= Resetting the Account =
The current stub just submits (newPassword, wrap(kB), resetToken). This will be replaced soon.
resetAccount() needs request confidentiality, since the arguments include the newly wrapped kB value and the new SRP verifier, both of which enable a brute-force attack against the password. HAWK provides request integrity. The response is a single "ok" or "fail", conveyed by the HTTP headers, so we do not require response confidentiality, and can live without response integrity.
The request data will contain kA, wrap(kB), a new (randomly-generated) SRP salt, and the new SRP verifier, all concatenated together. The first three pieces are fixed-length; the verifier is the variable-length remainder. We generate enough reqXORkey bytes to cover all four values.
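The following is an added illustration of the request encryption described above, not code from the PICL project: the four values are concatenated, a key stream of exactly that length is derived from the resetToken, and the payload is XORed with it; the server regenerates the same stream and splits the fixed-length fields off the front. The field sizes (32 bytes each), the choice of HKDF-SHA256 as the key-derivation function, and the info string are assumptions made for this example; the page does not specify them. Because a XOR key stream must never be reused, the resetToken it is derived from has to be single-use, and the ciphertext still needs HAWK (not shown here) for request integrity.

```python
import hmac
import hashlib

# Field sizes in bytes are an assumption for this example; the page only says that
# kA, wrap(kB) and the SRP salt are fixed-length and the verifier is not.
KA_LEN = 32
WRAPKB_LEN = 32
SRP_SALT_LEN = 32
FIXED_LEN = KA_LEN + WRAPKB_LEN + SRP_SALT_LEN

# Hypothetical context string; the real protocol's info label is not on the page.
REQ_XOR_INFO = b"example/resetAccount/reqXORkey"


def hkdf_sha256(ikm, info, length, salt=b""):
    """RFC 5869 HKDF with SHA-256 (assumed KDF; the page does not name one)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()  # extract step
    out, block, counter = b"", b"", 1
    while len(out) < length:  # expand step, one HMAC block at a time
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_req_xor_key(reset_token, length):
    """Derive exactly `length` bytes of reqXORkey from the single-use resetToken."""
    return hkdf_sha256(reset_token, REQ_XOR_INFO, length)


def xor_bytes(data, key):
    """XOR two equal-length byte strings; refuses to silently truncate."""
    if len(data) != len(key):
        raise ValueError("key stream must match payload length")
    return bytes(d ^ k for d, k in zip(data, key))


def encrypt_reset_request(reset_token, kA, wrapkB, srp_salt, srp_verifier):
    """Client side: concatenate kA || wrap(kB) || srpSalt || srpVerifier and XOR."""
    if len(kA) != KA_LEN or len(wrapkB) != WRAPKB_LEN or len(srp_salt) != SRP_SALT_LEN:
        raise ValueError("fixed-length field has the wrong size")
    plaintext = kA + wrapkB + srp_salt + srp_verifier
    # Generate as many key bytes as the whole payload needs, so the
    # variable-length verifier is covered as well as the fixed-length fields.
    return xor_bytes(plaintext, derive_req_xor_key(reset_token, len(plaintext)))


def decrypt_reset_request(reset_token, ciphertext):
    """Server side: regenerate the same key stream, then split the fields."""
    if len(ciphertext) < FIXED_LEN:
        raise ValueError("request too short to hold the fixed-length fields")
    plaintext = xor_bytes(ciphertext, derive_req_xor_key(reset_token, len(ciphertext)))
    return {
        "kA": plaintext[:KA_LEN],
        "wrapkB": plaintext[KA_LEN:KA_LEN + WRAPKB_LEN],
        "srpSalt": plaintext[KA_LEN + WRAPKB_LEN:FIXED_LEN],
        "srpVerifier": plaintext[FIXED_LEN:],  # variable-length remainder
    }


if __name__ == "__main__":
    # Constructed sample values, not real keys.
    token = bytes(range(32))
    ct = encrypt_reset_request(token, b"\x01" * 32, b"\x02" * 32, b"\x03" * 32, b"\x04" * 100)
    fields = decrypt_reset_request(token, ct)
    print(len(ct), fields["srpVerifier"] == b"\x04" * 100)
```

The server must check the length before slicing, otherwise a short request would yield empty or misaligned fields; anything beyond the three fixed-length fields is taken as the verifier.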
[[File:PICL-IdPAuth-resetAccount.png|Deriving the resetAccount Keys]]