Re: [apps-discuss] [http-state] HTTP MAC Authentication Scheme

Adam Barth <ietf@adambarth.com> Tue, 07 June 2011 21:24 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 346F41F0C36; Tue, 7 Jun 2011 14:24:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.727
X-Spam-Level:
X-Spam-Status: No, score=-4.727 tagged_above=-999 required=5 tests=[AWL=-1.750, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vqAO8ic83vEo; Tue, 7 Jun 2011 14:24:43 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id 7BABC1F0657; Tue, 7 Jun 2011 14:24:43 -0700 (PDT)
Received: by iyn15 with SMTP id 15so6346666iyn.31 for <multiple recipients>; Tue, 07 Jun 2011 14:24:42 -0700 (PDT)
Received: by 10.42.1.82 with SMTP id 18mr11300549icf.274.1307481882488; Tue, 07 Jun 2011 14:24:42 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by mx.google.com with ESMTPS id w11sm2321212ibw.41.2011.06.07.14.24.41 (version=SSLv3 cipher=OTHER); Tue, 07 Jun 2011 14:24:41 -0700 (PDT)
Received: by iyn15 with SMTP id 15so6346595iyn.31 for <multiple recipients>; Tue, 07 Jun 2011 14:24:41 -0700 (PDT)
Received: by 10.42.177.4 with SMTP id bg4mr10324481icb.164.1307481881104; Tue, 07 Jun 2011 14:24:41 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.42.229.196 with HTTP; Tue, 7 Jun 2011 14:24:10 -0700 (PDT)
In-Reply-To: <BANLkTimB6F17OfC7J6jccDsd6Zv0T6tE3w@mail.gmail.com>
References: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <BANLkTikpQNyQdr9oWHhtJ7a7d-4ri0CNdA@mail.gmail.com> <09c801cc24c2$a05bae00$e1130a00$@packetizer.com> <BANLkTin30NVzYVV1m4gmyh42DWs-nSQpAg@mail.gmail.com> <BANLkTimNNwqs2VKM67V9NcBUV1ztvrqe3Q@mail.gmail.com> <BANLkTimB6F17OfC7J6jccDsd6Zv0T6tE3w@mail.gmail.com>
From: Adam Barth <ietf@adambarth.com>
Date: Tue, 7 Jun 2011 14:24:10 -0700
Message-ID: <BANLkTin7zQ2S_gO=dzrBd7Vn4i9AKuSe6A@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: apps-discuss@ietf.org, Ben Adida <ben@adida.net>, http-state@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>, OAuth WG <oauth@ietf.org>
Subject: Re: [apps-discuss] [http-state] HTTP MAC Authentication Scheme
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jun 2011 21:24:44 -0000

On Tue, Jun 7, 2011 at 2:17 PM, Nico Williams <nico@cryptonector.com> wrote:
> On Tue, Jun 7, 2011 at 1:30 PM, Adam Barth <ietf@adambarth.com> wrote:
>> On Tue, Jun 7, 2011 at 10:35 AM, Nico Williams <nico@cryptonector.com> wrote:
>>> I'm completely on-board with session state[*].  My comments were
>>> particularly in regards to threat models.  I believe that
>>> eavesdroppers and active attackers both need to be considered,
>>> particularly as we have so many open wifi networks.
>>
>> Sorry.  We can't address active attackers using this mechanism.  If
>> you need protection from active attackers, please use TLS.
>
> I've already said as much now several times.  However, I want channel
> binding to TLS too.

I'm not sure that's appropriate for this mechanism.  What problem does
channel binding solve?

Adam


>>> To me the simplest way to address the Internet threat model is to
>>> always use TLS (except, maybe, for images and such elements that have
>>> little or no security value, though one must be careful when making
>>> that determination) and to use channel binding.  See the I-D
>>> referenced below.
>>
>> Indeed.  This mechanism is for folks who cannot or will not deploy TLS.
>
> It has value outside TLS as well.  Particularly if you're using an
> authentication mechanism that can provide mutual authentication (which
> OAuth doesn't do today, but I hear there's work in progress to add
> mutual auth to it).  And then you realize that you might want to do
> something similar with other non-OAuth authentication methods, thus
> the urge to generalize.
>
> Nico
> --
>