Hi, I've shown this draft to a co-worker of mine (not on this list), and asked for a review. Here are some comments:
- Overall, this is an interesting problem.
- The document is missing a list of deficiencies with using Cookies.
- Section 2.1 says that TLS protects against replay. Really? How? It doesn't have a protected counter like IPsec.
- Will the resulting protocol support a transition from authenticated session to authenticated session for purposes such as re-authenticating after a specified time, or moving from weak authentication to strong authentication for high-value transactions?

Nit: HTTP is HyperText **Transfer** Protocol, not **Transport**. This one is already fixed in Nico's repository.

Yoav

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
