Re: [apps-discuss] [http-state] HTTP MAC Authentication Scheme
"Paul E. Jones" <paulej@packetizer.com> Thu, 09 June 2011 05:13 UTC
Return-Path: <paulej@packetizer.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAB0B11E80A1; Wed, 8 Jun 2011 22:13:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.599
X-Spam-Level:
X-Spam-Status: No, score=-4.599 tagged_above=-999 required=5 tests=[AWL=-2.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aWNlOPCX6C02; Wed, 8 Jun 2011 22:13:21 -0700 (PDT)
Received: from dublin.packetizer.com (dublin.packetizer.com [75.101.130.125]) by ietfa.amsl.com (Postfix) with ESMTP id B1AE411E808D; Wed, 8 Jun 2011 22:13:20 -0700 (PDT)
Received: from sydney (rrcs-98-101-155-83.midsouth.biz.rr.com [98.101.155.83]) (authenticated bits=0) by dublin.packetizer.com (8.14.4/8.14.4) with ESMTP id p595DCHV024090 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Thu, 9 Jun 2011 01:13:17 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=packetizer.com; s=dublin; t=1307596397; bh=slx2jdY6CfKAWo//nDtH0XhGc+XjcXkUrBdSyGAS4t4=; h=From:To:Cc:References:In-Reply-To:Subject:Date:Message-ID: MIME-Version:Content-Type:Content-Transfer-Encoding; b=LoFlQNxAfimVGF8/HQnsk92vMbGZdUSpuvjny1jNF8leCFTPBBMcoWbcoStQ7Pnf/ 5ZMMjdWHiCzeCHWWe8FbwAxbpMbWpNZyVAm1cO/urIT0UyikmqhmvBDJNuHSvBlqjH +osK1DrzqWwkUq7zHsQ4FRd1R+HN6lyhmjIW0RXY=
From: "Paul E. Jones" <paulej@packetizer.com>
To: 'Tim' <tim-projects@sentinelchicken.org>
References: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <BANLkTikpQNyQdr9oWHhtJ7a7d-4ri0CNdA@mail.gmail.com> <09c801cc24c2$a05bae00$e1130a00$@packetizer.com> <BANLkTin30NVzYVV1m4gmyh42DWs-nSQpAg@mail.gmail.com> <00f101cc255e$2d426020$87c72060$@packetizer.com> <BANLkTimn8c72p5bjwHNapW9kVCVBmNbC4w@mail.gmail.com> <015801cc25ab$063a2150$12ae63f0$@packetizer.com> <20110608153225.GL1565@sentinelchicken.org>
In-Reply-To: <20110608153225.GL1565@sentinelchicken.org>
Date: Thu, 09 Jun 2011 01:13:04 -0400
Message-ID: <02d101cc2663$eceb6790$c6c236b0$@packetizer.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQFyB4gcQBia34uJQdRCExMgck4H0AKYdFzaAoZRr8EBlD5mpAL1HuqcAjoReDABal05/QFg30tslPNKqlA=
Content-Language: en-us
Cc: apps-discuss@ietf.org, http-state@ietf.org, 'HTTP Working Group' <ietf-http-wg@w3.org>, 'OAuth WG' <oauth@ietf.org>
Subject: Re: [apps-discuss] [http-state] HTTP MAC Authentication Scheme
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jun 2011 05:13:21 -0000
Tim, > Hi Paul, > > > That's the reason for the MAC. Once we can ensure the integrity of > > the message exchange, then the existing cookie mechanism can provide > > us with the secure state management capability we need. > > Maybe I'm missing something in the MAC authentication draft, but I don't > see how it provides integrity for the "exchange". In particular, the > body of request messages may be optionally hashed to protect their > integrity, but no such facility seems to be provided for responses from > the server. In many modern web applications, this could be trivially > exploited by an attacker to inject malicious script into a server > response. You are referring to draft-salgueiro-secure-state-management-04? In that document, Section 6 covers responses from the server. The server may hash any part of the message it wishes, including the body and selected header. It's possible to also have an empty body and including that in the hash will ensure that no body is inserted where one shouldn't have been. > HTTP Digest authentication provides an option (auth-int) for integrity > protection of both requests and responses and for every request/response > after the initial authentication. In fact if servers change nonces each > time, reuse of hashes becomes difficult. Some level of mutual > authentication is also provided and the opaque string can be used to > pass arbitrary extra data between clients and servers. > IIRC, this value can be passed *cross domain* based on a defined white > list. > > At risk of repeating myself: Why not just adapt HTTP Digest for OAuth? > That is not just rhetorical, it is a genuine question. What is HTTP > Digest missing that you need? We've not looked at HTTP Digest and we were not targeting OAuth with our document. Just so that I'm looking at the right "HTTP Digest" text, can you tell me the document name? I found several when I did a search. Paul
- [apps-discuss] HTTP MAC Authentication Scheme Eran Hammer-Lahav
- Re: [apps-discuss] [saag] Fwd: HTTP MAC Authentic… Nico Williams
- Re: [apps-discuss] [saag] Fwd: HTTP MAC Authentic… Eran Hammer-Lahav
- Re: [apps-discuss] HTTP MAC Authentication Scheme Chris Bentzel
- Re: [apps-discuss] HTTP MAC Authentication Scheme Eran Hammer-Lahav
- Re: [apps-discuss] HTTP MAC Authentication Scheme Chris Bentzel
- Re: [apps-discuss] [saag] Fwd: HTTP MAC Authentic… Nico Williams
- Re: [apps-discuss] [saag] Fwd: HTTP MAC Authentic… Eran Hammer-Lahav
- Re: [apps-discuss] [saag] Fwd: HTTP MAC Authentic… Nico Williams
- Re: [apps-discuss] HTTP MAC Authentication Scheme Nico Williams
- Re: [apps-discuss] HTTP MAC Authentication Scheme Eran Hammer-Lahav
- Re: [apps-discuss] HTTP MAC Authentication Scheme Nico Williams
- Re: [apps-discuss] HTTP MAC Authentication Scheme Mark Nottingham
- Re: [apps-discuss] HTTP MAC Authentication Scheme Stephen Farrell
- Re: [apps-discuss] HTTP MAC Authentication Scheme Eran Hammer-Lahav
- Re: [apps-discuss] HTTP MAC Authentication Scheme Mark Nottingham
- Re: [apps-discuss] HTTP MAC Authentication Scheme Adam Barth
- Re: [apps-discuss] HTTP MAC Authentication Scheme Eran Hammer-Lahav
- Re: [apps-discuss] HTTP MAC Authentication Scheme Dzonatas Sol
- Re: [apps-discuss] HTTP MAC Authentication Scheme Dave CROCKER
- Re: [apps-discuss] [http-state] HTTP MAC Authenti… Adam Barth
- Re: [apps-discuss] HTTP MAC Authentication Scheme Mark Nottingham
- Re: [apps-discuss] HTTP MAC Authentication Scheme Stephen Farrell
- Re: [apps-discuss] [http-state] HTTP MAC Authenti… Paul E. Jones
- Re: [apps-discuss] [http-state] HTTP MAC Authenti… Nico Williams
- Re: [apps-discuss] [http-state] HTTP MAC Authenti… Nico Williams
- Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP M… Nico Williams
- Re: [apps-discuss] [http-state] HTTP MAC Authenti… Adam Barth
- Re: [apps-discuss] [http-state] HTTP MAC Authenti… Paul E. Jones
- Re: [apps-discuss] [http-state] HTTP MAC Authenti… Nico Williams
- Re: [apps-discuss] [http-state] HTTP MAC Authenti… Nico Williams
- Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP M… Nico Williams
- Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP M… Nico Williams
- Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP M… Nico Williams
- Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP M… Nico Williams
- Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP M… Nico Williams
- Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP M… Mark Nottingham
- Re: [apps-discuss] [http-state] HTTP MAC Authenti… Paul E. Jones
- Re: [apps-discuss] [http-state] HTTP MAC Authenti… Nico Williams
- Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP M… William J. Mills
- Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP M… Tim
- Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP M… Randy Fischer
- Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP M… Igor Faynberg
- Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP M… William J. Mills
- Re: [apps-discuss] [http-state] HTTP MAC Authenti… Tim
- Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP M… Dzonatas Sol
- Re: [apps-discuss] [http-state] HTTP MAC Authenti… Eran Hammer-Lahav
- Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP M… Breno de Medeiros
- Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP M… Nico Williams
- Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP M… Bjartur Thorlacius
- Re: [apps-discuss] [http-state] HTTP MAC Authenti… Paul E. Jones
- Re: [apps-discuss] [http-state] HTTP MAC Authenti… Paul E. Jones
- Re: [apps-discuss] [http-state] HTTP MAC Authenti… Tim
- Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP M… Tim
- Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP M… Robert Sayre
- Re: [apps-discuss] [http-state] HTTP MAC Authenti… Nico Williams
- Re: [apps-discuss] [http-state] HTTP MAC Authenti… Paul E. Jones
- Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP M… Eran Hammer-Lahav
- Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP M… Tim
- Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP M… Bjartur Thorlacius