Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP MAC Authentication Scheme

Dzonatas Sol <dzonatas@gmail.com> Wed, 08 June 2011 16:00 UTC

Return-Path: <dzonatas@gmail.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5A91228010 for <apps-discuss@ietfa.amsl.com>; Wed, 8 Jun 2011 09:00:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.932
X-Spam-Level:
X-Spam-Status: No, score=-5.932 tagged_above=-999 required=5 tests=[AWL=-2.333, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YswIOuUkSal1 for <apps-discuss@ietfa.amsl.com>; Wed, 8 Jun 2011 09:00:06 -0700 (PDT)
Received: from mail-pw0-f44.google.com (mail-pw0-f44.google.com [209.85.160.44]) by ietfa.amsl.com (Postfix) with ESMTP id 6D83D11E8142 for <apps-discuss@ietf.org>; Wed, 8 Jun 2011 09:00:06 -0700 (PDT)
Received: by pwi5 with SMTP id 5so346758pwi.31 for <apps-discuss@ietf.org>; Wed, 08 Jun 2011 09:00:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=QgmZULgfsgtXWSAPm9ZK5R8N7oajwHr+8LQeJDWJ6HY=; b=FlHcYE09h47dPw6/K1pkeyPhTwKcZiCYowWGrD6l7bZ30VaYG+IUo6bH0B5T0IDeIe 9JH8q+D6TZ9FpHO/x38iU0cFYV3uA683xwKyIIaG6LpeqExO9lHfYZAGyq8iq1W1k+He Lwz3IhrcebweTL0Q6dCOA2j8dPSh5Ssqdgl2U=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; b=q4TFbfb9/3sMaLEnaXSI5/BcGlSNCZYOu2t0xsBR2NatcDr6MGcm8162KktxavKVFc Ir4PqSQaZ11H4S+sSETCrgSo5XguPNIJWnrqd2aLgffHzH7fY3axp9DAtye5MUaTsGcb /kOdZ5L77oqiFaURELOfqAw9+qNIPuKk2QBuo=
Received: by 10.68.24.65 with SMTP id s1mr921433pbf.35.1307548806125; Wed, 08 Jun 2011 09:00:06 -0700 (PDT)
Received: from [192.168.0.50] ([70.133.70.225]) by mx.google.com with ESMTPS id k4sm605073pbl.75.2011.06.08.09.00.04 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 08 Jun 2011 09:00:05 -0700 (PDT)
Message-ID: <4DEF9C53.4060306@gmail.com>
Date: Wed, 08 Jun 2011 08:59:15 -0700
From: Dzonatas Sol <dzonatas@gmail.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.16) Gecko/20110505 Icedove/3.0.11
MIME-Version: 1.0
To: apps-discuss@ietf.org
References: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <BANLkTikpQNyQdr9oWHhtJ7a7d-4ri0CNdA@mail.gmail.com> <09c801cc24c2$a05bae00$e1130a00$@packetizer.com> <BANLkTin30NVzYVV1m4gmyh42DWs-nSQpAg@mail.gmail.com> <00f101cc255e$2d426020$87c72060$@packetizer.com> <BANLkTimn8c72p5bjwHNapW9kVCVBmNbC4w@mail.gmail.com> <1307486600.48324.YahooMailNeo@web31808.mail.mud.yahoo.com> <BANLkTi==5LjD7vW74tqB_sbSHrLjsJE6+A@mail.gmail.com> <4DEEAD76.2090800@adida.net> <BANLkTik7LyPWssAb0EBmx11hK53hiwgmrA@mail.gmail.com> <20110607234131.GI1565@sentinelchicken.org> <1307500800.70339.YahooMailNeo@web31810.mail.mud.yahoo.com>
In-Reply-To: <1307500800.70339.YahooMailNeo@web31810.mail.mud.yahoo.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP MAC Authentication Scheme
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jun 2011 16:00:08 -0000

On 06/07/2011 07:40 PM, William J. Mills wrote:
> It is far more difficult (impossible?) to implement decent security 
> with cookies over HTTP.
>

Especially when any addition of security cookies may cause HTTP status 
code 203, and even more so in idempotent expectations.

Possible workaround if MAC or GSS can be encapsulated/transformed into 
S/MIME multipart/mixed streams, which is where I think the cookies 
should move into and leave the origin header alone.

-- 
--- https://twitter.com/Dzonatas_Sol ---
Web Development, Software Engineering, Virtual Reality, Consultant
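The thread's underlying point, that a cookie sent over plain HTTP is a bearer value anyone who captures it can replay, is what the HTTP MAC scheme is meant to address: the Authorization header carries a MAC over the timestamp, nonce, method, URI, host and port, so a captured header is bound to one request. The following is an added example, not code from the thread or from the draft's authors; it follows the normalized-request-string layout of draft-ietf-oauth-v2-http-mac-00 as I recall it (an assumption; later drafts changed the layout), and the credential identifier, key, URL and clock value are constructed for the demo.

```python
"""HTTP MAC authentication versus a bearer cookie: a captured MAC header
cannot simply be replayed.  Added example; assumes the -00 draft's
normalized request string layout (ts, nonce, method, URI, host, port, ext)."""
import base64
import hashlib
import hmac
import os
import re
import time
from urllib.parse import urlsplit

# Constructed sample credential (not from the thread): identifier -> shared key.
CREDENTIALS = {"h480djs93hd8": "489dks293j39"}


def normalized_request_string(ts, nonce, method, url, ext=""):
    """Build the normalized request string: each field followed by a newline,
    including the last one (ext), which may be empty."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    request_uri = u.path or "/"
    if u.query:
        request_uri += "?" + u.query
    fields = [str(ts), nonce, method.upper(), request_uri,
              u.hostname.lower(), str(port), ext]
    return "".join(f + "\n" for f in fields)


def compute_mac(key, norm, algorithm="hmac-sha-256"):
    """HMAC over the normalized string, base64-encoded."""
    digestmod = hashlib.sha256 if algorithm == "hmac-sha-256" else hashlib.sha1
    digest = hmac.new(key.encode(), norm.encode(), digestmod).digest()
    return base64.b64encode(digest).decode()


def build_authorization(mac_id, key, method, url, ts=None, nonce=None, ext=""):
    """Client side: produce the Authorization header value for one request."""
    ts = int(time.time()) if ts is None else ts
    nonce = nonce or base64.urlsafe_b64encode(os.urandom(8)).decode().rstrip("=")
    mac = compute_mac(key, normalized_request_string(ts, nonce, method, url, ext))
    parts = [f'id="{mac_id}"', f'ts="{ts}"', f'nonce="{nonce}"']
    if ext:
        parts.append(f'ext="{ext}"')
    parts.append(f'mac="{mac}"')
    return "MAC " + ", ".join(parts)


class MacVerifier:
    """Server side: recompute the MAC over the request actually received,
    reject stale timestamps, and remember (id, ts, nonce) so a captured
    header is single-use."""

    def __init__(self, credentials, window=300):
        self.credentials = credentials
        self.window = window          # accepted clock skew in seconds
        self.seen = set()             # replay cache of (id, ts, nonce)

    def verify(self, header, method, url, now):
        if not header.startswith("MAC "):
            return False, "not a MAC header"
        attrs = dict(re.findall(r'(\w+)="([^"]*)"', header[4:]))
        key = self.credentials.get(attrs.get("id"))
        if key is None:
            return False, "unknown id"
        try:
            ts = int(attrs["ts"])
        except (KeyError, ValueError):
            return False, "bad ts"
        if abs(now - ts) > self.window:
            return False, "stale timestamp"
        nonce = attrs.get("nonce", "")
        expected = compute_mac(key, normalized_request_string(
            ts, nonce, method, url, attrs.get("ext", "")))
        if not hmac.compare_digest(expected, attrs.get("mac", "")):
            return False, "mac mismatch"   # header was bound to another request
        replay_key = (attrs["id"], ts, nonce)
        if replay_key in self.seen:
            return False, "nonce replay"   # same request presented twice
        self.seen.add(replay_key)
        return True, "ok"


def replay_demo():
    """Capture one signed GET and reuse it the way a stolen cookie would be:
    the same request again, a different method on the same URI, and the
    same request an hour later.  Returns the verifier's reason strings."""
    now = 1307548800  # fixed clock so the demo is reproducible
    url = "http://example.com/resource/1?b=1&a=2"
    header = build_authorization("h480djs93hd8", CREDENTIALS["h480djs93hd8"],
                                 "GET", url, ts=now, nonce="j4h3g2")
    v = MacVerifier(CREDENTIALS)
    first = v.verify(header, "GET", url, now)[1]
    again = v.verify(header, "GET", url, now + 1)[1]
    other = MacVerifier(CREDENTIALS).verify(header, "DELETE", url, now + 1)[1]
    later = MacVerifier(CREDENTIALS).verify(header, "GET", url, now + 3600)[1]
    return first, again, other, later


if __name__ == "__main__":
    print(replay_demo())
```

A cookie-based check has nothing comparable to the three rejections above: the cookie value is the same on every request, so whoever observes it on the wire can present it for any method, any URI, and for as long as the session lives. The MAC header still leaks the identifier and nonce in the clear, and the scheme does nothing for confidentiality, which is why the thread keeps coming back to whether plain HTTP is acceptable at all.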