Hi,

On 24/04/18 17:30, Richard Barnes wrote:
>> 8.3. HTTP Challenge
>>
>> On receiving a response, the server constructs and stores the key
>> authorization from the challenge "token" value and the current client
>> account key.
>>
>> I'm not sure this storage step is necessary, or even visible in the
>> protocol operation. (E.g., the server can calculate the key
>> authorization at any time that it needs to know the value.) So you
>> might want to remove this sentence.
>>
> There's no harm in storing it; servers can make their own decisions.

Storing the key authorization avoids interference between a pending
authorization and an account key roll-over.

Best,
Sophie
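The interaction described in this message, as an added example that is not part of the original e-mail or of any ACME implementation: a server that snapshots the key authorization when the client responds still matches what the client provisioned after an account key roll-over, while one that recomputes it at validation time does not. It assumes the ACME key authorization format (token, a dot, then the base64url SHA-256 JWK thumbprint of the account key per RFC 7638); `ToyServer`, the keys and the token are hypothetical, constructed values.

```python
import base64
import hashlib
import hmac
import json

# RFC 7638: members that enter the thumbprint, per key type
REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

def jwk_thumbprint(jwk):
    """base64url(SHA-256(canonical JSON of the required members))."""
    members = {k: jwk[k] for k in REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def key_authorization(token, account_jwk):
    return token + "." + jwk_thumbprint(account_jwk)

class ToyServer:
    """Hypothetical server state: one account, one pending HTTP challenge."""
    def __init__(self, account_jwk, token):
        self.account_jwk, self.token = account_jwk, token
        self.stored = None

    def on_challenge_response(self):
        # Snapshot taken with the account key that is current at response time.
        self.stored = key_authorization(self.token, self.account_jwk)

    def roll_over(self, new_jwk):
        self.account_jwk = new_jwk

    def check_stored(self, body):
        return hmac.compare_digest(body.strip(), self.stored)

    def check_recomputed(self, body):
        expected = key_authorization(self.token, self.account_jwk)
        return hmac.compare_digest(body.strip(), expected)

# Constructed sample values (not real keys or tokens).
OLD_KEY = {"kty": "EC", "crv": "P-256", "x": "b2xkLXgtY29vcmRpbmF0ZQ", "y": "b2xkLXktY29vcmRpbmF0ZQ"}
NEW_KEY = {"kty": "EC", "crv": "P-256", "x": "bmV3LXgtY29vcmRpbmF0ZQ", "y": "bmV3LXktY29vcmRpbmF0ZQ"}
TOKEN = "constructed-token-0001"

def run_scenario():
    server = ToyServer(OLD_KEY, TOKEN)
    provisioned = key_authorization(TOKEN, OLD_KEY)  # what the client serves
    server.on_challenge_response()
    server.roll_over(NEW_KEY)  # key change lands before validation runs
    return server.check_stored(provisioned), server.check_recomputed(provisioned)
```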