author | J. Ryan Stinnett <jryans@gmail.com> |
Mon, 26 Jan 2015 12:47:13 -0600 | |
changeset 225852 | a40e2eeacf5acc66ffa69ab0f01567b2cb1bf2a2 |
parent 225851 | 63a17819ae9411808096062cec4770b23c671ce7 |
child 225853 | 5a2adc1655638a8653d9e8e7e9488793ebe7cca6 |
push id | 28176 |
push user | ryanvm@gmail.com |
push date | Mon, 26 Jan 2015 21:48:45 +0000 |
treeherder | mozilla-central@38e4719e71af [default view] [failures only] |
reviewers | past |
bugs | 1103120 |
milestone | 38.0a1 |
first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
toolkit/devtools/security/auth.js | file | annotate | diff | comparison | revisions | |
toolkit/devtools/security/socket.js | file | annotate | diff | comparison | revisions |
--- a/toolkit/devtools/security/auth.js
+++ b/toolkit/devtools/security/auth.js
@@ -37,16 +37,21 @@ let AuthenticationResult = exports.Authe
 DISABLE_ALL: null,
 /**
 * Deny the current connection.
 */
 DENY: null,
 /**
+ * Additional data needs to be exchanged before a result can be determined.
+ */
+ PENDING: null,
+
+ /**
 * Allow the current connection.
 */
 ALLOW: null,
 /**
 * Allow the current connection, and persist this choice for future
 * connections from the same client. This requires a trustable mechanism to
 * identify the client in the future, such as the cert used during OOB_CERT.
@@ -131,27 +136,31 @@ Prompt.Server.prototype = {
 * {
 * client: {
 * host,
 * port
 * },
 * server: {
 * host,
 * port
- * }
+ * },
+ * transport
 * }
 * @return An AuthenticationResult value.
 * A promise that will be resolved to the above is also allowed.
 */
- authenticate(session) {
+ authenticate({ client, server }) {
 if (!Services.prefs.getBoolPref("devtools.debugger.prompt-connection")) {
 return AuthenticationResult.ALLOW;
 }
- session.authentication = this.mode;
- return this.allowConnection(session);
+ return this.allowConnection({
+ authentication: this.mode,
+ client,
+ server
+ });
 },
 /**
 * Prompt the user to accept or decline the incoming connection. The default
 * implementation is used unless this is overridden on a particular
 * authenticator instance.
 *
 * It is expected that the implementation of |allowConnection| will show a
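Review bot: The session comment above Prompt.Server's `authenticate` now lists `transport`, but the new signature `authenticate({ client, server })` drops it and the comment does not say what the field is or that this authenticator ignores it. A line such as `transport: the connection's transport, not yet authenticated (unused by Prompt)` would tell authors of other authenticators what they are being handed. The rebuilt object also means `allowConnection` now receives only `authentication`, `client` and `server` rather than the caller's own session object, which is worth stating since `allowConnection` is documented as overridable.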
@@ -268,24 +277,41 @@ OOBCert.Server.prototype = {
 * },
 * },
 * server: {
 * host,
 * port,
 * cert: {
 * sha256
 * }
- * }
+ * },
+ * transport
 * }
 * @return An AuthenticationResult value.
 * A promise that will be resolved to the above is also allowed.
 */
- authenticate(session) {
- session.authentication = this.mode;
- return this.allowConnection(session);
+ authenticate({ client, server, transport }) {
+ // Step B.3 / C.3
+ // TLS connection established, authentication begins
+ // TODO: Bug 1032128: Consult a list of persisted, approved clients
+ // Step B.4
+ // Server sees that ClientCert is from a unknown client
+ // Tell client they are unknown and should display OOB client UX
+ transport.send({
+ authResult: AuthenticationResult.PENDING
+ });
+
+ // Step B.5
+ // User is shown a Allow / Deny / Always Allow prompt on the Server
+ // with Client name and hash(ClientCert)
+ return this.allowConnection({
+ authentication: this.mode,
+ client,
+ server
+ });
 },
 /**
 * Prompt the user to accept or decline the incoming connection. The default
 * implementation is used unless this is overridden on a particular
 * authenticator instance.
 *
 * It is expected that the implementation of |allowConnection| will show a
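Review bot: `transport.send(...)` at the top of OOBCert's `authenticate` runs with no check that a transport was supplied, so a caller still passing the old `{ client, server }` shape gets a synchronous TypeError rather than the AuthenticationResult or promise the doc comment promises. Failing closed would keep the contract: `if (!transport) { return AuthenticationResult.DENY; }` before the send. The PENDING packet is also written to a peer that has completed TLS but has not been approved, so a comment that nothing beyond the `authResult` marker may be sent at this step would be useful. Nothing visible in this hunk reports the prompt's final result back over the transport; if that happens elsewhere, a pointer in the Step B.5 comment would help.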
--- a/toolkit/devtools/security/socket.js
+++ b/toolkit/devtools/security/socket.js
@@ -556,17 +556,18 @@ ServerSocketConnection.prototype = {
 }
 this._handshakeDeferred.resolve();
 },
 _authenticate: Task.async(function*() {
 let result = yield this._listener.authenticator.authenticate({
 client: this.client,
- server: this.server
+ server: this.server,
+ transport: this._transport
 });
 switch (result) {
 case AuthenticationResult.DISABLE_ALL:
 DebuggerServer.closeAllListeners();
 Services.prefs.setBoolPref("devtools.debugger.remote-enabled", false);
 return promise.reject(Cr.NS_ERROR_CONNECTION_REFUSED);
 case AuthenticationResult.DENY:
 return promise.reject(Cr.NS_ERROR_CONNECTION_REFUSED);
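Review bot: With `PENDING` added to AuthenticationResult, the `switch (result)` in `_authenticate` has to treat it, and any other unexpected value, as a refusal; only the DISABLE_ALL and DENY cases fall inside this hunk, so the remaining cases need checking. If there is no catch-all yet, `default: return promise.reject(Cr.NS_ERROR_CONNECTION_REFUSED);` keeps the decision fail-closed. Passing `this._transport` also gives every authenticator, including overridden ones, access to the connection before it is approved; a comment on that line saying the transport is unauthenticated at this point would make the constraint explicit.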