All your individual answers make sense. Taken together, tho, they make HTTP-NG worrisome on the crypto front. For example, it's probably a real bad idea to replace DES with something commonly called RC4. The former has been under public scrutiny for years, the later still has not formally emerged from the shroud of trade secret. The keyed MD5 responses also don't inspire confidence. With all due respect, I strongly encourage you to leave crypto out of HTTP-NG for the time being. Wait to see what happens from the various IPng security, SSL, S-HTTP, the W3C work, et cetera. Leave some "holes" in the protocol, but don't tie anything down now. For better for the Web to wait six to 12 months for HTTP-NG, then for mistakes to occur in this area. /r$