore the CTM stored under tgiforigctm (defined after this
% dictionary is populated, before the first drawing command).
/TGSM { tgiforigctm setmatrix } def
% TGRM: restore the CTM stored under savematrix.
% NOTE(review): in the visible code savematrix is only defined inside
% tgifarrowtipdict by TGAT -- confirm where TGRM is expected to resolve it.
/TGRM { savematrix setmatrix } def
end
tgifdict begin
/tgifsavedpage save def
1 SM
1 W
0 SG
72 0 MU 72 11.602 MU TR
72 128 DI 100.000 MU 100 DI DU NE SC
GS
/tgiforigctm matrix currentmatrix def
NP
0 SG
   GS
      1 W
      250 45 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NEW REQUEST) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NEW REQUEST) DU TGSW EX SH
            GS CURP M 0 2 RM NE 0 RL S GR
      GR
   GR
0 SG
NP
   250 95 M
   180 125 L
   250 155 L
   320 125 L
CP
GS
GR
GS
   S
GR
NP
0 SG
   GS
      1 W
      250 120 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (the requested URI) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (the requested URI) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (known to be authed?) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (known to be authed?) SH
      GR
   GR
0 SG
GS
   NP
      250 50 M
      45 0 atan DU cos 8.000 MU 250 exch SU
      exch sin 8.000 MU 95 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      250 95 8.000 3.000 0 45 TGAT
   1 SG CP F
   0 SG
   NP
      250 95 8.000 3.000 0 45 TGAT
   CP F
GR
0 SG
GS
   GS
      NP
         684 100 M
         700 100 700 150 16 AR
         700 134 L
         700 150 600 150 16 AR
         616 150 L
         600 150 600 100 16 AR
         600 116 L
         600 100 700 100 16 AR
      CP
      S
   GR
GR
NP
0 SG
   GS
      1 W
      650 120 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (normal request) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (normal request) SH
      GR
   GR
0 SG
GS
   NP
      600 105 M
      -35 -55 atan DU cos 8.000 MU 545 exch SU
      exch sin 8.000 MU 70 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      545 70 8.000 3.000 -55 -35 TGAT
   1 SG CP F
   0 SG
   NP
      545 70 8.000 3.000 -55 -35 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      480 75 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (UNAUTHENTICATED) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (UNAUTHENTICATED) DU TGSW EX SH
            GS CURP M 0 2 RM NE 0 RL S GR
      GR
   GR
0 SG
GS
   NP
      320 125 M
      0 280 atan DU cos 8.000 MU 600 exch SU
      exch sin 8.000 MU 125 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      600 125 8.000 3.000 280 0 TGAT
   1 SG CP F
   0 SG
   NP
      600 125 8.000 3.000 280 0 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      535 100 M
      GS
        GS
        0
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (normal response) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (normal response) SH
      GR
   GR
0 SG
NP
   650 195 M
   580 225 L
   650 255 L
   720 225 L
CP
GS
GR
GS
   S
GR
NP
0 SG
   GS
      1 W
      650 220 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (user/pass) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (user/pass) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (known?) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (known?) SH
      GR
   GR
0 SG
GS
   NP
      650 150 M
      45 0 atan DU cos 8.000 MU 650 exch SU
      exch sin 8.000 MU 195 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      650 195 8.000 3.000 0 45 TGAT
   1 SG CP F
   0 SG
   NP
      650 195 8.000 3.000 0 45 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      655 165 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-INIT) SH
      GR
      0 15 RM
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (200-Optional-INIT) SH
      GR
   GR
0 SG
GS
   NP
      590 230 M
      25 -55 atan DU cos 8.000 MU 535 exch SU
      exch sin 8.000 MU 255 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      535 255 8.000 3.000 -55 25 TGAT
   1 SG CP F
   0 SG
   NP
      535 255 8.000 3.000 -55 25 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      475 260 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (AUTH_REQUESTED) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (AUTH_REQUESTED) DU TGSW EX SH
            GS CURP M 0 2 RM NE 0 RL S GR
      GR
   GR
NP
0 SG
   GS
      1 W
      570 230 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      330 120 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) SH
      GR
   GR
0 SG
NP
   250 295 M
   180 325 L
   250 355 L
   320 325 L
CP
GS
GR
GS
   S
GR
NP
0 SG
   GS
      1 W
      250 320 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (session) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (session) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (available?) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (available?) SH
      GR
   GR
0 SG
GS
   NP
      250 155 M
      140 0 atan DU cos 8.000 MU 250 exch SU
      exch sin 8.000 MU 295 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      250 295 8.000 3.000 0 140 TGAT
   1 SG CP F
   0 SG
   NP
      250 295 8.000 3.000 0 140 TGAT
   CP F
GR
0 SG
GS
   GS
      NP
         284 400 M
         300 400 300 450 16 AR
         300 434 L
         300 450 200 450 16 AR
         216 450 L
         200 450 200 400 16 AR
         200 416 L
         200 400 300 400 16 AR
      CP
      S
   GR
GR
NP
0 SG
   GS
      1 W
      250 420 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-VFY-C) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-VFY-C) SH
      GR
   GR
0 SG
GS
   NP
      250 355 M
      45 0 atan DU cos 8.000 MU 250 exch SU
      exch sin 8.000 MU 400 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      250 400 8.000 3.000 0 45 TGAT
   1 SG CP F
   0 SG
   NP
      250 400 8.000 3.000 0 45 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      190 715 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (UNAUTHENTICATED) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (UNAUTHENTICATED) DU TGSW EX SH
            GS CURP M 0 2 RM NE 0 RL S GR
      GR
   GR
0 SG
GS
   NP
      200 430 M
      180 480 L
      215 0 atan DU cos 8.000 MU 180 exch SU
      exch sin 8.000 MU 695 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      180 695 8.000 3.000 0 215 TGAT
   1 SG CP F
   0 SG
   NP
      180 695 8.000 3.000 0 215 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      225 640 M
      GS
        GS
        0
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (normal response) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (normal response) SH
      GR
   GR
0 SG
GS
   NP
      300 425 M
      0 90 atan DU cos 8.000 MU 390 exch SU
      exch sin 8.000 MU 425 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      390 425 8.000 3.000 90 0 TGAT
   1 SG CP F
   0 SG
   NP
      390 425 8.000 3.000 90 0 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      345 420 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-INIT) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      450 430 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (AUTH_REQUESTED) TGSW 
        AD
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (:) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (AUTH_REQUESTED) DU TGSW EX SH
            GS CURP M 0 2 RM NE 0 RL S GR
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (:) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (forget password) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (forget password) SH
      GR
   GR
0 SG
GS
   NP
      180 325 M
      180 460 L
      250 480 L
      20 0 atan DU cos 8.000 MU 250 exch SU
      exch sin 8.000 MU 500 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      250 500 8.000 3.000 0 20 TGAT
   1 SG CP F
   0 SG
   NP
      250 500 8.000 3.000 0 20 TGAT
   CP F
GR
0 SG
GS
   GS
      NP
         284 500 M
         300 500 300 550 16 AR
         300 534 L
         300 550 200 550 16 AR
         216 550 L
         200 550 200 500 16 AR
         200 516 L
         200 500 300 500 16 AR
      CP
      S
   GR
GR
NP
0 SG
   GS
      1 W
      250 520 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-KEX-C1) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-KEX-C1) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      170 335 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) SH
      GR
   GR
0 SG
GS
   NP
      200 525 M
      180 555 L
      140 0 atan DU cos 8.000 MU 180 exch SU
      exch sin 8.000 MU 695 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      180 695 8.000 3.000 0 140 TGAT
   1 SG CP F
   0 SG
   NP
      180 695 8.000 3.000 0 140 TGAT
   CP F
GR
0 SG
GS
   NP
      450 600 M
      -150 0 atan DU cos 8.000 MU 450 exch SU
      exch sin 8.000 MU 450 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      450 450 8.000 3.000 0 -150 TGAT
   1 SG CP F
   0 SG
   NP
      450 450 8.000 3.000 0 -150 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      455 580 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-INIT) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      450 720 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (AUTH_SUCCEED) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (AUTH_SUCCEED) DU TGSW EX SH
            GS CURP M 0 2 RM NE 0 RL S GR
      GR
   GR
0 SG
GS
   NP
      250 550 M
      80 150 atan DU cos 8.000 MU 400 exch SU
      exch sin 8.000 MU 630 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      400 630 8.000 3.000 150 80 TGAT
   1 SG CP F
   0 SG
   NP
      400 630 8.000 3.000 150 80 TGAT
   CP F
GR
0 SG
GS
   NP
      295 445 M
      250 105 atan DU cos 8.000 MU 400 exch SU
      exch sin 8.000 MU 695 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      400 695 8.000 3.000 105 250 TGAT
   1 SG CP F
   0 SG
   NP
      400 695 8.000 3.000 105 250 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      340 547 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (200-VFY-S) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      280 580 M
      GS
        GS
        0
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-KEX-S1) TGSW 
        AD
        GR
      NE 0 RM
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-KEX-S1) SH
      GR
   GR
0 SG
GS
   GS
      NP
         484 600 M
         500 600 500 650 16 AR
         500 634 L
         500 650 400 650 16 AR
         416 650 L
         400 650 400 600 16 AR
         400 616 L
         400 600 500 600 16 AR
      CP
      S
   GR
GR
NP
0 SG
   GS
      1 W
      450 620 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-A3) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-A3) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      455 662 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (200-VFY-S) SH
      GR
   GR
0 SG
GS
   NP
      450 650 M
      45 0 atan DU cos 8.000 MU 450 exch SU
      exch sin 8.000 MU 695 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      450 695 8.000 3.000 0 45 TGAT
   1 SG CP F
   0 SG
   NP
      450 695 8.000 3.000 0 45 TGAT
   CP F
GR
0 SG
NP
   650 295 M
   580 325 L
   650 355 L
   720 325 L
CP
GS
GR
GS
   S
GR
NP
0 SG
   GS
      1 W
      650 320 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (session) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (session) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (available?) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (available?) SH
      GR
   GR
0 SG
GS
   GS
      NP
         684 400 M
         700 400 700 450 16 AR
         700 434 L
         700 450 600 450 16 AR
         616 450 L
         600 450 600 400 16 AR
         600 416 L
         600 400 700 400 16 AR
      CP
      S
   GR
GR
NP
0 SG
   GS
      1 W
      650 420 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-VFY-C) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-VFY-C) SH
      GR
   GR
0 SG
GS
   NP
      650 355 M
      45 0 atan DU cos 8.000 MU 650 exch SU
      exch sin 8.000 MU 400 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      650 400 8.000 3.000 0 45 TGAT
   1 SG CP F
   0 SG
   NP
      650 400 8.000 3.000 0 45 TGAT
   CP F
GR
0 SG
GS
   GS
      NP
         684 500 M
         700 500 700 550 16 AR
         700 534 L
         700 550 600 550 16 AR
         616 550 L
         600 550 600 500 16 AR
         600 516 L
         600 500 700 500 16 AR
      CP
      S
   GR
GR
NP
0 SG
   GS
      1 W
      650 520 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (send) SH
      GR
      0 15 RM
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-KEX-C1) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (req-KEX-C1) SH
      GR
   GR
0 SG
GS
   NP
      650 255 M
      40 0 atan DU cos 8.000 MU 650 exch SU
      exch sin 8.000 MU 295 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      650 295 8.000 3.000 0 40 TGAT
   1 SG CP F
   0 SG
   NP
      650 295 8.000 3.000 0 40 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      520 420 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-INIT) SH
      GR
   GR
0 SG
GS
   NP
      600 425 M
      0 -90 atan DU cos 8.000 MU 510 exch SU
      exch sin 8.000 MU 425 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      510 425 8.000 3.000 -90 0 TGAT
   1 SG CP F
   0 SG
   NP
      510 425 8.000 3.000 -90 0 TGAT
   CP F
GR
0 SG
GS
   NP
      720 325 M
      720 465 L
      650 480 L
      20 0 atan DU cos 8.000 MU 650 exch SU
      exch sin 8.000 MU 500 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      650 500 8.000 3.000 0 20 TGAT
   1 SG CP F
   0 SG
   NP
      650 500 8.000 3.000 0 20 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      620 580 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-KEX-S1) SH
      GR
   GR
0 SG
GS
   NP
      650 550 M
      75 -150 atan DU cos 8.000 MU 500 exch SU
      exch sin 8.000 MU 625 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      500 625 8.000 3.000 -150 75 TGAT
   1 SG CP F
   0 SG
   NP
      500 625 8.000 3.000 -150 75 TGAT
   CP F
GR
0 SG
GS
   NP
      605 445 M
      250 -105 atan DU cos 8.000 MU 500 exch SU
      exch sin 8.000 MU 695 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      500 695 8.000 3.000 -105 250 TGAT
   1 SG CP F
   0 SG
   NP
      500 695 8.000 3.000 -105 250 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      560 547 M
      GS
        GS
        0
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (200-VFY-S) TGSW 
        AD
        GR
      NE 0 RM
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (200-VFY-S) SH
      GR
   GR
0 SG
GS
   NP
      300 440 M
      65 305 atan DU cos 8.000 MU 605 exch SU
      exch sin 8.000 MU 505 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      605 505 8.000 3.000 305 65 TGAT
   1 SG CP F
   0 SG
   NP
      605 505 8.000 3.000 305 65 TGAT
   CP F
GR
0 SG
GS
   NP
      625 450 M
      50 0 atan DU cos 8.000 MU 625 exch SU
      exch sin 8.000 MU 500 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      625 500 8.000 3.000 0 50 TGAT
   1 SG CP F
   0 SG
   NP
      625 500 8.000 3.000 0 50 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      350 475 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-STALE) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      630 465 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-STALE) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      730 320 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (NO) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      665 265 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      235 165 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      265 365 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      635 365 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (YES) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      775 45 M
      GS
        GS
        0
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (USER/PASS INPUTED) TGSW 
        AD
        GR
      2 DI NE 0 RM
            0 SG
            /Times-Roman FF [12 0 0 -12 0 0] MS
            (USER/PASS INPUTED) DU TGSW EX SH
            GS CURP M 0 2 RM NE 0 RL S GR
      GR
   GR
0 SG
GS
   NP
      780 50 M
      780 470 L
      35 -85 atan DU cos 8.000 MU 695 exch SU
      exch sin 8.000 MU 505 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      695 505 8.000 3.000 -85 35 TGAT
   1 SG CP F
   0 SG
   NP
      695 505 8.000 3.000 -85 35 TGAT
   CP F
GR
0 SG
GS
   NP
      295 405 M
      330 355 L
      330 180 L
      0 325 atan DU cos 8.000 MU 655 exch SU
      exch sin 8.000 MU 180 exch SU L
   TGSM
   1 W
   S
GR
GS
   TGSM
   NP
      655 180 8.000 3.000 325 0 TGAT
   1 SG CP F
   0 SG
   NP
      655 180 8.000 3.000 325 0 TGAT
   CP F
GR
NP
0 SG
   GS
      1 W
      345 160 M
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (401-INIT, 200-Optional-INIT) SH
      GR
      0 15 RM
      GS
            0 SG
            /Times-BoldItalic FF [12 0 0 -12 0 0] MS
            (         with different realm ) SH
      GR
   GR
0 SG
GS
   NP
      295 505 M
      330 460 L
      330 355 L
   TGSM
   1 W
   S
GR
NP
0 SG
   GS
      1 W
      195 105 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(1\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      200 325 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(2\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      210 415 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(3\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      210 515 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(4\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      610 115 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(5\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      605 330 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(7\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      610 415 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(8\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      610 515 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(9\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      600 230 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(6\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      390 75 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(11\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      130 695 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(11\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      415 240 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(12\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      395 410 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(13\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      410 615 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(10\)) SH
      GR
   GR
NP
0 SG
   GS
      1 W
      410 700 M
      GS
            0 SG
            /Helvetica FF [12 0 0 -12 0 0] MS
            (\(14\)) SH
      GR
   GR
GR
tgifsavedpage restore
end
showpage
restore
grestore
400.0 0.0 RM
169 -489.5 M
%%IncludeResource: font Times-Bold
7.63889 2 Nf
(\240Figure\2405: State diagram for ) S
(clients\240) S
0 -503.4 M
gsave
0.6 setlinewidth
0 setgray
454.0 0 RL
stroke
grestore
0.0 -11.0 RM
0 -514.4 M
[/View [/XYZ -4 242.551392 null] /Dest /73 /DEST pdfmark
0 -514.4 M
[/View [/XYZ -4 242.551392 null] /Dest /74 /DEST pdfmark
0 -533.4 M
15 2 Nf
(10.) S
[/View [/XYZ -4 241.551392 null] /Dest /199 /DEST pdfmark
( Decision Procedure for ) S
(Servers) S
0 -557.6 M
11 0 Nf
0.0256076381 0 32 0 0 (Each server SHOULD have a table of session states. This table need not be persistent over a long term;) A
0 -570.8 M
0.69255513 0 32 0 0 (it MAY be cleared upon server restart, reboot, or others. Each entry in the table SHOULD contain at) A
0 -584 M
(least the following information: ) S
11 -604.6 M
gsave
0 setgray
newpath
11.0 -604.618652 2.75 0 360 arc
closepath
fill
grestore
22 -608.2 M
(The session identifier, the value of the sid parameter. ) S
11 -618.8 M
gsave
0 setgray
newpath
11.0 -618.818665 2.75 0 360 arc
closepath
fill
grestore
22 -622.4 M
(The algorithm used. ) S
11 -633 M
gsave
0 setgray
newpath
11.0 -633.018677 2.75 0 360 arc
closepath
fill
grestore
22 -636.6 M
(The authentication realm. ) S
11 -647.2 M
gsave
0 setgray
newpath
11.0 -647.218689 2.75 0 360 arc
closepath
fill
grestore
22 -650.8 M
(The state of the protocol: one of "key exchanging", "authenticated", "rejected", or "inactive". ) S
11 -661.4 M
gsave
0 setgray
newpath
11.0 -661.418701 2.75 0 360 arc
closepath
fill
grestore
22 -665 M
(The user name received from the client ) S
22 -666 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 23 -) S
0 setgray
44 -8 M
grestore
pgsave restore N
%%Page: 24 24
%%PageResources: font Times-Roman Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
11 -9.6 M
gsave
0 setgray
newpath
11.0 -9.57000065 2.75 0 360 arc
closepath
fill
grestore
22 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
(The boolean flag noting whether or not the session is fake. ) S
11 -23.8 M
gsave
0 setgray
newpath
11.0 -23.77 2.75 0 360 arc
closepath
fill
grestore
22 -27.4 M
11 0 Nf
(When the state is "key exchanging", the values of ) S
(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( and ) S
(S) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(. ) S
0.0 -2.2 RM
11 -40.2 M
gsave
0 setgray
newpath
11.0 -40.170002 2.75 0 360 arc
closepath
fill
grestore
22 -43.8 M
(When the state is "authenticated", the following information: ) S
33 -54.4 M
gsave
0 setgray
newpath
33.0 -54.3700027 2.75 0 360 arc
closepath
stroke
grestore
44 -58 M
(The value of the session secret z ) S
33 -68.6 M
gsave
0 setgray
newpath
33.0 -68.5700073 2.75 0 360 arc
closepath
stroke
grestore
44 -72.2 M
(The largest nc received from the client \(largest-nc\) ) S
33 -82.8 M
gsave
0 setgray
newpath
33.0 -82.7700043 2.75 0 360 arc
closepath
stroke
grestore
44 -86.4 M
3.39531255 0 32 0 0 (For each possible nc value between \(largest-nc\240-\240nc-window\240+\2401\) and max_nc, a flag) A
44 -99.6 M
(whether or not a request with the corresponding nc has been received. ) S
0 -123.8 M
(The table MAY contain other information. ) S
0 -148 M
(Servers SHOULD respond to the client requests according to the following procedure: ) S
11 -168.6 M
gsave
0 setgray
newpath
11.0 -168.57 2.75 0 360 arc
closepath
fill
grestore
22 -172.2 M
(When the server receives a normal request: ) S
33 -182.8 M
gsave
0 setgray
newpath
33.0 -182.77 2.75 0 360 arc
closepath
stroke
grestore
44 -186.4 M
2.40655041 0 32 0 0 (If the requested resource is not protected by the Mutual Authentication, send a normal) A
44 -199.6 M
(response. ) S
33 -210.2 M
gsave
0 setgray
newpath
33.0 -210.17 2.75 0 360 arc
closepath
stroke
grestore
44 -213.8 M
(If the resource is protected by the Mutual Authentication, send a 401-INIT response. ) S
33 -224.4 M
gsave
0 setgray
newpath
33.0 -224.37 2.75 0 360 arc
closepath
stroke
grestore
44 -228 M
0.0872395858 0 32 0 0 (If the resource is protected by the optional Mutual Authentication, send a 200-Optional-INIT ) A
44 -241.2 M
(response.) S
11 -251.8 M
gsave
0 setgray
newpath
11.0 -251.769989 2.75 0 360 arc
closepath
fill
grestore
22 -255.4 M
(When the server receives a req-KEX-C1 request: ) S
33 -266 M
gsave
0 setgray
newpath
33.0 -265.969971 2.75 0 360 arc
closepath
stroke
grestore
44 -269.6 M
2.40655041 0 32 0 0 (If the requested resource is not protected by the Mutual Authentication, send a normal) A
44 -282.8 M
(response. ) S
33 -293.4 M
gsave
0 setgray
newpath
33.0 -293.37 2.75 0 360 arc
closepath
stroke
grestore
44 -297 M
0.0323660709 0 32 0 0 (If the authentication realm specified in the req-KEX-C1 request is not the expected one, send) A
44 -310.2 M
(either a 401-INIT or a 200-Optional-INIT response. ) S
33 -320.8 M
gsave
0 setgray
newpath
33.0 -320.77002 2.75 0 360 arc
closepath
stroke
grestore
44 -324.4 M
(If the server cannot validate the parameter kc1, send a 401-INIT response. ) S
33 -335 M
gsave
0 setgray
newpath
33.0 -334.970032 2.75 0 360 arc
closepath
stroke
grestore
44 -338.6 M
0.818638384 0 32 0 0 (If the received user name is either invalid, unknown or unacceptable, create a new session,) A
44 -351.8 M
11 0 Nf
1.6470052 0 32 0 0 (mark it as a "fake" session, compute a random value as ) A
1.6470052 0 32 0 0 (K) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
1.6470052 0 32 0 0 (s1) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
1.6470052 0 32 0 0 (, and send a fake 401-KEX-S1) A
0.0 -2.2 RM
44 -367.2 M
0.152043268 0 32 0 0 (response. \(Note: the server SHOULD\240NOT send a 401-INIT response in this case, because it) A
44 -380.4 M
1.08854163 0 32 0 0 (will leak the information to the client that the specified user will not be accepted. Instead,) A
44 -393.6 M
(postpone it to the response for the next req-VFY-C request.\) ) S
33 -404.2 M
gsave
0 setgray
newpath
33.0 -404.170074 2.75 0 360 arc
closepath
stroke
grestore
44 -407.8 M
11 0 Nf
(Otherwise, create a new session, compute ) S
(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( and send a 401-KEX-S1 ) S
(response.) S
0.0 -2.2 RM
22 -423.2 M
(The created session has the "key exchanging" state. ) S
11 -433.8 M
gsave
0 setgray
newpath
11.0 -433.770111 2.75 0 360 arc
closepath
fill
grestore
22 -437.4 M
(When the server receives a req-VFY-C request: ) S
33 -448 M
gsave
0 setgray
newpath
33.0 -447.970123 2.75 0 360 arc
closepath
stroke
grestore
44 -451.6 M
2.40655041 0 32 0 0 (If the requested resource is not protected by the Mutual Authentication, send a normal) A
44 -464.8 M
(response. ) S
33 -475.4 M
gsave
0 setgray
newpath
33.0 -475.370148 2.75 0 360 arc
closepath
stroke
grestore
44 -479 M
0.468471 0 32 0 0 (If the authentication realm specified in the req-VFY-C request is not the expected one, send) A
44 -492.2 M
(either a 401-INIT or a 200-Optional-INIT ) S
(response.) S
22 -505.4 M
0.752197266 0 32 0 0 (If none of the above holds true, the server will look up the session corresponding to the received sid) A
22 -518.6 M
(and the authentication realm. ) S
33 -529.2 M
gsave
0 setgray
newpath
33.0 -529.170166 2.75 0 360 arc
closepath
stroke
grestore
44 -532.8 M
0.59260112 0 32 0 0 (If the session corresponding to the received sid could not be found, or it is in the "inactive") A
44 -546 M
(state, send a 401-STALE response. ) S
33 -556.6 M
gsave
0 setgray
newpath
33.0 -556.57019 2.75 0 360 arc
closepath
stroke
grestore
44 -560.2 M
(If the session is in the "rejected" state, send either a 401-INIT or a 401-STALE message. ) S
33 -570.8 M
gsave
0 setgray
newpath
33.0 -570.770203 2.75 0 360 arc
closepath
stroke
grestore
44 -574.4 M
2.48291016 0 32 0 0 (If the session is in the "authenticated" state, and the request has an nc value that was) A
44 -587.6 M
0.671549499 0 32 0 0 (previously received from the client, send a 401-STALE message. The session SHOULD be) A
44 -600.8 M
(changed to the "inactive" status. ) S
33 -611.4 M
gsave
0 setgray
newpath
33.0 -611.370239 2.75 0 360 arc
closepath
stroke
grestore
44 -615 M
0.138157889 0 32 0 0 (If the nc value in the request is larger than the nc-max parameter sent from the server, or if it) A
44 -628.2 M
0.262319714 0 32 0 0 (is not larger than \(largest-nc - nc-window\) \(when in "authenticated" status\), the server MAY) A
44 -641.4 M
0.4765625 0 32 0 0 (\(but not REQUIRED to\) send a 401-STALE message. The session SHOULD be changed to) A
44 -654.6 M
(the "inactive" status if so. ) S
33 -665.2 M
gsave
0 setgray
newpath
33.0 -665.170288 2.75 0 360 arc
closepath
stroke
grestore
44 -668.8 M
1.08065259 0 32 0 0 (If the session is a "fake" session, or if the received vkc is incorrect, then send a 401-INIT) A
44 -668.8 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 24 -) S
0 setgray
88 -8 M
grestore
pgsave restore N
%%Page: 25 25
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
44 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.83203125 0 32 0 0 (response. If the session is in the "key exchanging" state, it SHOULD be changed to the) A
44 -13.2 M
0.933749676 0.933749676 scale

0.0 -13.2 RM
11 0 Nf
("rejected" state; otherwise, it MAY either be changed to the "rejected" status or kept in the previous) S
1.07095087 1.07095087 scale

44 -38.7 M
(state. ) S
33 -49.3 M
gsave
0 setgray
newpath
33.0 -49.2954979 2.75 0 360 arc
closepath
stroke
grestore
44 -52.9 M
0.131138399 0 32 0 0 (Otherwise, send a 200-VFY-S response. If the session was in the "key exchanging" state, the) A
44 -52.9 M
0.93326813 0.93326813 scale

0.0 -13.2 RM
(session SHOULD be changed to an "authenticated" state. The maximum nc and nc flags of the state) S
1.0715034 1.0715034 scale

44 -78.4 M
(SHOULD be updated properly. ) S
0 -102.6 M
1.42135417 0 32 0 0 (At any time, the server MAY change any state entries with either the "rejected" or "authenticated") A
0 -115.8 M
1.48177087 0 32 0 0 (status to the "inactive" status, and MAY discard any "inactive" states from the table. The entries) A
0 -129 M
0.936035156 0 32 0 0 (with the "key exchanging" status SHOULD be kept unless there is an emergency situation such as a) A
0 -142.2 M
(server reboot or a table capacity overflow. ) S
0 -153.2 M
[/View [/XYZ -4 603.755371 null] /Dest /75 /DEST pdfmark
0 -153.2 M
[/View [/XYZ -4 603.755371 null] /Dest /76 /DEST pdfmark
0 -172.2 M
%%IncludeResource: font Times-Bold
15 2 Nf
(11.) S
[/View [/XYZ -4 602.755371 null] /Dest /200 /DEST pdfmark
( Authentication ) S
(Algorithms) S
0 -196.4 M
11 0 Nf
0.647786438 0 32 0 0 (Cryptographic authentication algorithms which are used with this protocol will be defined separately.) A
0 -209.6 M
(The algorithm definition MUST at least provide definitions for the following ) S
(functions:) S
11 -230.2 M
gsave
0 setgray
newpath
11.0 -230.21463 2.75 0 360 arc
closepath
fill
grestore
22 -233.8 M
(The server-side authentication credential J, derived from user-side authentication credential pi. ) S
11 -244.4 M
gsave
0 setgray
newpath
11.0 -244.414627 2.75 0 360 arc
closepath
fill
grestore
22 -248 M
11 0 Nf
(Key exchange values ) S
(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(, ) S
(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( \(exchanged on wire\) and ) S
(S) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(, ) S
(S) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( \(kept secret in each peer\). ) S
0.0 -2.2 RM
11 -260.8 M
gsave
0 setgray
newpath
11.0 -260.814606 2.75 0 360 arc
closepath
fill
grestore
22 -264.4 M
(Shared secret z, to be computed on both the server side and the client side. ) S
11 -275 M
gsave
0 setgray
newpath
11.0 -275.014618 2.75 0 360 arc
closepath
fill
grestore
22 -278.6 M
(A hash function H to be used with the ) S
(protocol.) S
0 -302.8 M
0.977539062 0 32 0 0 (All algorithms used with this protocol SHOULD provide secure mutual authentication between client) A
0 -316 M
1.234375 0 32 0 0 (and servers, and generate a cryptographically strong shared secret value z, equivalently strong to or) A
0 -329.2 M
1.65937495 0 32 0 0 (stronger than the hash function H. If any passwords \(or pass-phrases or any equivalents, i.e. weak) A
0 -342.4 M
1.37439907 0 32 0 0 (secrets\) are involved, these SHOULD\240NOT be guessable from any data transmitted in the protocol,) A
0 -355.6 M
7.18088961 0 32 0 0 (even if an attacker \(either an eavesdropper or an active server\) knows the possible) A
0 -368.8 M
2.95703125 0 32 0 0 (thoroughly-searchable candidate list of the passwords. Furthermore, if possible, the function for) A
0 -382 M
0.690805316 0 32 0 0 (deriving server-side authentication credential J is RECOMMENDED to be one-way so that pi should) A
0 -395.2 M
(not be easily computed from ) S
(J\(pi\).) S
0 -406.2 M
[/View [/XYZ -4 350.75528 null] /Dest /77 /DEST pdfmark
0 -406.2 M
[/View [/XYZ -4 350.75528 null] /Dest /78 /DEST pdfmark
0 -421.8 M
13 2 Nf
(11.1.) S
[/View [/XYZ -4 350.75528 null] /Dest /201 /DEST pdfmark
( Support Functions and ) S
(Notations) S
0 -446 M
11 0 Nf
1.49557292 0 32 0 0 (In this section we define several support functions and notations to be shared by several algorithm ) A
0 -459.2 M
(definitions:) S
0 -483.4 M
(The integers in the specification are in decimal, or in hexadecimal when prefixed with ) S
("0x".) S
0 -507.6 M
1.30009186 0 32 0 0 (The function octet\(c\) generates a single octet string whose code value is equal to c. The operator |,) A
0 -520.8 M
(when applied to octet strings, denotes the concatenation of two ) S
(operands.) S
0 -545 M
1.88616073 0 32 0 0 (The function VI encodes natural numbers into octet strings in the following manner: numbers are) A
0 -558.2 M
0.163783476 0 32 0 0 (represented in big-endian radix-128 string, where each digit is represented by an octet within 0x80\2350xff) A
0 -571.4 M
0.217285156 0 32 0 0 (except the last digit represented by an octet within 0x00\2350x7f. The first octet MUST\240NOT be 0x80. For) A
0 -584.6 M
0.31266275 0 32 0 0 (example, VI\(i\) = octet\(i\) for i < 128, and VI\(i\) = octet\(0x80 + \(i >> 7\)\) | octet\(i & 127\) for 128 <= i <) A
0 -597.8 M
1.04848349 0 32 0 0 (16384. This encoding is the same as the one used for the subcomponents of object identifiers in ) A
gsave
newpath
440.5 -598.9 M
13.4375 0 RL
stroke
grestore
1.04848349 0 32 0 0 (the) A
[/Rect [439.535156 -600.594849 454.972656 -588.494873] /Subtype /Link /Border [0 0 0] /Dest /118 /ANN pdfmark
0 -611 M
gsave
newpath
0 -612.1 M
33.7176323 0 RL
stroke
grestore
0.721540153 0 32 0 0 (ASN.1 ) A
gsave
newpath
33.7 -612.1 M
40.3203125 0 RL
stroke
grestore
0.721540153 0 32 0 0 (encoding) A
[/Rect [-1.0 -613.794861 75.0351562 -601.694885] /Subtype /Link /Border [0 0 0] /Dest /118 /ANN pdfmark
0.721540153 0 32 0 0 ( [ITU.X690.1994], and available as a "w" conversion in the pack function of several) A
0 -624.2 M
(scripting languages. ) S
0 -635.2 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 25 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 26 26
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.15820312 0 32 0 0 (The function VS encodes a variable-length octet string into a uniquely-decoded, self-delimited octet) A
0 -26.4 M
(string, in the following manner: ) S
0 -50.6 M
(VS\(s\) = VI\(length\(s\)\) | s ) S
0 -74.8 M
(where length\(s\) is the number of octets \(not characters\) in s. ) S
0 -99 M
(Some ) S
(examples:) S
11 -123.2 M
(VI\(0\) = "\\000" \(in C string ) S
(notation\)) S
11 -147.4 M
(VI\(100\) = ) S
("d") S
11 -171.6 M
(VI\(10000\) = ) S
("\\316\\020") S
11 -195.8 M
(VI\(1000000\) = ) S
("\\275\\204@") S
11 -220 M
(VS\(""\) = ) S
("\\000") S
11 -244.2 M
(VS\("Tea"\) = ) S
("\\003Tea") S
11 -268.4 M
(VS\("Caf<e acute>" [in UTF-8]\) = ) S
("\\005Caf\\303\\251") S
11 -292.6 M
(VS\([10000 "a"s]\) = "\\316\\020aaaaa..." \(10002 ) S
(octets\)) S
0 -316.8 M
2.7606535 0 32 0 0 ([Editorial note: Unlike the colon-separated notation used in the Basic/Digest HTTP authentication) A
0 -330 M
0.752790153 0 32 0 0 (scheme, the string generated by a concatenation of the VS-encoded strings will be unique, regardless) A
0 -343.2 M
(of the characters included in the strings to be encoded.] ) S
0 -367.4 M
1.48697913 0 32 0 0 (The function OCTETS converts an integer into the corresponding radix-256 big-endian octet string) A
0 -380.6 M
(having its natural length: See ) S
gsave
newpath
131 -381.7 M
57.7382812 0 RL
stroke
grestore
(Section\2403.1.3) S
[/Rect [130.035156 -383.350067 189.773438 -371.250061] /Subtype /Link /Border [0 0 0] /Dest /45 /ANN pdfmark
( for the definition of "natural length". ) S
0 -391.6 M
[/View [/XYZ -4 365.399933 null] /Dest /79 /DEST pdfmark
0 -391.6 M
[/View [/XYZ -4 365.399933 null] /Dest /80 /DEST pdfmark
0 -407.2 M
%%IncludeResource: font Times-Bold
13 2 Nf
(11.2.) S
[/View [/XYZ -4 365.399933 null] /Dest /202 /DEST pdfmark
( Default Functions for ) S
(Algorithms) S
0 -431.4 M
11 0 Nf
(The functions defined in this section are common default functions among authentication algorithms. ) S
0 -455.6 M
2.85216355 0 32 0 0 (The client-side password-based string pi used by this authentication is derived in the following) A
0 -468.8 M
(manner: ) S
0 -493 M
(pi = H\(VS\(algorithm\) | VS\(auth-domain\) | VS\(realm\) | VS\(username\) | VS\(ph\(password\)\)\). ) S
0 -517.2 M
0.438281238 0 32 0 0 (The values of algorithm, realm, and auth-domain are taken from the values contained in the 401-INIT) A
0 -530.4 M
0.143798828 0 32 0 0 (\(or 200-Optional-INIT, hereafter implied\) message. When pi is used in the context of an octet string, it) A
0 -543.6 M
1.02604163 0 32 0 0 (SHALL have the natural length derived from the size of the output of function H \(e.g. 32 octets for) A
0 -556.8 M
0.142578125 0 32 0 0 (SHA-256\). The function ph is determined by the value of the pwd-hash parameter given in a 401-INIT) A
0 -570 M
1.65885413 0 32 0 0 (message. If the password comes from a user input, it SHOULD first be prepared using ) A
gsave
newpath
407.5 -571.1 M
46.4296875 0 RL
stroke
grestore
1.65885413 0 32 0 0 (SASLprep) A
[/Rect [406.53125 -572.750183 454.960938 -560.650208] /Subtype /Link /Border [0 0 0] /Dest /109 /ANN pdfmark
0 -583.2 M
([RFC4013]. Then, the password SHALL be encoded as a UTF-8 string before being passed to ph. ) S
0 -607.4 M
11 0 Nf
(The values ) S
(VK) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( and ) S
(VK) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( are derived by the following equation. ) S
0.0 -2.2 RM
0 -633.8 M
11 0 Nf
(VK) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( = H\(octet\(4\) | ) S
(OCTETS\(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(\) | ) S
(OCTETS\(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(\) | OCTETS\(z\) | VI\(nc\) | VS\(v\)\) ) S
0.0 -2.2 RM
0 -649.2 M
11 0 Nf
(VK) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( = H\(octet\(3\) | ) S
(OCTETS\(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(\) | ) S
(OCTETS\(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(\) | OCTETS\(z\) | VI\(nc\) | VS\(v\)\) ) S
0.0 -2.2 RM
0 -651.4 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 26 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 27 27
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.495768219 0 32 0 0 (Specifications for cryptographic algorithms used with this framework MAY override the functions pi, ) A
0 -26.4 M
11 0 Nf
0.711718738 0 32 0 0 (VK) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
0.711718738 0 32 0 0 (c) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
0.711718738 0 32 0 0 (, and ) A
0.711718738 0 32 0 0 (VK) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
0.711718738 0 32 0 0 (s) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
0.711718738 0 32 0 0 ( defined above. In such cases implementations MUST use the ones defined with such) A
0.0 -2.2 RM
0 -41.8 M
(algorithm specifications. ) S
0 -52.8 M
[/View [/XYZ -4 704.2 null] /Dest /81 /DEST pdfmark
0 -52.8 M
[/View [/XYZ -4 704.2 null] /Dest /82 /DEST pdfmark
0 -71.8 M
%%IncludeResource: font Times-Bold
15 2 Nf
(12.) S
[/View [/XYZ -4 703.2 null] /Dest /203 /DEST pdfmark
( Application Channel ) S
(Binding) S
0 -96 M
11 0 Nf
3.67695308 0 32 0 0 (Applications and upper-layer communication protocols may need authentication binding to the) A
0 -109.2 M
0.434495181 0 32 0 0 (HTTP-layer authenticated user. Such applications MAY use the following values as a standard shared) A
0 -122.4 M
(secret. ) S
0 -146.6 M
1.21328127 0 32 0 0 (These values are parameterized with an optional octet string \(t\) which may be arbitrarily chosen by) A
0 -159.8 M
(each application or protocol. If there is no appropriate value to be specified, use a null string for t. ) S
0 -184 M
1.23270094 0 32 0 0 (For applications requiring binding to either an authenticated user or a shared-key session \(to ensure) A
0 -197.2 M
11 0 Nf
(that the requesting client is certainly authenticated\), the following value ) S
(b) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( MAY be used. ) S
0.0 -2.2 RM
0 -223.6 M
11 0 Nf
3.07830262 0 32 0 0 (b) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
3.07830262 0 32 0 0 (1) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
3.07830262 0 32 0 0 ( = OCTETS\(H\(OCTETS\(H\(octet\(6\) | ) A
3.07830262 0 32 0 0 (OCTETS\(K) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
3.07830262 0 32 0 0 (c1) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
3.07830262 0 32 0 0 (\) | ) A
3.07830262 0 32 0 0 (OCTETS\(K) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
3.07830262 0 32 0 0 (s1) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
3.07830262 0 32 0 0 (\) | OCTETS\(z\) | VI\(0\) |) A
0.0 -2.2 RM
0 -239 M
(VS\(v\)\)\) | VS\(t\)\)\). ) S
0 -263.2 M
0.0864257812 0 32 0 0 (For applications requiring binding to a specific request \(to ensure that the payload data is generated for) A
0 -276.4 M
11 0 Nf
(the exact HTTP request\), the following value ) S
(b) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(2) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( MAY be used. ) S
0.0 -2.2 RM
0 -302.8 M
11 0 Nf
2.63441062 0 32 0 0 (b) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
2.63441062 0 32 0 0 (2) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
2.63441062 0 32 0 0 ( = OCTETS\(H\(OCTETS\(H\(octet\(7\) | ) A
2.63441062 0 32 0 0 (OCTETS\(K) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
2.63441062 0 32 0 0 (c1) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
2.63441062 0 32 0 0 (\) | ) A
2.63441062 0 32 0 0 (OCTETS\(K) A
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
2.63441062 0 32 0 0 (s1) A
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
2.63441062 0 32 0 0 (\) | OCTETS\(z\) | VI\(nc\) |) A
0.0 -2.2 RM
0 -318.2 M
(VS\(v\)\)\) | VS\(t\)\)\). ) S
0 -342.4 M
(Note: Channel bindings to lower-layer transports \(TCP and TLS\) are defined in ) S
gsave
newpath
352.5 -343.5 M
41.2382812 0 RL
stroke
grestore
(Section\2407) S
[/Rect [351.460938 -345.15 394.699219 -333.05] /Subtype /Link /Border [0 0 0] /Dest /66 /ANN pdfmark
(. ) S
0 -353.4 M
[/View [/XYZ -4 403.6 null] /Dest /83 /DEST pdfmark
0 -353.4 M
[/View [/XYZ -4 403.6 null] /Dest /84 /DEST pdfmark
0 -372.4 M
15 2 Nf
(13.) S
[/View [/XYZ -4 402.6 null] /Dest /204 /DEST pdfmark
( Application for Proxy ) S
(Authentication) S
0 -396.6 M
11 0 Nf
4.30979586 0 32 0 0 (The authentication scheme defined by the previous sections can be applied mutatis mutandis for proxy) A
0 -409.8 M
(authentications. In such cases, the following alterations MUST be ) S
(applied:) S
11 -430.4 M
gsave
0 setgray
newpath
11.0 -430.370026 2.75 0 360 arc
closepath
fill
grestore
22 -434 M
(The 407 status is to be sent and recognized for places where the 401 status is used, ) S
11 -444.6 M
gsave
0 setgray
newpath
11.0 -444.570038 2.75 0 360 arc
closepath
fill
grestore
22 -448.2 M
(Proxy-Authenticate: header is to be used for places where WWW-Authenticate: is used, ) S
11 -458.8 M
gsave
0 setgray
newpath
11.0 -458.77005 2.75 0 360 arc
closepath
fill
grestore
22 -462.4 M
(Proxy-Authorization: header is to be used for places where Authorization: is used, ) S
11 -473 M
gsave
0 setgray
newpath
11.0 -472.970062 2.75 0 360 arc
closepath
fill
grestore
22 -476.6 M
(Proxy-Authentication-Info: header is to be used for places where Authentication-Info: is used, ) S
11 -487.2 M
gsave
0 setgray
newpath
11.0 -487.170074 2.75 0 360 arc
closepath
fill
grestore
22 -490.8 M
1.76041663 0 32 0 0 (The auth-domain parameter is fixed to the host-name of the proxy, which means to cover all) A
22 -504 M
(requests processed through the specific proxy, ) S
11 -514.6 M
gsave
0 setgray
newpath
11.0 -514.570068 2.75 0 360 arc
closepath
fill
grestore
22 -518.2 M
3.32301688 0 32 0 0 (The limitation for the paths contained in the path parameter of 401-KEX-S1 messages is) A
22 -531.4 M
(disregarded, ) S
11 -542 M
gsave
0 setgray
newpath
11.0 -541.970093 2.75 0 360 arc
closepath
fill
grestore
22 -545.6 M
2.30175781 0 32 0 0 (The omission of the path parameter of 401-KEX-S1 messages means that the authentication) A
22 -558.8 M
(realm will potentially cover all requests processed by the proxy, ) S
11 -569.4 M
gsave
0 setgray
newpath
11.0 -569.370117 2.75 0 360 arc
closepath
fill
grestore
22 -573 M
(The scheme, host name and the port of the proxy are used for validation tokens, and ) S
11 -583.6 M
gsave
0 setgray
newpath
11.0 -583.570129 2.75 0 360 arc
closepath
fill
grestore
22 -587.2 M
(Authentication extension in ) S
gsave
newpath
146.3 -588.3 M
135.890625 0 RL
stroke
grestore
([I-D.oiwa-http-auth-extension]) S
[/Rect [145.320312 -589.950134 283.210938 -577.850159] /Subtype /Link /Border [0 0 0] /Dest /106 /ANN pdfmark
( is not ) S
(applicable.) S
0 -611.4 M
1.53723955 0 32 0 0 (The requirements for client software to display the authentication status to the end-user are also not) A
0 -624.6 M
3.60123706 0 32 0 0 (applicable for proxy authentication. If the client software supports both end-to-end and proxy) A
0 -637.8 M
1.20870531 0 32 0 0 (authentication using this protocol, it SHOULD be careful that the authentication status of the proxy) A
0 -651 M
0.08203125 0 32 0 0 (communication will never be confused by users with authentication statuses of the end-to-end resource) A
0 -664.2 M
(authentications. ) S
0 -664.2 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 27 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 28 28
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /85 /DEST pdfmark
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /86 /DEST pdfmark
0 -18 M
%%IncludeResource: font Times-Bold
15 2 Nf
(14.) S
[/View [/XYZ -4 757.0 null] /Dest /205 /DEST pdfmark
( Methods to Extend This ) S
(Protocol) S
0 -42.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.2294271 0 32 0 0 (If a private extension to this protocol is implemented, it MUST use the extension-tokens defined in ) A
0 -55.4 M
gsave
newpath
0 -56.5 M
41.2382812 0 RL
stroke
grestore
7.59126425 0 32 0 0 (Section\2403) A
[/Rect [-1.0 -58.15 42.2382812 -46.0500031] /Subtype /Link /Border [0 0 0] /Dest /36 /ANN pdfmark
7.59126425 0 32 0 0 ( to avoid conflicts with this protocol and other extensions. \(standardized or) A
0 -68.6 M
(being-standardized extensions MAY use either bare-tokens or extension-tokens.\) ) S
0 -92.8 M
1.421875 0 32 0 0 (Specifications defining authentication algorithms MAY use other representations for the parameters) A
0 -106 M
0.350446433 0 32 0 0 ("kc1", "ks1", "vkc", and "vks", replace those parameter names, and/or add parameters to the messages) A
0 -119.2 M
2.85507822 0 32 0 0 (containing those parameters in supplemental specifications, provided that syntactic and semantic) A
0 -132.4 M
0.987723231 0 32 0 0 (requirements in ) A
gsave
newpath
73.4 -133.5 M
41.2382812 0 RL
stroke
grestore
0.987723231 0 32 0 0 (Section\2403) A
[/Rect [72.4335938 -135.15 115.671875 -123.049995] /Subtype /Link /Border [0 0 0] /Dest /36 /ANN pdfmark
0.987723231 0 32 0 0 (, ) A
gsave
newpath
121.2 -133.5 M
138.335938 0 RL
stroke
grestore
0.987723231 0 32 0 0 ([I-D.ietf-httpbis-p1-messaging]) A
[/Rect [120.15625 -135.15 260.492188 -123.049995] /Subtype /Link /Border [0 0 0] /Dest /104 /ANN pdfmark
0.987723231 0 32 0 0 ( and ) A
gsave
newpath
282.8 -133.5 M
110.84375 0 RL
stroke
grestore
0.987723231 0 32 0 0 ([I-D.ietf-httpbis-p7-auth]) A
[/Rect [281.84375 -135.15 394.6875 -123.049995] /Subtype /Link /Border [0 0 0] /Dest /105 /ANN pdfmark
0.987723231 0 32 0 0 ( are satisfied.) A
0 -145.6 M
1.76646209 0 32 0 0 (Any parameters starting with "kc", "ks", "vkc" or "vks" and followed by decimal natural numbers) A
0 -158.8 M
1.09010422 0 32 0 0 (\(e.g.\240kc2, ks0, vkc1, vks3 etc.\) are reserved for this purpose. If those specifications use names other) A
0 -172 M
0.806490362 0 32 0 0 (than those mentioned above, it is RECOMMENDED to use extension-tokens to avoid any parameter) A
0 -185.2 M
(name conflict with the future extension of this protocol. ) S
0 -209.4 M
1.94759119 0 32 0 0 (Extension-tokens MAY be freely used for any non-standard, private, and/or experimental uses for) A
0 -222.6 M
(those parameters provided that the domain part in the token is appropriately used. ) S
0 -233.6 M
[/View [/XYZ -4 523.4 null] /Dest /87 /DEST pdfmark
0 -233.6 M
[/View [/XYZ -4 523.4 null] /Dest /88 /DEST pdfmark
0 -252.6 M
15 2 Nf
(15.) S
[/View [/XYZ -4 522.4 null] /Dest /206 /DEST pdfmark
( IANA ) S
(Considerations) S
0 -276.8 M
11 0 Nf
2.39960933 0 32 0 0 (When bare-tokens are used for the authentication-algorithm, pwd-hash, and validation parameters,) A
0 -290 M
0.544433594 0 32 0 0 (they MUST be allocated by IANA. To acquire registered tokens, a specification for the use of such tokens) A
0 -303.2 M
(MUST be available as an RFC, as outlined in ) S
gsave
newpath
202.2 -304.3 M
50.1054688 0 RL
stroke
grestore
([RFC5226]) S
[/Rect [201.21875 -305.95 253.324219 -293.85] /Subtype /Link /Border [0 0 0] /Dest /125 /ANN pdfmark
(. ) S
0 -327.4 M
(Note: More formal declarations will be added in the future drafts to meet the RFC 5226 requirements. ) S
0 -338.4 M
[/View [/XYZ -4 418.599976 null] /Dest /89 /DEST pdfmark
0 -338.4 M
[/View [/XYZ -4 418.599976 null] /Dest /90 /DEST pdfmark
0 -357.4 M
15 2 Nf
(16.) S
[/View [/XYZ -4 417.599976 null] /Dest /207 /DEST pdfmark
( Security ) S
(Considerations) S
0 -364.9 M
[/View [/XYZ -4 392.099976 null] /Dest /91 /DEST pdfmark
0 -364.9 M
[/View [/XYZ -4 392.099976 null] /Dest /92 /DEST pdfmark
0 -383.4 M
13 2 Nf
(16.1.) S
[/View [/XYZ -4 389.199982 null] /Dest /208 /DEST pdfmark
( Security ) S
(Properties) S
11 -404 M
gsave
0 setgray
newpath
11.0 -403.970032 2.75 0 360 arc
closepath
fill
grestore
22 -407.6 M
11 0 Nf
1.03027344 0 32 0 0 (The protocol is secure against passive eavesdropping and replay attacks. However, the protocol) A
22 -420.8 M
1.61490881 0 32 0 0 (relies on transport security including DNS integrity for data secrecy and integrity. HTTP/TLS) A
22 -434 M
(SHOULD be used where transport security is not assured and/or data secrecy is important. ) S
11 -444.6 M
gsave
0 setgray
newpath
11.0 -444.570068 2.75 0 360 arc
closepath
fill
grestore
22 -448.2 M
0.318509609 0 32 0 0 (When used with HTTP/TLS, if TLS server certificates are reliably verified, the protocol provides) A
22 -461.4 M
(true protection against active man-in-the-middle attacks. ) S
11 -472 M
gsave
0 setgray
newpath
11.0 -471.970093 2.75 0 360 arc
closepath
fill
grestore
22 -475.6 M
0.580729187 0 32 0 0 (Even if the server certificate is not used or is unreliable, the protocol provides protection against) A
22 -488.8 M
1.015625 0 32 0 0 (active man-in-the-middle attacks for each HTTP request/response pair. However, in such cases,) A
22 -502 M
0.421223968 0 32 0 0 (JavaScript or similar scripting facilities can be used to affect the Mutually-authenticated contents) A
22 -515.2 M
0.858538 0 32 0 0 (from other contents not protected by this authentication mechanism. This is the reason why this) A
22 -528.4 M
(protocol requires that valid TLS server certificates MUST be presented ) S
(\() S
gsave
newpath
341.4 -529.5 M
41.2382812 0 RL
stroke
grestore
(Section\2407) S
[/Rect [340.433594 -531.150146 383.671875 -519.050171] /Subtype /Link /Border [0 0 0] /Dest /66 /ANN pdfmark
(\). ) S
0 -539.4 M
[/View [/XYZ -4 217.599854 null] /Dest /93 /DEST pdfmark
0 -539.4 M
[/View [/XYZ -4 217.599854 null] /Dest /94 /DEST pdfmark
0 -555 M
13 2 Nf
(16.2.) S
[/View [/XYZ -4 217.599854 null] /Dest /209 /DEST pdfmark
( Denial-of-service Attacks to ) S
(Servers) S
0 -579.2 M
11 0 Nf
0.717529297 0 32 0 0 (The protocol requires a server-side table of active sessions, which may become a critical point of the) A
0 -592.4 M
3.09014416 0 32 0 0 (server resource consumptions. For proper operation, the protocol requires that at least one key) A
0 -605.6 M
0.789963961 0 32 0 0 (verification request is processed for each session identifier. After that, servers MAY discard sessions) A
0 -618.8 M
2.75721145 0 32 0 0 (internally at any time, without causing any operational problems to clients. Clients will silently) A
0 -632 M
(reestablish a new session then. ) S
0 -632 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 28 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 29 29
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
1.60997593 0 32 0 0 (However, if a malicious client sends too many requests of key exchanges \(req-KEX-C1 messages\)) A
0 -26.4 M
1.55943084 0 32 0 0 (only, resource starvation might occur. In such critical situations, servers MAY discard any kind of) A
0 -39.6 M
0.661979139 0 32 0 0 (existing sessions regardless of their statuses. One way to mitigate such attacks is that servers MAY) A
0 -52.8 M
0.862304688 0 32 0 0 (have number and time limits for unverified pending key exchange requests \(in the "wa received") A
0 -66 M
(status\). ) S
0 -90.2 M
0.291927069 0 32 0 0 (This is a common weakness of authentication protocols with almost any kind of negotiations or states,) A
0 -103.4 M
3.79199219 0 32 0 0 (including Digest authentication method and most Cookie-based authentication implementations.) A
0 -116.6 M
1.49038458 0 32 0 0 (However, regarding the resource consumption, the situation of the mutual authentication method is) A
0 -129.8 M
0.117745534 0 32 0 0 (slightly better than the Digest, because HTTP requests without any kind of authentication requests will) A
0 -143 M
1.74780273 0 32 0 0 (not generate any kind of sessions. Session identifiers are only generated after a client starts a key) A
0 -156.2 M
3.7232573 0 32 0 0 (negotiation. It means that simple clients such as web crawlers will not accidentally consume) A
0 -169.4 M
(server-side resources for session management. ) S
0 -180.4 M
[/View [/XYZ -4 576.600037 null] /Dest /95 /DEST pdfmark
0 -180.4 M
[/View [/XYZ -4 576.600037 null] /Dest /96 /DEST pdfmark
0 -196 M
%%IncludeResource: font Times-Bold
13 2 Nf
(16.3.) S
[/View [/XYZ -4 576.600037 null] /Dest /210 /DEST pdfmark
( Implementation ) S
(Considerations) S
11 -216.6 M
gsave
0 setgray
newpath
11.0 -216.569992 2.75 0 360 arc
closepath
fill
grestore
22 -220.2 M
11 0 Nf
0.289772719 0 32 0 0 (To securely implement the protocol, the Authentication-Info headers in the 200-VFY-S messages) A
22 -233.4 M
1.20898438 0 32 0 0 (MUST always be validated by the client. If the validation fails, the client MUST\240NOT process) A
22 -246.6 M
0.270089298 0 32 0 0 (any content sent with the message, including other headers and the body part. Non-compliance with) A
22 -259.8 M
(this requirement will allow phishing attacks. ) S
11 -270.4 M
gsave
0 setgray
newpath
11.0 -270.37 2.75 0 360 arc
closepath
fill
grestore
22 -274 M
1.88151038 0 32 0 0 (The authentication status on the client-side SHOULD be visible to the users of the client. In) A
22 -287.2 M
2.87650251 0 32 0 0 (addition, the method for asking for the user's name and passwords SHOULD be carefully) A
22 -300.4 M
1.18638396 0 32 0 0 (designed so that \(1\) the user can easily distinguish the request from this authentication method) A
22 -313.6 M
2.34263396 0 32 0 0 (from any other authentication methods such as Basic and Digest methods, and \(2\) the Web) A
22 -326.8 M
(contents cannot imitate the user-interfaces for this protocol. ) S
22 -340 M
4.52587891 0 32 0 0 (An informational memo regarding user-interface considerations and recommendations for) A
22 -353.2 M
(implementing this protocol will be separately published. ) S
11 -363.8 M
gsave
0 setgray
newpath
11.0 -363.770081 2.75 0 360 arc
closepath
fill
grestore
22 -367.4 M
2.05703115 0 32 0 0 (For HTTP/TLS communications, when a web form is submitted from Mutually-authenticated) A
22 -380.6 M
1.92944336 0 32 0 0 (pages with the "tls-cert" validation method to a URI that is protected by the same realm \(so) A
22 -393.8 M
0.746875 0 32 0 0 (indicated by the path parameter\), if the server certificate has been changed since the pages were) A
22 -407 M
0.762319684 0 32 0 0 (received, the peer is RECOMMENDED to be revalidated using a req-KEX-C1 message with an) A
22 -420.2 M
1.40384614 0 32 0 0 ("Expect: 100-continue" header. The same applies when the page is received with the "tls-key") A
22 -433.4 M
(validation method, and when the TLS session has expired. ) S
11 -444 M
gsave
0 setgray
newpath
11.0 -443.970154 2.75 0 360 arc
closepath
fill
grestore
22 -447.6 M
1.16346157 0 32 0 0 (Server-side storage of user passwords is advised to contain the values derived by the one-way) A
22 -460.8 M
(function J\(pi\), instead of the real passwords, the passwords hashed by ph, or pi itself. ) S
0 -471.8 M
[/View [/XYZ -4 285.199829 null] /Dest /97 /DEST pdfmark
0 -471.8 M
[/View [/XYZ -4 285.199829 null] /Dest /98 /DEST pdfmark
0 -487.4 M
13 2 Nf
(16.4.) S
[/View [/XYZ -4 285.199829 null] /Dest /211 /DEST pdfmark
( Usage ) S
(Considerations) S
11 -508 M
gsave
0 setgray
newpath
11.0 -507.970184 2.75 0 360 arc
closepath
fill
grestore
22 -511.6 M
11 0 Nf
1.49583328 0 32 0 0 (The user-names entered by a user may be sent automatically to any servers sharing the same) A
22 -524.8 M
2.68131518 0 32 0 0 (auth-domain. This means that when host-type auth-domain is used for authentication on an) A
22 -538 M
0.989118278 0 32 0 0 (HTTPS site, and when an HTTP server on the same host requests Mutual authentication within) A
22 -551.2 M
0.790364563 0 32 0 0 (the same realm, the client will send the user-name in clear text. If user-names have to be kept) A
22 -564.4 M
3.37890625 0 32 0 0 (secret against eavesdropping, the server must use a full-scheme-type auth-domain parameter.) A
22 -577.6 M
(Contrarily, passwords are not exposed to eavesdroppers even on HTTP requests. ) S
11 -588.2 M
gsave
0 setgray
newpath
11.0 -588.170227 2.75 0 360 arc
closepath
fill
grestore
22 -591.8 M
1.196733 0 32 0 0 (The "pwd-hash" parameter is only provided for backward compatibility of password databases.) A
22 -605 M
0.916666687 0 32 0 0 (The use of the "none" function is the most secure choice and is RECOMMENDED. If values other) A
22 -618.2 M
0.534667969 0 32 0 0 (than "none" are used, you MUST ensure that the hash values of the passwords were not exposed) A
22 -631.4 M
0.855769217 0 32 0 0 (to the public. Note that hashed password databases for plain-text authentications are usually not) A
22 -644.6 M
(considered secret. ) S
11 -655.2 M
gsave
0 setgray
newpath
11.0 -655.170288 2.75 0 360 arc
closepath
fill
grestore
22 -658.8 M
1.68179083 0 32 0 0 (If the server provides several ways for storing server-side password secrets into the password) A
22 -658.8 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 29 -) S
0 setgray
44 -8 M
grestore
pgsave restore N
%%Page: 30 30
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
22 -13.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.76171875 0 32 0 0 (database, it is advised to store the values derived by using the one-way function J\(pi\), instead) A
22 -26.4 M
11 0 Nf
(of the real passwords, the passwords hashed by ph, or pi itself. ) S
0 -37.4 M
[/View [/XYZ -4 719.6 null] /Dest /99 /DEST pdfmark
0 -37.4 M
[/View [/XYZ -4 719.6 null] /Dest /100 /DEST pdfmark
0 -56.4 M
%%IncludeResource: font Times-Bold
15 2 Nf
(17.) S
[/View [/XYZ -4 718.6 null] /Dest /212 /DEST pdfmark
( Notice on Intellectual ) S
(Properties) S
0 -80.6 M
11 0 Nf
0.270432681 0 32 0 0 (The National Institute of Advanced Industrial Science and Technology \(AIST\) and Yahoo! Japan, Inc.) A
0 -93.8 M
0.311197907 0 32 0 0 (have jointly submitted a patent application on the protocol proposed in this documentation to the Patent) A
0 -107 M
0.125868052 0 32 0 0 (Office of Japan. The patent is intended to be open to any implementors of this protocol and its variants) A
0 -120.2 M
0.2734375 0 32 0 0 (in a non-exclusive royalty-free manner. For the details of the patent application and its status, please) A
0 -133.4 M
(contact the author of this document. ) S
0 -157.6 M
1.08359373 0 32 0 0 (The elliptic-curve based authentication algorithms might involve several existing third-party patents.) A
0 -170.8 M
0.114889704 0 32 0 0 (The authors of the document take no position regarding the validity or scope of such patents, and other) A
0 -184 M
(patents as well. ) S
0 -195 M
[/View [/XYZ -4 562.0 null] /Dest /101 /DEST pdfmark
0 -195 M
[/View [/XYZ -4 562.0 null] /Dest /102 /DEST pdfmark
0 -214 M
15 2 Nf
(18.) S
[/View [/XYZ -4 561.0 null] /Dest /213 /DEST pdfmark
( ) S
(References) S
0 -221.5 M
[/View [/XYZ -4 535.5 null] /Dest /103 /DEST pdfmark
0 -240 M
13 2 Nf
(18.1.) S
[/View [/XYZ -4 532.600037 null] /Dest /214 /DEST pdfmark
( Normative ) S
(References) S
8 -256.3 M
0.989558935 0.989558935 scale

-0.0 -11.0 RM
11 0 Nf
([I-D.ietf-httpbis-p1-messaging]) S
[/View [/XYZ -4 842 null] /Dest /104 /DEST pdfmark
1.01055121 1.01055121 scale

160.9 -267.3 M
(Fielding, R., Lafon, Y., and J. Reschke, ) S
(\233) S
gsave
newpath
342.6 -268.4 M
78.1992188 0 RL
stroke
grestore
(HTTP/1.1, part 1:) S
[/Rect [341.645477 -270.05 421.844696 -257.949982] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-httpbis-p1-messaging-19.txt)] Cd /ANN pdfmark
160.9 -280.5 M
gsave
newpath
160.9 -281.6 M
149.066406 0 RL
stroke
grestore
(URIs, Connections, and Message ) S
gsave
newpath
310 -281.6 M
32.9882812 0 RL
stroke
grestore
(Parsing) S
[/Rect [159.891571 -283.25 343.946259 -271.15] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-httpbis-p1-messaging-19.txt)] Cd /ANN pdfmark
(,\234) S
160.9 -293.7 M
(draft-ietf-httpbis-p1-messaging-19 \(work in progress\),) S
160.9 -306.9 M
(March\2402012 ) S
(\() S
gsave
newpath
220.8 -308 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [219.754852 -309.650024 243.133759 -297.550018] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-httpbis-p1-messaging-19.txt)] Cd /ANN pdfmark
(\).) S
8 -328.6 M
([I-D.ietf-httpbis-p7-auth]) S
[/View [/XYZ -4 842 null] /Dest /105 /DEST pdfmark
160.9 -328.6 M
(Fielding, R., Lafon, Y., and J. Reschke, ) S
(\233) S
gsave
newpath
342.6 -329.8 M
80.9492188 0 RL
stroke
grestore
(HTTP/1.1, part 7: ) S
[/Rect [341.645477 -331.4 424.594696 -319.3] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-httpbis-p7-auth-19.txt)] Cd /ANN pdfmark
160.9 -341.9 M
gsave
newpath
160.9 -342.9 M
65.3632812 0 RL
stroke
grestore
(Authentication) S
[/Rect [159.891571 -344.6 227.254852 -332.5] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-httpbis-p7-auth-19.txt)] Cd /ANN pdfmark
(,\234 draft-ietf-httpbis-p7-auth-19 \(work in) S
160.9 -355.1 M
(progress\), March\2402012 ) S
(\() S
gsave
newpath
267.2 -356.2 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [266.172821 -357.800018 289.551727 -345.7] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-httpbis-p7-auth-19.txt)] Cd /ANN pdfmark
(\).) S
8 -376.8 M
([I-D.oiwa-http-auth-extension]) S
[/View [/XYZ -4 842 null] /Dest /106 /DEST pdfmark
160.9 -376.8 M
(Oiwa, Y., Watanabe, H., Takagi, H., Kihara, B., Hayashi, T.,) S
160.9 -390 M
(and Y. Ioku, ) S
(\233) S
gsave
newpath
223.5 -391.1 M
214.707031 0 RL
stroke
grestore
(HTTP Authentication Extensions for Interactive ) S
[/Rect [222.508759 -392.75 439.21579 -380.65] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-oiwa-httpbis-auth-extension-00.txt)] Cd /ANN pdfmark
160.9 -403.2 M
gsave
newpath
160.9 -404.3 M
31.1601562 0 RL
stroke
grestore
(Clients) S
[/Rect [159.891571 -405.95 193.051727 -393.85] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-oiwa-httpbis-auth-extension-00.txt)] Cd /ANN pdfmark
(,\234 draft-oiwa-httpbis-auth-extension-00 \(work in) S
160.9 -416.4 M
(progress\), ) S
(June\2402012.) S
8 -438.1 M
([RFC2119]) S
[/View [/XYZ -4 842 null] /Dest /107 /DEST pdfmark
160.9 -438.1 M
gsave
newpath
160.9 -439.2 M
40.921875 0 RL
stroke
grestore
(Bradner, ) S
gsave
newpath
201.8 -439.2 M
8.86328125 0 RL
stroke
grestore
(S.) S
(, ) S
(\233) S
gsave
newpath
221.1 -439.2 M
169.523438 0 RL
stroke
grestore
(Key words for use in RFCs to Indicate) S
[/Rect [220.05954 -440.9 391.582977 -428.8] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2119)] Cd /ANN pdfmark
160.9 -451.4 M
gsave
newpath
160.9 -452.4 M
59.5585938 0 RL
stroke
grestore
(Requirement ) S
gsave
newpath
220.5 -452.4 M
29.3164062 0 RL
stroke
grestore
(Levels) S
[/Rect [159.891571 -454.1 250.766571 -442.0] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2119)] Cd /ANN pdfmark
(,\234 BCP\24014, RFC\2402119, March\2401997 ) S
(\() S
gsave
newpath
411.1 -452.4 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [410.082977 -454.1 433.461884 -442.0] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc2119.txt)] Cd /ANN pdfmark
(, ) S
160.9 -464.6 M
gsave
newpath
160.9 -465.7 M
31.15625 0 RL
stroke
grestore
(HTML) S
[/Rect [159.891571 -467.300018 193.047821 -455.2] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://xml.resource.org/public/rfc/html/rfc2119.html)] Cd /ANN pdfmark
(, ) S
gsave
newpath
197.5 -465.7 M
24.4375 0 RL
stroke
grestore
(XML) S
[/Rect [196.547821 -467.300018 222.985321 -455.2] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://xml.resource.org/public/rfc/xml/rfc2119.xml)] Cd /ANN pdfmark
(\).) S
8 -486.3 M
([RFC3629]) S
[/View [/XYZ -4 842 null] /Dest /108 /DEST pdfmark
160.9 -486.3 M
(Yergeau, F., ) S
(\233) S
gsave
newpath
222.9 -487.4 M
174.996094 0 RL
stroke
grestore
(UTF-8, a transformation format of ISO ) S
gsave
newpath
397.9 -487.4 M
27.5 0 RL
stroke
grestore
(10646) S
[/Rect [221.887665 -489.05 426.383759 -476.949982] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc3629)] Cd /ANN pdfmark
(,\234) S
160.9 -499.5 M
(STD\24063, RFC\2403629, November\2402003 ) S
(\() S
gsave
newpath
329.5 -500.6 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [328.532196 -502.25 351.911102 -490.15] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc3629.txt)] Cd /ANN pdfmark
(\).) S
8 -521.2 M
([RFC4013]) S
[/View [/XYZ -4 842 null] /Dest /109 /DEST pdfmark
160.9 -521.2 M
(Zeilenga, K., ) S
(\233) S
gsave
newpath
225.9 -522.4 M
203.707031 0 RL
stroke
grestore
(SASLprep: Stringprep Profile for User Names) S
[/Rect [224.942352 -524.0 430.649384 -511.9] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc4013)] Cd /ANN pdfmark
160.9 -534.5 M
gsave
newpath
160.9 -535.5 M
18.6328125 0 RL
stroke
grestore
(and ) S
gsave
newpath
179.5 -535.5 M
46.4296875 0 RL
stroke
grestore
(Passwords) S
[/Rect [159.891571 -537.2 226.954071 -525.100037] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc4013)] Cd /ANN pdfmark
(,\234 RFC\2404013, February\2402005 ) S
(\() S
gsave
newpath
358.2 -535.5 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [357.231415 -537.2 380.610321 -525.100037] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc4013.txt)] Cd /ANN pdfmark
(\).) S
8 -556.2 M
([RFC4648]) S
[/View [/XYZ -4 842 null] /Dest /110 /DEST pdfmark
160.9 -556.2 M
(Josefsson, S., ) S
(\233) S
gsave
newpath
227.8 -557.3 M
172.882812 0 RL
stroke
grestore
(The Base16, Base32, and Base64 Data ) S
[/Rect [226.790009 -558.949951 401.672821 -546.85] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc4648)] Cd /ANN pdfmark
160.9 -569.4 M
gsave
newpath
160.9 -570.5 M
46.4335938 0 RL
stroke
grestore
(Encodings) S
[/Rect [159.891571 -572.149963 208.325165 -560.05] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc4648)] Cd /ANN pdfmark
(,\234 RFC\2404648, October\2402006 ) S
(\() S
gsave
newpath
335.3 -570.5 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [334.325165 -572.149963 357.704071 -560.05] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc4648.txt)] Cd /ANN pdfmark
(\).) S
8 -591.1 M
([RFC5234]) S
[/View [/XYZ -4 842 null] /Dest /111 /DEST pdfmark
160.9 -591.1 M
(Crocker, D. and P. Overell, ) S
(\233) S
gsave
newpath
288.9 -592.2 M
124.328125 0 RL
stroke
grestore
(Augmented BNF for Syntax) S
[/Rect [287.860321 -593.9 414.188446 -581.800049] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5234)] Cd /ANN pdfmark
160.9 -604.4 M
gsave
newpath
160.9 -605.5 M
68.1054688 0 RL
stroke
grestore
(Specifications: ) S
gsave
newpath
229 -605.5 M
29.3320312 0 RL
stroke
grestore
(ABNF) S
[/Rect [159.891571 -607.100037 259.329071 -595.000061] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5234)] Cd /ANN pdfmark
(,\234 STD\24068, RFC\2405234, January\2402008 ) S
160.9 -617.6 M
(\() S
gsave
newpath
164.6 -618.6 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [163.551727 -620.300049 186.930634 -608.200073] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc5234.txt)] Cd /ANN pdfmark
(\).) S
8 -639.3 M
([RFC5246]) S
[/View [/XYZ -4 842 null] /Dest /112 /DEST pdfmark
160.9 -639.3 M
(Dierks, T. and E. Rescorla, ) S
(\233) S
gsave
newpath
287.6 -640.4 M
130.398438 0 RL
stroke
grestore
(The Transport Layer Security) S
[/Rect [286.637665 -642.05 419.036102 -629.95] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5246)] Cd /ANN pdfmark
160.9 -652.5 M
gsave
newpath
160.9 -653.6 M
107.203125 0 RL
stroke
grestore
(\(TLS\) Protocol Version ) S
gsave
newpath
268.1 -653.6 M
13.75 0 RL
stroke
grestore
(1.2) S
[/Rect [159.891571 -655.25 282.844696 -643.15] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5246)] Cd /ANN pdfmark
(,\234 RFC\2405246, August\2402008 ) S
(\() S
gsave
newpath
406.2 -653.6 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [405.196259 -655.25 428.575165 -643.15] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc5246.txt)] Cd /ANN pdfmark
(\).) S
0 -661.2 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 30 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 31 31
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /113 /DEST pdfmark
0 -15.6 M
%%IncludeResource: font Times-Bold
13 2 Nf
(18.2.) S
[/View [/XYZ -4 757.0 null] /Dest /215 /DEST pdfmark
( Informative ) S
(References) S
8 -42.9 M
%%IncludeResource: font Times-Roman
11 0 Nf
([I-D.ietf-oauth-v2]) S
[/View [/XYZ -4 842 null] /Dest /114 /DEST pdfmark
165.7 -42.9 M
(Hammer-Lahav, E., Recordon, D., and D. Hardt, ) S
(\233) S
gsave
newpath
387.8 -44 M
49.7890625 0 RL
stroke
grestore
(The OAuth) S
[/Rect [386.768494 -45.65 438.557556 -33.5500031] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-26.txt)] Cd /ANN pdfmark
165.7 -56.1 M
gsave
newpath
165.7 -57.2 M
80.3359375 0 RL
stroke
grestore
(2.0 Authorization ) S
gsave
newpath
246.1 -57.2 M
50.6953125 0 RL
stroke
grestore
(Framework) S
[/Rect [164.729446 -58.8500023 297.760681 -46.75] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-26.txt)] Cd /ANN pdfmark
(,\234 draft-ietf-oauth-v2-26 \(work) S
165.7 -69.3 M
(in progress\), May\2402012 ) S
(\() S
gsave
newpath
274.8 -70.4 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [273.7724 -72.05 297.151306 -59.9500046] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-26.txt)] Cd /ANN pdfmark
(, ) S
gsave
newpath
301.7 -70.4 M
20.1679688 0 RL
stroke
grestore
(PDF) S
[/Rect [300.651306 -72.05 322.819275 -59.9500046] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-26.pdf)] Cd /ANN pdfmark
(\).) S
8 -91 M
([I-D.ietf-precis-framework]) S
[/View [/XYZ -4 842 null] /Dest /115 /DEST pdfmark
165.7 -91 M
(Saint-Andre, P. and M. Blanchet, ) S
(\233) S
gsave
newpath
320 -92.2 M
93.7773438 0 RL
stroke
grestore
(PRECIS Framework:) S
[/Rect [318.979431 -93.8 414.756775 -81.7000046] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-precis-framework-03.txt)] Cd /ANN pdfmark
165.7 -104.3 M
gsave
newpath
165.7 -105.3 M
260.222656 0 RL
stroke
grestore
(Preparation and Comparison of Internationalized Strings in) S
[/Rect [164.729446 -107.0 426.952087 -94.9] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-precis-framework-03.txt)] Cd /ANN pdfmark
165.7 -117.5 M
gsave
newpath
165.7 -118.5 M
54.6757812 0 RL
stroke
grestore
(Application ) S
gsave
newpath
220.4 -118.5 M
41.5429688 0 RL
stroke
grestore
(Protocols) S
[/Rect [164.729446 -120.2 262.948181 -108.1] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-precis-framework-03.txt)] Cd /ANN pdfmark
(,\234 draft-ietf-precis-framework-03 \(work) S
165.7 -130.7 M
(in progress\), May\2402012 ) S
(\() S
gsave
newpath
274.8 -131.8 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [273.7724 -133.4 297.151306 -121.299995] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-ietf-precis-framework-03.txt)] Cd /ANN pdfmark
(\).) S
8 -141.4 M
0.989574254 0.989574254 scale

-0.0 -11.0 RM
([I-D.oiwa-http-mutualauth-algo]) S
[/View [/XYZ -4 842 null] /Dest /116 /DEST pdfmark
1.0105356 1.0105356 scale

165.7 -152.4 M
(Oiwa, Y., Watanabe, H., Takagi, H., Kihara, B., Hayashi, T.,) S
165.7 -165.6 M
(and Y. Ioku, ) S
(\233) S
gsave
newpath
228.3 -166.7 M
188.765625 0 RL
stroke
grestore
(Mutual Authentication Protocol for HTTP:) S
[/Rect [227.346634 -168.349991 418.112244 -156.249985] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-oiwa-http-mutualauth-algo-02.txt)] Cd /ANN pdfmark
165.7 -178.8 M
gsave
newpath
165.7 -179.9 M
128.894531 0 RL
stroke
grestore
(KAM3-based Cryptographic ) S
gsave
newpath
294.6 -179.9 M
50.0976562 0 RL
stroke
grestore
(Algorithms) S
[/Rect [164.729446 -181.549988 345.721619 -169.449982] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.ietf.org/internet-drafts/draft-oiwa-http-mutualauth-algo-02.txt)] Cd /ANN pdfmark
(,\234) S
165.7 -192 M
(draft-oiwa-http-mutualauth-algo-02 \(work in progress\), ) S
165.7 -205.2 M
(May\2402012.) S
8 -226.9 M
([ISO.10646-1.1993]) S
[/View [/XYZ -4 842 null] /Dest /117 /DEST pdfmark
165.7 -226.9 M
(International Organization for Standardization, \233Information) S
165.7 -240.2 M
(Technology - Universal Multiple-octet coded Character Set) S
165.7 -253.4 M
(\(UCS\) - Part 1: Architecture and Basic Multilingual Plane,\234) S
165.7 -266.5 M
(ISO\240Standard 10646-1, ) S
(May\2401993.) S
8 -288.3 M
([ITU.X690.1994]) S
[/View [/XYZ -4 842 null] /Dest /118 /DEST pdfmark
165.7 -288.3 M
(International Telecommunications Union, \233Information) S
165.7 -301.5 M
(Technology - ASN.1 encoding rules: Specification of Basic) S
165.7 -314.7 M
(Encoding Rules \(BER\), Canonical Encoding Rules \(CER\) and) S
165.7 -327.9 M
(Distinguished Encoding Rules \(DER\),\234) S
165.7 -341.1 M
(ITU-T\240Recommendation X.690, ) S
(1994.) S
8 -362.9 M
([OASIS.saml-core-2.0-os]) S
[/View [/XYZ -4 842 null] /Dest /119 /DEST pdfmark
165.7 -362.9 M
gsave
newpath
165.7 -363.9 M
35.4335938 0 RL
stroke
grestore
(Cantor, ) S
gsave
newpath
201.2 -363.9 M
8.86328125 0 RL
stroke
grestore
(S.) S
(, ) S
gsave
newpath
215.5 -363.9 M
32.3789062 0 RL
stroke
grestore
(Kemp, ) S
gsave
newpath
247.9 -363.9 M
7.02734375 0 RL
stroke
grestore
(J.) S
(, ) S
gsave
newpath
260.4 -363.9 M
40.3320312 0 RL
stroke
grestore
(Philpott, ) S
gsave
newpath
300.8 -363.9 M
10.0859375 0 RL
stroke
grestore
(R.) S
(, and ) S
gsave
newpath
335 -363.9 M
12.21875 0 RL
stroke
grestore
(E. ) S
gsave
newpath
347.2 -363.9 M
26.2578125 0 RL
stroke
grestore
(Maler) S
(, ) S
(\233) S
gsave
newpath
383.8 -363.9 M
46.4257812 0 RL
stroke
grestore
(Assertions) S
[/Rect [382.842712 -365.6 431.268494 -353.5] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)] Cd /ANN pdfmark
165.7 -376.1 M
gsave
newpath
165.7 -377.2 M
244.042969 0 RL
stroke
grestore
(and Protocol for the OASIS Security Assertion Markup) S
[/Rect [164.729446 -378.800018 410.7724 -366.7] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)] Cd /ANN pdfmark
165.7 -389.3 M
gsave
newpath
165.7 -390.4 M
86.7382812 0 RL
stroke
grestore
(Language \(SAML\) ) S
gsave
newpath
252.5 -390.4 M
21.6914062 0 RL
stroke
grestore
(V2.0) S
[/Rect [164.729446 -392.000031 275.159119 -379.900024] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf)] Cd /ANN pdfmark
(,\234 OASIS Standard\240saml-core-2.0-os, ) S
165.7 -402.5 M
(March\2402005.) S
8 -424.2 M
([OIDF.Connect.Standard]) S
[/View [/XYZ -4 842 null] /Dest /120 /DEST pdfmark
165.7 -424.2 M
(Sakimura, N., Bradley, J., Jones, M., de Medeiros, B.,) S
165.7 -437.4 M
(Mortimore, C., and E. Jay, ) S
(\233) S
gsave
newpath
290.4 -438.5 M
139.585938 0 RL
stroke
grestore
(OpenID Connect Standard 1.0 -) S
[/Rect [289.354431 -440.150024 430.940369 -428.050018] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://openid.net/specs/openid-connect-standard-1_0.html)] Cd /ANN pdfmark
165.7 -450.6 M
gsave
newpath
165.7 -451.7 M
23.5078125 0 RL
stroke
grestore
(draft ) S
gsave
newpath
189.2 -451.7 M
11.0 0 RL
stroke
grestore
(10) S
[/Rect [164.729446 -453.350037 201.237259 -441.250031] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://openid.net/specs/openid-connect-standard-1_0.html)] Cd /ANN pdfmark
(,\234 ) S
(May\2402012.) S
8 -472.4 M
([RFC2617]) S
[/View [/XYZ -4 842 null] /Dest /121 /DEST pdfmark
165.7 -472.4 M
gsave
newpath
165.7 -473.4 M
35.4335938 0 RL
stroke
grestore
(Franks, ) S
gsave
newpath
201.2 -473.4 M
7.02734375 0 RL
stroke
grestore
(J.) S
(, ) S
gsave
newpath
213.7 -473.4 M
67.7929688 0 RL
stroke
grestore
(Hallam-Baker, ) S
gsave
newpath
281.5 -473.4 M
8.86328125 0 RL
stroke
grestore
(P.) S
(, ) S
gsave
newpath
295.8 -473.4 M
45.8085938 0 RL
stroke
grestore
(Hostetler, ) S
gsave
newpath
341.7 -473.4 M
7.02734375 0 RL
stroke
grestore
(J.) S
(, ) S
gsave
newpath
354.2 -473.4 M
48.8515625 0 RL
stroke
grestore
(Lawrence, ) S
gsave
newpath
403 -473.4 M
8.86328125 0 RL
stroke
grestore
(S.) S
(, ) S
165.7 -485.6 M
gsave
newpath
165.7 -486.7 M
32.3671875 0 RL
stroke
grestore
(Leach, ) S
gsave
newpath
198.1 -486.7 M
8.86328125 0 RL
stroke
grestore
(P.) S
(, Luotonen, A., and ) S
gsave
newpath
294.9 -486.7 M
12.21875 0 RL
stroke
grestore
(L. ) S
gsave
newpath
307.2 -486.7 M
33.5898438 0 RL
stroke
grestore
(Stewart) S
(, ) S
(\233) S
gsave
newpath
351.1 -486.7 M
27.4921875 0 RL
stroke
grestore
(HTTP) S
[/Rect [350.131775 -488.300018 379.623962 -476.2] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2617)] Cd /ANN pdfmark
165.7 -498.8 M
gsave
newpath
165.7 -499.9 M
182.339844 0 RL
stroke
grestore
(Authentication: Basic and Digest Access ) S
gsave
newpath
348.1 -499.9 M
65.3632812 0 RL
stroke
grestore
(Authentication) S
[/Rect [164.729446 -501.500031 414.432556 -489.400024] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2617)] Cd /ANN pdfmark
(,\234) S
165.7 -512 M
(RFC\2402617, June\2401999 ) S
(\() S
gsave
newpath
268.1 -513.1 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [267.0849 -514.700073 290.463806 -502.600037] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc2617.txt)] Cd /ANN pdfmark
(, ) S
gsave
newpath
295 -513.1 M
31.15625 0 RL
stroke
grestore
(HTML) S
[/Rect [293.963806 -514.700073 327.120056 -502.600037] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://xml.resource.org/public/rfc/html/rfc2617.html)] Cd /ANN pdfmark
(, ) S
gsave
newpath
331.6 -513.1 M
24.4375 0 RL
stroke
grestore
(XML) S
[/Rect [330.620056 -514.700073 357.057556 -502.600037] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://xml.resource.org/public/rfc/xml/rfc2617.xml)] Cd /ANN pdfmark
(\).) S
8 -533.7 M
([RFC2743]) S
[/View [/XYZ -4 842 null] /Dest /122 /DEST pdfmark
165.7 -533.7 M
gsave
newpath
165.7 -534.8 M
26.2734375 0 RL
stroke
grestore
(Linn, ) S
gsave
newpath
192 -534.8 M
7.02734375 0 RL
stroke
grestore
(J.) S
(, ) S
(\233) S
gsave
newpath
209.4 -534.8 M
205.226562 0 RL
stroke
grestore
(Generic Security Service Application Program) S
[/Rect [208.41304 -536.45 415.639587 -524.350037] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2743)] Cd /ANN pdfmark
165.7 -546.9 M
gsave
newpath
165.7 -548 M
124.894531 0 RL
stroke
grestore
(Interface Version 2, Update ) S
gsave
newpath
290.6 -548 M
5.5 0 RL
stroke
grestore
(1) S
[/Rect [164.729446 -549.65 297.123962 -537.550049] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2743)] Cd /ANN pdfmark
(,\234 RFC\2402743, January\2402000 ) S
165.7 -560.1 M
(\() S
gsave
newpath
169.4 -561.2 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [168.389603 -562.850037 191.768509 -550.750061] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc2743.txt)] Cd /ANN pdfmark
(\).) S
8 -581.9 M
([RFC2818]) S
[/View [/XYZ -4 842 null] /Dest /123 /DEST pdfmark
165.7 -581.9 M
(Rescorla, E., ) S
(\233) S
gsave
newpath
229.6 -583 M
54.9765625 0 RL
stroke
grestore
(HTTP Over ) S
gsave
newpath
284.5 -583 M
19.5507812 0 RL
stroke
grestore
(TLS) S
[/Rect [228.557571 -584.600037 305.0849 -572.500061] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc2818)] Cd /ANN pdfmark
(,\234 RFC\2402818, May\2402000 ) S
165.7 -595.1 M
(\() S
gsave
newpath
169.4 -596.1 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [168.389603 -597.800049 191.768509 -585.700073] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc2818.txt)] Cd /ANN pdfmark
(\).) S
8 -616.8 M
([RFC3961]) S
[/View [/XYZ -4 842 null] /Dest /124 /DEST pdfmark
165.7 -616.8 M
(Raeburn, K., ) S
(\233) S
gsave
newpath
229.6 -617.9 M
197.308594 0 RL
stroke
grestore
(Encryption and Checksum Specifications for) S
[/Rect [228.565384 -619.550049 427.873962 -607.450073] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc3961)] Cd /ANN pdfmark
165.7 -630 M
gsave
newpath
165.7 -631.1 M
43.0546875 0 RL
stroke
grestore
(Kerberos ) S
gsave
newpath
208.8 -631.1 M
5.5 0 RL
stroke
grestore
(5) S
[/Rect [164.729446 -632.750061 215.284134 -620.650085] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc3961)] Cd /ANN pdfmark
(,\234 RFC\2403961, February\2402005 ) S
(\() S
gsave
newpath
346.6 -631.1 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [345.561462 -632.750061 368.940369 -620.650085] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc3961.txt)] Cd /ANN pdfmark
(\).) S
165.7 -630 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 31 -) S
0 setgray
331.5 -8 M
grestore
pgsave restore N
%%Page: 32 32
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
8 -13 M
%%IncludeResource: font Times-Roman
11 0 Nf
([RFC5226]) S
[/View [/XYZ -4 842 null] /Dest /125 /DEST pdfmark
165.7 -13 M
(Narten, T. and H. Alvestrand, ) S
(\233) S
gsave
newpath
304.1 -14.1 M
113.308594 0 RL
stroke
grestore
(Guidelines for Writing an) S
[/Rect [303.081 -15.75 418.389587 -3.64999962] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5226)] Cd /ANN pdfmark
165.7 -26.2 M
gsave
newpath
165.7 -27.3 M
146.007812 0 RL
stroke
grestore
(IANA Considerations Section in ) S
gsave
newpath
311.7 -27.3 M
25.0625 0 RL
stroke
grestore
(RFCs) S
[/Rect [164.729446 -28.95 337.799744 -16.85] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5226)] Cd /ANN pdfmark
(,\234 BCP\24026, RFC\2405226,) S
165.7 -39.4 M
(May\2402008 ) S
(\() S
gsave
newpath
217 -40.5 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [216.049759 -42.15 239.428665 -30.0500011] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc5226.txt)] Cd /ANN pdfmark
(\).) S
8 -61.1 M
([RFC5280]) S
[/View [/XYZ -4 842 null] /Dest /126 /DEST pdfmark
165.7 -61.1 M
(Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R.,) S
165.7 -74.4 M
(and W. Polk, ) S
(\233) S
gsave
newpath
230.8 -75.5 M
178.652344 0 RL
stroke
grestore
(Internet X.509 Public Key Infrastructure) S
[/Rect [229.795853 -77.1000061 410.448181 -65.0000076] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5280)] Cd /ANN pdfmark
165.7 -87.6 M
gsave
newpath
165.7 -88.7 M
221.105469 0 RL
stroke
grestore
(Certificate and Certificate Revocation List \(CRL\) ) S
gsave
newpath
386.8 -88.7 M
29.9257812 0 RL
stroke
grestore
(Profile) S
[/Rect [164.729446 -90.3 417.760681 -78.2000046] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5280)] Cd /ANN pdfmark
(,\234) S
165.7 -100.8 M
(RFC\2405280, May\2402008 ) S
(\() S
gsave
newpath
268.1 -101.8 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [267.0849 -103.5 290.463806 -91.4] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc5280.txt)] Cd /ANN pdfmark
(\).) S
8 -122.5 M
([RFC5890]) S
[/View [/XYZ -4 842 null] /Dest /127 /DEST pdfmark
165.7 -122.5 M
(Klensin, J., ) S
(\233) S
gsave
newpath
222.9 -123.6 M
161.550781 0 RL
stroke
grestore
(Internationalized Domain Names for) S
[/Rect [221.85054 -125.25 385.401306 -113.15] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5890)] Cd /ANN pdfmark
165.7 -135.7 M
gsave
newpath
165.7 -136.8 M
218.992188 0 RL
stroke
grestore
(Applications \(IDNA\): Definitions and Document ) S
[/Rect [164.729446 -138.45 385.721619 -126.35] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc5890.txt)] Cd /ANN pdfmark
165.7 -148.9 M
gsave
newpath
165.7 -150 M
50.6953125 0 RL
stroke
grestore
(Framework) S
[/Rect [164.729446 -151.65 217.424759 -139.549988] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5890)] Cd /ANN pdfmark
(,\234 RFC\2405890, August\2402010 ) S
(\() S
gsave
newpath
340.8 -150 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [339.776306 -151.65 363.155212 -139.549988] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc5890.txt)] Cd /ANN pdfmark
(\).) S
8 -170.7 M
([RFC5929]) S
[/View [/XYZ -4 842 null] /Dest /128 /DEST pdfmark
165.7 -170.7 M
(Altman, J., Williams, N., and L. Zhu, ) S
(\233) S
gsave
newpath
337.7 -171.8 M
97.4492188 0 RL
stroke
grestore
(Channel Bindings for ) S
[/Rect [336.706 -173.4 436.155212 -161.299988] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5929)] Cd /ANN pdfmark
165.7 -183.9 M
gsave
newpath
165.7 -184.9 M
19.5507812 0 RL
stroke
grestore
(TLS) S
[/Rect [164.729446 -186.599991 186.280228 -174.499985] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc5929)] Cd /ANN pdfmark
(,\234 RFC\2405929, July\2402010 ) S
(\() S
gsave
newpath
296.2 -184.9 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [295.190369 -186.599991 318.569275 -174.499985] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc5929.txt)] Cd /ANN pdfmark
(\).) S
8 -205.6 M
([RFC6265]) S
[/View [/XYZ -4 842 null] /Dest /129 /DEST pdfmark
165.7 -205.6 M
(Barth, A., ) S
(\233) S
gsave
newpath
216.7 -206.7 M
115.148438 0 RL
stroke
grestore
(HTTP State Management ) S
gsave
newpath
331.9 -206.7 M
51.3125 0 RL
stroke
grestore
(Mechanism) S
[/Rect [215.737259 -208.349991 384.198181 -196.249985] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://tools.ietf.org/html/rfc6265)] Cd /ANN pdfmark
(,\234) S
165.7 -218.8 M
(RFC\2406265, April\2402011 ) S
(\() S
gsave
newpath
271.1 -219.9 M
21.3789062 0 RL
stroke
grestore
(TXT) S
[/Rect [270.135681 -221.549988 293.514587 -209.449982] /Subtype /Link /Border [0 0 0] /Action [/Subtype /URI /URI (http://www.rfc-editor.org/rfc/rfc6265.txt)] Cd /ANN pdfmark
(\).) S
0 -238.5 M
[/View [/XYZ -4 518.45 null] /Dest /130 /DEST pdfmark
0 -238.5 M
[/View [/XYZ -4 518.45 null] /Dest /131 /DEST pdfmark
0 -257.5 M
%%IncludeResource: font Times-Bold
15 2 Nf
(Appendix) S
[/View [/XYZ -4 517.45 null] /Dest /216 /DEST pdfmark
( A. \(Informative\) Draft Remarks from ) S
(Authors) S
0 -281.8 M
11 0 Nf
(The following items are currently under consideration for future revisions by the authors. ) S
11 -302.3 M
gsave
0 setgray
newpath
11.0 -302.32 2.75 0 360 arc
closepath
fill
grestore
22 -305.9 M
(Whether to keep TLS-key validation or not. ) S
11 -316.5 M
gsave
0 setgray
newpath
11.0 -316.52002 2.75 0 360 arc
closepath
fill
grestore
22 -320.2 M
0.371419281 0 32 0 0 (When keeping tls-key validation, whether to use ) A
gsave
newpath
240.2 -321.3 M
64.4811172 0 RL
stroke
grestore
0.371419281 0 32 0 0 ("TLS channel ) A
gsave
newpath
304.7 -321.3 M
38.09375 0 RL
stroke
grestore
0.371419281 0 32 0 0 (binding") A
[/Rect [239.234375 -322.900024 343.808594 -310.800018] /Subtype /Link /Border [0 0 0] /Dest /128 /ANN pdfmark
0.371419281 0 32 0 0 ( [RFC5929] for "tls-key") A
22 -333.4 M
4.10390615 0 32 0 0 (verification ) A
4.10390615 0 32 0 0 (\() A
gsave
newpath
83.2 -334.5 M
41.2382812 0 RL
stroke
grestore
4.10390615 0 32 0 0 (Section\2407) A
[/Rect [82.1992188 -336.100037 125.4375 -324.000031] /Subtype /Link /Border [0 0 0] /Dest /66 /ANN pdfmark
4.10390615 0 32 0 0 (\). Note that existing TLS implementations should be considered to) A
22 -346.6 M
(determine this. ) S
11 -357.1 M
gsave
0 setgray
newpath
11.0 -357.120056 2.75 0 360 arc
closepath
fill
grestore
22 -360.8 M
4.03466797 0 32 0 0 (Adopt ) A
gsave
newpath
56.3 -361.9 M
121.804688 0 RL
stroke
grestore
4.03466797 0 32 0 0 ([I-D.ietf-precis-framework]) A
[/Rect [55.2773438 -363.500061 179.082031 -351.400055] /Subtype /Link /Border [0 0 0] /Dest /115 /ANN pdfmark
4.03466797 0 32 0 0 ( for replacing SASLprep reference. Especially, use NFC) A
22 -374 M
(canonicalization instead of NFKC. ) S
11 -384.5 M
gsave
0 setgray
newpath
11.0 -384.520081 2.75 0 360 arc
closepath
fill
grestore
22 -388.2 M
(Adding test vectors for ensuring implementation correctness. ) S
11 -398.7 M
gsave
0 setgray
newpath
11.0 -398.720093 2.75 0 360 arc
closepath
fill
grestore
22 -402.4 M
0.00931490399 0 32 0 0 (Possibly adding a method for servers to detect availability of Mutual authentication on client-side. ) A
11 -412.9 M
gsave
0 setgray
newpath
11.0 -412.920105 2.75 0 360 arc
closepath
fill
grestore
22 -416.6 M
(Possible support for optional key renewal and cross-site federated ) S
(authentication.) S
0 -427.6 M
[/View [/XYZ -4 329.44989 null] /Dest /132 /DEST pdfmark
0 -427.6 M
[/View [/XYZ -4 329.44989 null] /Dest /133 /DEST pdfmark
0 -446.6 M
15 2 Nf
(Appendix) S
[/View [/XYZ -4 328.44989 null] /Dest /217 /DEST pdfmark
( B. \(Informative\) Draft Change ) S
(Log) S
0 -454.1 M
[/View [/XYZ -4 302.94989 null] /Dest /134 /DEST pdfmark
0 -454.1 M
[/View [/XYZ -4 302.94989 null] /Dest /135 /DEST pdfmark
0 -476.6 M
15 2 Nf
(B.1.) S
[/View [/XYZ -4 298.44989 null] /Dest /218 /DEST pdfmark
( Changes in HttpBis Revision ) S
(00) S
0 -500.8 M
11 0 Nf
2.07003355 0 32 0 0 (Note: the token for the header parameter "version" is NOT changed from "-draft11", because the) A
0 -514 M
(protocol semantics has not been changed in this revision. ) S
0 -538.2 M
(None.) S
0 -549.2 M
[/View [/XYZ -4 207.849854 null] /Dest /136 /DEST pdfmark
0 -549.2 M
[/View [/XYZ -4 207.849854 null] /Dest /137 /DEST pdfmark
0 -568.2 M
15 2 Nf
(B.2.) S
[/View [/XYZ -4 206.849854 null] /Dest /219 /DEST pdfmark
( Changes in Revision ) S
(12) S
11 -588.7 M
gsave
0 setgray
newpath
11.0 -588.720154 2.75 0 360 arc
closepath
fill
grestore
22 -592.4 M
11 0 Nf
(Added a reason ) S
("authz-failed".) S
0 -603.4 M
[/View [/XYZ -4 153.649841 null] /Dest /138 /DEST pdfmark
0 -603.4 M
[/View [/XYZ -4 153.649841 null] /Dest /139 /DEST pdfmark
0 -604.4 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 32 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 33 33
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
0 0 M
0.6 setlinewidth
0 -18 M
%%IncludeResource: font Times-Bold
15 2 Nf
(B.3.) S
[/View [/XYZ -4 757.0 null] /Dest /220 /DEST pdfmark
( Changes in Revision ) S
(11) S
11 -38.6 M
gsave
0 setgray
newpath
11.0 -38.57 2.75 0 360 arc
closepath
fill
grestore
22 -42.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
0.15182291 0 32 0 0 (Message syntax definition reverted to pre-07 style as httpbis-p1 and p7 now define a precise rule) A
22 -55.4 M
(for parameter value parsing. ) S
11 -66 M
gsave
0 setgray
newpath
11.0 -65.97 2.75 0 360 arc
closepath
fill
grestore
22 -69.6 M
0.790234387 0 32 0 0 (Replaced "stale" parameter with more informative/extensive "reason" parameter in 401-INIT and) A
22 -82.8 M
(401-STALE. ) S
11 -93.4 M
gsave
0 setgray
newpath
11.0 -93.37 2.75 0 360 arc
closepath
fill
grestore
22 -97 M
(Reserved "rekey-sid" and "rekey-method" parameters for future extensions. ) S
11 -107.6 M
gsave
0 setgray
newpath
11.0 -107.57 2.75 0 360 arc
closepath
fill
grestore
22 -111.2 M
(Added descriptions for replacing/non-replacing existing ) S
(technologies.) S
0 -122.2 M
[/View [/XYZ -4 634.8 null] /Dest /140 /DEST pdfmark
0 -122.2 M
[/View [/XYZ -4 634.8 null] /Dest /141 /DEST pdfmark
0 -141.2 M
15 2 Nf
(B.4.) S
[/View [/XYZ -4 633.8 null] /Dest /221 /DEST pdfmark
( Changes in Revision ) S
(10) S
11 -161.8 M
gsave
0 setgray
newpath
11.0 -161.77 2.75 0 360 arc
closepath
fill
grestore
22 -165.4 M
11 0 Nf
0.0503472239 0 32 0 0 (The authentication extension parts \(non-mandatory authentication and authentication controls\) are) A
22 -178.6 M
(separated to yet another draft. ) S
11 -189.2 M
gsave
0 setgray
newpath
11.0 -189.17 2.75 0 360 arc
closepath
fill
grestore
22 -192.8 M
2.37890625 0 32 0 0 (The default auth-domain parameter is changed to the full scheme-host-port syntax, which is) A
22 -206 M
(consistent with usual HTTP authentication framework behavior. ) S
11 -216.6 M
gsave
0 setgray
newpath
11.0 -216.569992 2.75 0 360 arc
closepath
fill
grestore
22 -220.2 M
(Provision for application channel binding is added. ) S
11 -230.8 M
gsave
0 setgray
newpath
11.0 -230.769989 2.75 0 360 arc
closepath
fill
grestore
22 -234.4 M
(Provision for proxy access authentication is added. ) S
11 -245 M
gsave
0 setgray
newpath
11.0 -244.969986 2.75 0 360 arc
closepath
fill
grestore
22 -248.6 M
2.36467624 0 32 0 0 (Bug fix: syntax specification of sid parameter was wrong: it was inconsistent with the type) A
22 -261.8 M
(specified in the main text \(the bug introduced in -07 draft\). ) S
11 -272.4 M
gsave
0 setgray
newpath
11.0 -272.37 2.75 0 360 arc
closepath
fill
grestore
22 -276 M
3.10798 0 32 0 0 (Terminologies for headers are changed to be in harmony with httpbis drafts \(e.g. field to) A
22 -289.2 M
(parameter\). ) S
11 -299.8 M
gsave
0 setgray
newpath
11.0 -299.77002 2.75 0 360 arc
closepath
fill
grestore
22 -303.4 M
0.572115362 0 32 0 0 (Syntax definitions are changed to use HTTP-extended ABNF syntax, and only the header values) A
22 -316.6 M
(are shown for header syntax, in harmony with httpbis drafts. ) S
11 -327.2 M
gsave
0 setgray
newpath
11.0 -327.170044 2.75 0 360 arc
closepath
fill
grestore
22 -330.8 M
4.2080965 0 32 0 0 (Names of parameters and corresponding mathematical values are now renamed to more) A
22 -344 M
(informative ones. The following list shows correspondence between the new and the old names. ) S
74.5 -372.3 M
11 2 Nf
(new ) S
(name) S
130.2 -372.3 M
11 2 Nf
(old ) S
(name) S
179.4 -372.3 M
11 2 Nf
(description) S
74.5 -392.1 M
11 0 Nf
(S) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(, ) S
(S) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s1) S
0.0 2.2 RM
1.5 0.0 RM
0.0 -2.2 RM
130.2 -392.1 M
11 0 Nf
(s) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(a) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(, ) S
(s) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(b) S
0.0 2.2 RM
1.5 0.0 RM
0.0 -2.2 RM
179.4 -393.2 M
11 0 Nf
(client/server-side secret ) S
(randoms) S
74.5 -414 M
11 0 Nf
(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c1) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(, ) S
(K) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s1) S
0.0 2.2 RM
1.5 0.0 RM
0.0 -2.2 RM
130.2 -414 M
11 0 Nf
(w) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(a) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(, ) S
(w) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(b) S
0.0 2.2 RM
1.5 0.0 RM
0.0 -2.2 RM
179.4 -415.1 M
11 0 Nf
(client/server-side exchanged key ) S
(components) S
74.5 -436 M
(kc1, ) S
(ks1) S
130.2 -436 M
(wa, ) S
(wb) S
179.4 -436 M
(parameter names for ) S
(those) S
74.5 -455.7 M
11 0 Nf
(VK) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(c) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(, ) S
(VK) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(s) S
0.0 2.2 RM
1.5 0.0 RM
0.0 -2.2 RM
130.2 -455.7 M
11 0 Nf
(o) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(a) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
(, ) S
(o) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(b) S
0.0 2.2 RM
1.5 0.0 RM
0.0 -2.2 RM
179.4 -456.8 M
11 0 Nf
(client/server-side key ) S
(verifiers) S
74.5 -477.7 M
(vkc, ) S
(vks) S
130.2 -477.7 M
(oa, ) S
(ob) S
179.4 -477.7 M
(parameter names for ) S
(those) S
74.5 -497.4 M
(z) S
130.2 -497.4 M
(z) S
179.4 -497.4 M
(session ) S
(secrets) S
0 -514.1 M
[/View [/XYZ -4 242.849976 null] /Dest /142 /DEST pdfmark
0 -514.1 M
[/View [/XYZ -4 242.849976 null] /Dest /143 /DEST pdfmark
0 -533.1 M
15 2 Nf
(B.5.) S
[/View [/XYZ -4 241.849976 null] /Dest /222 /DEST pdfmark
( Changes in Revision ) S
(09) S
11 -553.7 M
gsave
0 setgray
newpath
11.0 -553.720032 2.75 0 360 arc
closepath
fill
grestore
22 -557.4 M
11 0 Nf
(The \(default\) cryptographic algorithms are separated to another draft. ) S
11 -567.9 M
gsave
0 setgray
newpath
11.0 -567.920044 2.75 0 360 arc
closepath
fill
grestore
22 -571.6 M
0.865104139 0 32 0 0 (Names of the messages are changed to more informative ones than before. The following is the) A
22 -584.8 M
(correspondence table of those ) S
(names:) S
49.7 -613.1 M
11 2 Nf
(new ) S
(name) S
140 -613.1 M
11 2 Nf
(old ) S
(name) S
221.3 -613.1 M
11 2 Nf
(description) S
49.7 -632.8 M
11 0 Nf
(401-INIT) S
140 -632.8 M
(401-B0) S
221.3 -632.8 M
(initial ) S
(response) S
49.7 -652.6 M
(401-STALE) S
140 -652.6 M
(401-B0-stale) S
221.3 -652.6 M
(session key ) S
(expired) S
221.3 -652.6 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 33 -) S
0 setgray
442.6 -8 M
grestore
pgsave restore N
%%Page: 34 34
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
% Page 34 of the draft: the rest of the B.5 message-name table, then the
% change logs B.6 (revision 08) to B.10 (revision 04).
% The page is bracketed by "/pgsave save D" above and "pgsave restore" at the end.
% M, S, A, Nf, RM and RL are html2ps prolog procedures defined outside this
% excerpt; from their use here they look like moveto, show, justified show,
% font select (size, index into the FL font list), rmoveto and rlineto --
% confirm against the prolog.
0 0 M
0.6 setlinewidth
% B.5 table, continued from page 33. Three cells per row at x = 49.7 / 140 / 221.3:
% new message name, old message name, description.
49.7 -14 M
%%IncludeResource: font Times-Roman
11 0 Nf
(req-KEX-C1) S
140 -14 M
(req-A1) S
221.3 -14 M
(client->server key ) S
(exchange) S
49.7 -33.8 M
(401-KEX-S1) S
140 -33.8 M
(401-B1) S
221.3 -33.8 M
(server->client key ) S
(exchange) S
49.7 -53.5 M
(req-VFY-C) S
140 -53.5 M
(req-A3) S
221.3 -53.5 M
(client->server auth. ) S
(verification) S
49.7 -73.2 M
(200-VFY-S) S
140 -73.2 M
(200-B4) S
221.3 -73.2 M
(server->client auth. ) S
(verification) S
49.7 -93 M
(200-Optional-INIT) S
140 -93 M
(200-Optional-B0) S
221.3 -93 M
(initial with non-mandatory ) S
(authentication) S
% pdfmark /DEST entries define named destinations (link targets) for a
% PostScript-to-PDF converter; they draw nothing on the page.
0 -109.8 M
[/View [/XYZ -4 647.25 null] /Dest /144 /DEST pdfmark
0 -109.8 M
[/View [/XYZ -4 647.25 null] /Dest /145 /DEST pdfmark
% Section heading "B.6. Changes in Revision 08": 15 pt, FL index 2 (Times-Bold).
0 -128.8 M
%%IncludeResource: font Times-Bold
15 2 Nf
(B.6.) S
[/View [/XYZ -4 646.25 null] /Dest /223 /DEST pdfmark
( Changes in Revision ) S
(08) S
% First-level list item: a filled circle of radius 2.75 as the bullet, then the
% item text in 11 pt Times-Roman (FL index 0). The same pattern repeats below.
11 -149.3 M
gsave
0 setgray
newpath
11.0 -149.32 2.75 0 360 arc
closepath
fill
grestore
22 -152.9 M
11 0 Nf
(The English text has been revised. ) S
0 -163.9 M
[/View [/XYZ -4 593.05 null] /Dest /146 /DEST pdfmark
0 -163.9 M
[/View [/XYZ -4 593.05 null] /Dest /147 /DEST pdfmark
% Section heading "B.7. Changes in Revision 07".
0 -182.9 M
15 2 Nf
(B.7.) S
[/View [/XYZ -4 592.05 null] /Dest /224 /DEST pdfmark
( Changes in Revision ) S
(07) S
11 -203.5 M
gsave
0 setgray
newpath
11.0 -203.52 2.75 0 360 arc
closepath
fill
grestore
22 -207.2 M
11 0 Nf
(Adapt to httpbis HTTP/1.1 drafts: ) S
% Second-level (nested) list items: indented to x = 33, and the circle is
% outlined (stroke) instead of filled.
33 -217.7 M
gsave
0 setgray
newpath
33.0 -217.72 2.75 0 360 arc
closepath
stroke
grestore
44 -221.3 M
(Changed definition of extensive-token. ) S
33 -231.9 M
gsave
0 setgray
newpath
33.0 -231.92 2.75 0 360 arc
closepath
stroke
grestore
44 -235.5 M
% %0D.0A.20 is CR LF SP, i.e. a folded (continued) header line. The "%" sits
% inside a PostScript string, so it does not start a comment.
(LWSP continuation-line \(%0D.0A.20\) ) S
(deprecated.) S
11 -246.1 M
gsave
0 setgray
newpath
11.0 -246.12 2.75 0 360 arc
closepath
fill
grestore
22 -249.7 M
% NOTE(review): this entry records a wire-format change. The same digit string
% denotes different values as hex and as decimal, so peers on either side of
% revision 07 would presumably disagree on nonce-counter values -- confirm in
% the main text how mixed revisions are expected to behave.
2.78605771 0 32 0 0 (To simplify the whole spec, the type of nonce-counter related parameters are change from) A
22 -262.9 M
(hex-integer to integer. ) S
11 -273.5 M
gsave
0 setgray
newpath
11.0 -273.52 2.75 0 360 arc
closepath
fill
grestore
22 -277.1 M
(Algorithm tokens are renamed to include names of hash algorithms. ) S
11 -287.7 M
gsave
0 setgray
newpath
11.0 -287.72 2.75 0 360 arc
closepath
fill
grestore
22 -291.4 M
(Clarified the session management, added details of server-side protocol decisions. ) S
11 -301.9 M
gsave
0 setgray
newpath
11.0 -301.92 2.75 0 360 arc
closepath
fill
grestore
22 -305.6 M
(The whole draft was reorganized; introduction and overview has been rewritten. ) S
0 -316.6 M
[/View [/XYZ -4 440.449982 null] /Dest /148 /DEST pdfmark
0 -316.6 M
[/View [/XYZ -4 440.449982 null] /Dest /149 /DEST pdfmark
% Section heading "B.8. Changes in Revision 06".
0 -335.6 M
15 2 Nf
(B.8.) S
[/View [/XYZ -4 439.449982 null] /Dest /225 /DEST pdfmark
( Changes in Revision ) S
(06) S
11 -356.1 M
gsave
0 setgray
newpath
11.0 -356.120026 2.75 0 360 arc
closepath
fill
grestore
22 -359.8 M
11 0 Nf
(Integrated Optional Mutual Authentication to the main part. ) S
11 -370.3 M
gsave
0 setgray
newpath
11.0 -370.320038 2.75 0 360 arc
closepath
fill
grestore
22 -374 M
(Clarified the decision procedure for message recognitions. ) S
11 -384.5 M
gsave
0 setgray
newpath
11.0 -384.52005 2.75 0 360 arc
closepath
fill
grestore
22 -388.2 M
2.05649042 0 32 0 0 (Clarified that a new authentication request for any sub-requests in interactive clients may be) A
22 -401.4 M
(silently discarded. ) S
11 -411.9 M
gsave
0 setgray
newpath
11.0 -411.920074 2.75 0 360 arc
closepath
fill
grestore
22 -415.6 M
(Typos and confusing phrases are fixed. ) S
11 -426.1 M
gsave
0 setgray
newpath
11.0 -426.120087 2.75 0 360 arc
closepath
fill
grestore
22 -429.8 M
(Several "future considerations" are ) S
(added.) S
0 -440.8 M
[/View [/XYZ -4 316.249908 null] /Dest /150 /DEST pdfmark
0 -440.8 M
[/View [/XYZ -4 316.249908 null] /Dest /151 /DEST pdfmark
% Section heading "B.9. Changes in Revision 05".
0 -459.8 M
15 2 Nf
(B.9.) S
[/View [/XYZ -4 315.249908 null] /Dest /226 /DEST pdfmark
( Changes in Revision ) S
(05) S
11 -480.3 M
gsave
0 setgray
newpath
11.0 -480.320099 2.75 0 360 arc
closepath
fill
grestore
22 -484 M
11 0 Nf
1.64753604 0 32 0 0 (A new parameter called "version" is added for supporting future incompatible changes with a) A
22 -497.2 M
(single implementation. In the \(first\) final specification its value will be changed to 1. ) S
11 -507.7 M
gsave
0 setgray
newpath
11.0 -507.720123 2.75 0 360 arc
closepath
fill
grestore
22 -511.4 M
4.55546856 0 32 0 0 (A new header "Authentication-Control" is added for precise control of application-level) A
22 -524.6 M
(authentication ) S
(behavior.) S
0 -535.6 M
[/View [/XYZ -4 221.44989 null] /Dest /152 /DEST pdfmark
0 -535.6 M
[/View [/XYZ -4 221.44989 null] /Dest /153 /DEST pdfmark
% Section heading "B.10. Changes in Revision 04".
0 -554.6 M
15 2 Nf
(B.10.) S
[/View [/XYZ -4 220.44989 null] /Dest /227 /DEST pdfmark
( Changes in Revision ) S
(04) S
11 -575.1 M
gsave
0 setgray
newpath
11.0 -575.120117 2.75 0 360 arc
closepath
fill
grestore
22 -578.8 M
11 0 Nf
0.166145831 0 32 0 0 (Changed text of patent licenses: the phrase "once the protocol is accepted as an Internet standard") A
22 -592 M
(is removed so that the sentence also covers the draft versions of this protocol. ) S
11 -602.5 M
gsave
0 setgray
newpath
11.0 -602.520142 2.75 0 360 arc
closepath
fill
grestore
22 -606.2 M
% NOTE(review): OPTIONAL is presumably the RFC 2119 keyword here, i.e. an
% implementation need not support "tls-key" verification. A deployment that
% relies on it would have to check that both peers implement it -- confirm
% against the requirement wording in the main text.
(The "tls-key" verification is now OPTIONAL. ) S
11 -616.7 M
gsave
0 setgray
newpath
11.0 -616.720154 2.75 0 360 arc
closepath
fill
grestore
22 -620.4 M
(Several description fixes and ) S
(clarifications.) S
% Page footer: the page number "- 34 -" in 8 pt, FL index 8 (Helvetica), then the
% state saved in page setup is restored. N is a prolog procedure not shown in
% this excerpt (presumably it emits the page).
0 -631.4 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 34 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%Page: 35 35
%%PageResources: font Times-Roman Times-Bold Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
% Page 35 of the draft: change logs B.11 (revision 03) to B.13 (revision 01),
% then the first part of the "Authors' Addresses" block.
% The page is bracketed by "/pgsave save D" above and "pgsave restore" at the end.
% M, S, A, Nf, RM and RL are html2ps prolog procedures defined outside this
% excerpt; from their use here they look like moveto, show, justified show,
% font select (size, index into the FL font list), rmoveto and rlineto --
% confirm against the prolog.
0 0 M
0.6 setlinewidth
% pdfmark /DEST entries define named destinations (link targets) for a
% PostScript-to-PDF converter; they draw nothing on the page.
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /154 /DEST pdfmark
0 0 M
[/View [/XYZ -4 757.0 null] /Dest /155 /DEST pdfmark
% Section heading "B.11. Changes in Revision 03": 15 pt, FL index 2 (Times-Bold).
0 -18 M
%%IncludeResource: font Times-Bold
15 2 Nf
(B.11.) S
[/View [/XYZ -4 757.0 null] /Dest /228 /DEST pdfmark
( Changes in Revision ) S
(03) S
% List item: a filled circle of radius 2.75 as the bullet, then the item text in
% 11 pt Times-Roman (FL index 0). The same pattern repeats below.
11 -38.6 M
gsave
0 setgray
newpath
11.0 -38.57 2.75 0 360 arc
closepath
fill
grestore
22 -42.2 M
%%IncludeResource: font Times-Roman
11 0 Nf
% NOTE(review): a wildcard auth-domain presumably lets one authentication
% domain cover every host that matches the pattern. The matching rules are in
% Section 4.1 of the draft, not in this change log -- check them before relying
% on a wildcard to separate hosts.
0.957465291 0 32 0 0 (Wildcard domain specifications \(e.g. "*.example.com"\) are allowed for auth-domain parameters ) A
22 -55.4 M
(\() S
% Underline drawn under the cross-reference text, followed by a PDF link
% annotation (/ANN with /Subtype /Link) that points at named destination /50.
gsave
newpath
25.7 -56.5 M
49.4882812 0 RL
stroke
grestore
(Section\2404.1) S
[/Rect [24.6601562 -58.15 76.1484375 -46.0500031] /Subtype /Link /Border [0 0 0] /Dest /50 /ANN pdfmark
(\). ) S
11 -66 M
gsave
0 setgray
newpath
11.0 -65.97 2.75 0 360 arc
closepath
fill
grestore
22 -69.6 M
% NOTE(review): the authors mark this as an incompatible change, so revision 02
% and revision 03 implementations would presumably not interoperate when
% "tls-cert" verification is in use -- confirm in the main text.
(Specification of the "tls-cert" verification is updated \(incompatible change\). ) S
11 -80.2 M
gsave
0 setgray
newpath
11.0 -80.1700058 2.75 0 360 arc
closepath
fill
grestore
22 -83.8 M
(State transitions fixed. ) S
11 -94.4 M
gsave
0 setgray
newpath
11.0 -94.37 2.75 0 360 arc
closepath
fill
grestore
22 -98 M
11 0 Nf
(Requirements for servers concerning ) S
% "w" with subscript "a": the subscript is set at 8.36798 pt after a 2.2-unit
% downward shift, then the shift is undone and the 11 pt font is selected again.
(w) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(a) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( values are clarified. ) S
0.0 -2.2 RM
11 -110.8 M
gsave
0 setgray
newpath
11.0 -110.77 2.75 0 360 arc
closepath
fill
grestore
22 -114.4 M
(RFC references are ) S
(updated.) S
0 -125.4 M
[/View [/XYZ -4 631.6 null] /Dest /156 /DEST pdfmark
0 -125.4 M
[/View [/XYZ -4 631.6 null] /Dest /157 /DEST pdfmark
% Section heading "B.12. Changes in Revision 02".
0 -144.4 M
15 2 Nf
(B.12.) S
[/View [/XYZ -4 630.6 null] /Dest /229 /DEST pdfmark
( Changes in Revision ) S
(02) S
11 -165 M
gsave
0 setgray
newpath
11.0 -164.97 2.75 0 360 arc
closepath
fill
grestore
22 -168.6 M
11 0 Nf
(Auth-realm is extended to allow full-scheme type. ) S
11 -179.2 M
gsave
0 setgray
newpath
11.0 -179.17 2.75 0 360 arc
closepath
fill
grestore
22 -182.8 M
(A decision diagram for clients and decision procedures for servers are added. ) S
11 -193.4 M
gsave
0 setgray
newpath
11.0 -193.37 2.75 0 360 arc
closepath
fill
grestore
22 -197 M
% 401-B1 and req-A3 are the old message names; the B.5 table maps them to
% 401-KEX-S1 and req-VFY-C.
(401-B1 and req-A3 messages are changed to contain authentication realm information. ) S
11 -207.6 M
gsave
0 setgray
newpath
11.0 -207.569992 2.75 0 360 arc
closepath
fill
grestore
22 -211.2 M
11 0 Nf
(Bugs on equations for ) S
% "o" with subscript "A", then "o" with subscript "B", typeset with the same
% shift-and-shrink pattern as the subscript above.
(o) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(A) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( and ) S
(o) S
1.2 0.0 RM
0.0 -2.2 RM
8.36798 0 Nf
(B) S
0.0 2.2 RM
1.5 0.0 RM
11 0 Nf
( are fixed. ) S
0.0 -2.2 RM
11 -224 M
gsave
0 setgray
newpath
11.0 -223.969986 2.75 0 360 arc
closepath
fill
grestore
22 -227.6 M
(Detailed equations for the entire algorithm are included. ) S
11 -238.2 M
gsave
0 setgray
newpath
11.0 -238.169983 2.75 0 360 arc
closepath
fill
grestore
22 -241.8 M
(Elliptic-curve algorithms are updated. ) S
11 -252.4 M
gsave
0 setgray
newpath
11.0 -252.36998 2.75 0 360 arc
closepath
fill
grestore
22 -256 M
(Several clarifications and other minor ) S
(updates.) S
0 -267 M
[/View [/XYZ -4 490.000031 null] /Dest /158 /DEST pdfmark
0 -267 M
[/View [/XYZ -4 490.000031 null] /Dest /159 /DEST pdfmark
% Section heading "B.13. Changes in Revision 01".
0 -286 M
15 2 Nf
(B.13.) S
[/View [/XYZ -4 489.000031 null] /Dest /230 /DEST pdfmark
( Changes in Revision ) S
(01) S
11 -306.6 M
gsave
0 setgray
newpath
11.0 -306.569977 2.75 0 360 arc
closepath
fill
grestore
22 -310.2 M
11 0 Nf
(Several texts are rewritten for clarification. ) S
11 -320.8 M
gsave
0 setgray
newpath
11.0 -320.77 2.75 0 360 arc
closepath
fill
grestore
22 -324.4 M
(Added several security consideration ) S
(clauses.) S
0 -335.4 M
[/View [/XYZ -4 421.6 null] /Dest /160 /DEST pdfmark
% Heading "Authors' Addresses" (15 pt, FL index 2).
0 -354.4 M
15 2 Nf
(Authors') S
[/View [/XYZ -4 420.6 null] /Dest /231 /DEST pdfmark
( ) S
(Addresses) S
% Address block laid out as two columns: a label cell at x = 0 (or 12.6 for
% "Email:") and the value at x = 44.6. \240 is character code 160, which the
% ISOLatin1Encoding vector in the prolog maps to /space, so "(\240) S" is an
% empty cell.
0 -379.7 M
11 0 Nf
(\240) S
44.6 -379.7 M
(Yutaka ) S
(Oiwa) S
0 -393.4 M
(\240) S
44.6 -393.4 M
(National Institute of Advanced Industrial Science and ) S
(Technology) S
0 -407.2 M
(\240) S
44.6 -407.2 M
(Research Institute for Secure ) S
(Systems) S
0 -420.9 M
(\240) S
44.6 -420.9 M
(Tsukuba Central ) S
(2) S
0 -434.7 M
(\240) S
44.6 -434.7 M
(1-1-1 ) S
(Umezono) S
0 -448.4 M
(\240) S
44.6 -448.4 M
(Tsukuba-shi, ) S
(Ibaraki) S
0 -462.2 M
(\240) S
44.6 -462.2 M
(JP) S
12.6 -475.9 M
(Email:\240) S
44.6 -475.9 M
% The e-mail address is underlined; no link annotation is attached to it.
gsave
newpath
44.6 -477.1 M
154.285156 0 RL
stroke
grestore
(mutual-auth-contact-ml@aist.go.jp) S
0 -489.7 M
(\240) S
44.6 -489.7 M
(\240) S
0 -503.4 M
(\240) S
44.6 -503.4 M
(Hajime ) S
(Watanabe) S
0 -517.2 M
(\240) S
44.6 -517.2 M
(National Institute of Advanced Industrial Science and ) S
(Technology) S
0 -530.9 M
(\240) S
44.6 -530.9 M
(\240) S
0 -544.7 M
(\240) S
44.6 -544.7 M
(Hiromitsu ) S
(Takagi) S
0 -558.4 M
(\240) S
44.6 -558.4 M
(National Institute of Advanced Industrial Science and ) S
(Technology) S
0 -572.2 M
(\240) S
44.6 -572.2 M
(\240) S
0 -585.9 M
(\240) S
44.6 -585.9 M
(Boku ) S
(Kihara) S
0 -599.7 M
(\240) S
44.6 -599.7 M
(Lepidum Co. ) S
(Ltd.) S
0 -613.4 M
(\240) S
44.6 -613.4 M
(#602, Village Sasazuka ) S
(3) S
0 -627.2 M
(\240) S
44.6 -627.2 M
(1-30-3 ) S
(Sasazuka) S
0 -640.9 M
(\240) S
44.6 -640.9 M
(Shibuya-ku, ) S
(Tokyo) S
0 -654.7 M
(\240) S
44.6 -654.7 M
(JP) S
0 -668.4 M
(\240) S
44.6 -668.4 M
(\240) S
% Page footer: the page number "- 35 -" in 8 pt, FL index 8 (Helvetica), then the
% state saved in page setup is restored. N is a prolog procedure not shown in
% this excerpt (presumably it emits the page).
44.6 -668.4 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 35 -) S
0 setgray
89.3 -8 M
grestore
pgsave restore N
%%Page: 36 36
%%PageResources: font Times-Roman Helvetica
%%BeginPageSetup
/pgsave save D
71 757 translate
%%EndPageSetup
% Page 36, the last page of the draft: the rest of the "Authors' Addresses" block.
% The page is bracketed by "/pgsave save D" above and "pgsave restore" at the end.
% M, S and Nf are html2ps prolog procedures defined outside this excerpt; from
% their use here they look like moveto, show and font select (size, index into
% the FL font list) -- confirm against the prolog.
0 0 M
0.6 setlinewidth
% Two-column layout: a label cell at x = 0 and the value at x = 44.6, in 11 pt
% Times-Roman (FL index 0). \240 is character code 160, which the
% ISOLatin1Encoding vector in the prolog maps to /space, so "(\240) S" is an
% empty cell.
0 -11 M
%%IncludeResource: font Times-Roman
11 0 Nf
(\240) S
44.6 -11 M
(Tatsuya ) S
(Hayashi) S
0 -24.8 M
(\240) S
44.6 -24.8 M
(Lepidum Co. ) S
(Ltd.) S
0 -38.5 M
(\240) S
44.6 -38.5 M
(\240) S
0 -52.2 M
(\240) S
44.6 -52.2 M
(Yuichi ) S
(Ioku) S
0 -66 M
(\240) S
44.6 -66 M
(Yahoo! Japan, ) S
(Inc.) S
0 -79.8 M
(\240) S
44.6 -79.8 M
(Midtown ) S
(Tower) S
0 -93.5 M
(\240) S
44.6 -93.5 M
(9-7-1 ) S
(Akasaka) S
0 -107.2 M
(\240) S
44.6 -107.2 M
(Minato-ku, ) S
(Tokyo) S
0 -121 M
(\240) S
44.6 -121 M
(JP) S
% Page footer: the page number "- 36 -" in 8 pt, FL index 8 (Helvetica), then the
% state saved in page setup is restored. N is a prolog procedure not shown in
% this excerpt (presumably it emits the page).
0 -134.8 M
gsave
0 setgray
217.7 -712 M
%%IncludeResource: font Helvetica
8 8 Nf
(- 36 -) S
0 setgray
0 -8 M
grestore
pgsave restore N
%%EOF
