OK, I know it's still in draft, and my understanding may be faulty but... Isn't it currently possible to reassociate a session with a different username/password? Wouldn't this approach break this capability? Feel free to tell me if I'm totally out to lunch... Jason