On Wed, Nov 04, 2009 at 01:01:53AM +0100, Martin Rex wrote:
> Nicolas Williams wrote:
> > Why is that a problem? The request will have named a document, but if
> > you're using confidentiality protection then so what? The client knows
> > the document name, and so does the server. Authorization _correctly_
> > happens when the access request is made. That the necessary user
> > authentication step is delayed until authorization is needed doesn't
> > strike me as a problem -- it's a feature.
>
> You are barking up the wrong tree.
>
> The flaw in Microsoft IIS is that its server-side session cache is
> somehow broken. Once it has forced the client through a renegotiate,
> it should memorize what the client sent as response to the
> CertificateRequest message (either a client cert or the indication
> that it doesn't have one or doesn't want to send one).

Ah, sure, that sounds like a bug.

Nico
--
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.