Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP MAC Authentication Scheme

Mark Nottingham <mnot@mnot.net> Wed, 08 June 2011 03:26 UTC

Return-Path: <mnot@mnot.net>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDE9F11E807C; Tue, 7 Jun 2011 20:26:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U-6trkkkAyGs; Tue, 7 Jun 2011 20:26:19 -0700 (PDT)
Received: from mxout-08.mxes.net (mxout-08.mxes.net [216.86.168.183]) by ietfa.amsl.com (Postfix) with ESMTP id 720B211E8072; Tue, 7 Jun 2011 20:26:19 -0700 (PDT)
Received: from chancetrain-lm.mnot.net (unknown [203.122.208.196]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id DB368509D9; Tue, 7 Jun 2011 23:26:09 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <BANLkTinGkTF35e9RQKjnR8=osZcNw5-8BQ@mail.gmail.com>
Date: Wed, 8 Jun 2011 13:26:05 +1000
Content-Transfer-Encoding: quoted-printable
Message-Id: <3D7340ED-C6F5-464D-BD14-1A606B7D8228@mnot.net>
References: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <BANLkTikpQNyQdr9oWHhtJ7a7d-4ri0CNdA@mail.gmail.com> <09c801cc24c2$a05bae00$e1130a00$@packetizer.com> <BANLkTin30NVzYVV1m4gmyh42DWs-nSQpAg@mail.gmail.com> <00f101cc255e$2d426020$87c72060$@packetizer.com> <BANLkTimn8c72p5bjwHNapW9kVCVBmNbC4w@mail.gmail.com> <1307486600.48324.YahooMailNeo@web31808.mail.mud.yahoo.com> <BANLkTi==5LjD7vW74tqB_sbSHrLjsJE6+A@mail.gmail.com> <4DEEAD76.2090800@adida.net> <BANLkTik7LyPWssAb0EBmx11hK53hiwgmrA@mail.gmail.com> <20110607234131.GI1565@sentinelchicken.org> <1307500800.70339.YahooMailNeo@web31810.mail.mud.yahoo.com> <BANLkTinGkTF35e9RQKjnR8=osZcNw5-8BQ@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>, "William J. Mills" <wmills@yahoo-inc.com>, Tim <tim-projects@sentinelchicken.org>
X-Mailer: Apple Mail (2.1084)
Cc: HTTP Working Group <ietf-http-wg@w3.org>, OAuth WG <oauth@ietf.org>, "apps-discuss@ietf.org Discuss" <apps-discuss@ietf.org>, http-state@ietf.org
Subject: Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP MAC Authentication Scheme
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: "apps-discuss@ietf.org Discuss" <apps-discuss@ietf.org>
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jun 2011 03:26:21 -0000

This is an interesting discussion, but a bit much to cross-post to four different lists. 

I've set followups to apps-discuss (since it's the most general).

Cheers,


On 08/06/2011, at 1:17 PM, Nico Williams wrote:

> On Tue, Jun 7, 2011 at 9:40 PM, William J. Mills <wmills@yahoo-inc.com> wrote:
>> It is possible to implement decent security with MAC, it is also possible to
> 
> Not as specified.  See earlier posts regarding active attacks.
> 
>> screw it up.  It is far more difficult (impossible?) to implement decent
>> security with cookies over HTTP.
> 
> Assuming well-behaved browsers that understand the distinction between
> "secure" and non-secure cookies, and assuming that active attacks are
> often no more difficult than passive attacks, what does MAC without
> TLS add that cookies don't provide?
> 
> Nico
> --
> _______________________________________________
> apps-discuss mailing list
> apps-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/apps-discuss

--
Mark Nottingham   http://www.mnot.net/