> > btw, can you provide details of your proposal that you gave in 1995?
> > And what was Dave's proposal in 1992?

> Does it? The Auth-ID is still transmitted in the clear, exposing it to
> everything between the server and the client. And expiration wouldn't

See the content of Auth-ID in light of the proposal given earlier (see
above) where this ID:

1. may be encoded / encrypted (as required)
2. has an algorithm for generation - which may include IP addresses of
   both the parties etc
3. obviously, has some data that is specific to the server (that does
   session management). This is the private part of the ID which,
   again, may be en-coded/crypted.

--
Cheers,
Gaurav Vaish
http://www.mastergaurav.org
http://mastergaurav.blogspot.com
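
As an added example, not part of the original message: one way an Auth-ID of the kind listed in points 1 to 3 could be generated and checked by the server. The field layout, the use of HMAC-SHA256 (a keyed MAC in place of encryption), all names and the sample addresses are assumptions.

```python
import base64
import hashlib
import hmac
import ipaddress
import secrets
import struct

SERVER_KEY = secrets.token_bytes(32)  # assumed server-private secret, never sent
SID_LEN, TAG_LEN = 16, 32


def _tag(key, sid, expires, client_ip, server_ip):
    # The MAC covers the session id, the expiry and both endpoint addresses.
    msg = sid + struct.pack(">Q", expires)
    for ip in (client_ip, server_ip):
        packed = ipaddress.ip_address(ip).packed
        msg += bytes([len(packed)]) + packed  # length prefix keeps v4/v6 unambiguous
    return hmac.new(key, msg, hashlib.sha256).digest()


def issue_auth_id(client_ip, server_ip, now, ttl=900, key=SERVER_KEY):
    """Build an Auth-ID: random session id, expiry, and a keyed tag."""
    sid = secrets.token_bytes(SID_LEN)
    expires = int(now) + ttl
    tag = _tag(key, sid, expires, client_ip, server_ip)
    raw = sid + struct.pack(">Q", expires) + tag
    return base64.urlsafe_b64encode(raw).decode()


def verify_auth_id(token, client_ip, server_ip, now, key=SERVER_KEY):
    """Return the session id if the Auth-ID is valid for this connection, else None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # bad padding or non-ASCII input
        return None
    if len(raw) != SID_LEN + 8 + TAG_LEN:
        return None
    sid, exp_b, tag = raw[:SID_LEN], raw[SID_LEN:SID_LEN + 8], raw[SID_LEN + 8:]
    expires = struct.unpack(">Q", exp_b)[0]
    # Addresses are taken from the live connection, not from the token.
    expected = _tag(key, sid, expires, client_ip, server_ip)
    if not hmac.compare_digest(tag, expected):
        return None  # tampered, wrong key, or presented from other endpoints
    if now >= expires:
        return None  # expired
    return sid
```

Binding to addresses narrows where a captured ID can be replayed but does not hide it in transit, and clients behind the same NAT share an address, so the ID still needs a confidential transport.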