(LAST CALL) Re: Implicit server authentication: Proposed clarification

[Bill Sommerfeld <sommerfeld%east.sun.com@localhost>]

[Sorry for the delay in dealing with this loose end.]

Seeing no further followup to this thread, I'm going to suggest a
slight modification to Niels's text:

He wrote:
   All currently defined key exchange methods use explicit server
   authentication.  

This is a little vague for my tastes; I'd say 

   The key exchange method defined in this documents use explicit server 
   authentication.

.. and then have dh-group-exchange and gsskeyex say the same..

This makes the change the following:

Before:

   Server authentication in the key exchange MAY be implicit.  After a
   key exchange with implicit server authentication, the client MUST
   wait for response to its service request message before sending any
   further data.

After:

   A key exchange method uses "explicit server authentication" if the
   key exchange messages include a signature or other proof of the
   server's authenticity.  A key exchange method uses "implicit server
   authentication" if, in order to prove its autenticity, the server
   also has to prove that it knows the shared secret K, by sending a
   message and a corresponding MAC which the client can verify. [1]

   The key exchange method defined by this document uses explicit server 
   authentication.  However, key exchange methods with implicit server
   authentication MAY be used with this protocol.  After a key exchange
   with implicit server authentication, the client MUST wait for
   response to its service request message before sending any further
   data.

Please send comments on this proposed change to the WG list by Monday,
January 4th, 2004.

					- Bill