The remote-tok thing doesn't work because at this point it is already too late, as the server (read: a potential MiM attacker) has already received the token. I think the server needs to be authenticated before the client sends the tok. Or am I misunderstanding the problem? Maybe the client could at the very least verify that the certificate hasn't changed?
_______________________________________________
Standards mailing list
Info: http://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
