One thing which could be misinterpreted
Key-info: KerberosIV-session-key
This is intended to convey that the server is telling the client to use the
Kerberos session key for encryption; *not* that either party should actually
quote the key over HTTP. This would be very, very silly. Actually, thinking
about my later comments, I really want a method for preceding each
request/reply with a header which says that the following text is encrypted
(or not) and the mechanism used.
Also, while I said that a Can-authenticate header should not default to "None"
(so that a very secure server can clearly insist on authentication), browsers
should treat the *absence* of Can-authenticate as "None", to cope with older
servers.
Flame away. :-)
Peter Lister Email: [email protected]
Computer Centre, Cranfield University Voice: +44 234 754200 ext 2828
Cranfield, Bedfordshire MK43 0AL UK Fax: +44 234 750875
--- Go stick your head in a pig. (R) Sirius Cybernetics Corporation ---