Public Review Draft - Authentication Mechanism

Darran Lofthouse

I provided some feedback earlier this year, but I suspect it may have been a long e-mail. I still have some comments on the latest specification.

At the moment an authentication mechanism is described as interacting with the caller to obtain credentials and then invoking an identity store to match the credentials to a known identity.

This seems like an oversimplification of the challenge-response nature of many mechanisms. Some mechanisms do result in credentials being passed from a caller to a server, but in many cases the mechanism actually only receives a response to a challenge.

The description also covers the case where a match is not found, but I don't see a mention of situations where a response is valid but the client just needs to resubmit based on a new challenge.
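The distinction raised above, as an added example that is not part of the original post: a minimal nonce-based challenge-response mechanism in which the server never receives the credential itself, only a response to its challenge, and whose outcomes include "valid response, resubmit against a fresh challenge" alongside success and failure. The `Status`, `Mechanism` and `STORE` names, the HMAC construction and the 30-second nonce lifetime are all assumptions made for this illustration.

```python
import hmac, hashlib, secrets, time
from enum import Enum

class Status(Enum):
    SUCCESS = "success"    # identity established
    FAILURE = "failure"    # response did not match any known identity
    CONTINUE = "continue"  # valid response, but re-run against a new challenge

NONCE_TTL = 30.0  # seconds a challenge stays acceptable (assumed value)

# Constructed identity store: the server holds only a derived key per user,
# never the password, and only ever sees responses to its own challenges.
STORE = {"alice": hashlib.sha256(b"alice:correct horse").digest()}

class Mechanism:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.issued = {}  # nonce -> time it was issued

    def challenge(self):
        """Issue a fresh single-use challenge (the nonce) to the caller."""
        nonce = secrets.token_hex(16)
        self.issued[nonce] = self.clock()
        return nonce

    def validate(self, user, nonce, response):
        """Returns (Status, new_challenge_or_None)."""
        key = STORE.get(user)
        issued_at = self.issued.pop(nonce, None)  # each nonce is accepted once
        if key is None or issued_at is None:
            return Status.FAILURE, None
        expected = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response):
            return Status.FAILURE, None
        if self.clock() - issued_at > NONCE_TTL:
            # Correct response, but to a challenge the server no longer
            # accepts: not a failure, the caller must resubmit against
            # the fresh challenge returned here.
            return Status.CONTINUE, self.challenge()
        return Status.SUCCESS, None

def client_response(user, password, nonce):
    """Caller side: derive the key and answer the challenge; the password
    itself is never sent to the server."""
    key = hashlib.sha256(f"{user}:{password}".encode()).digest()
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
```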

