Re: [apps-discuss] [http-state] HTTP MAC Authentication Scheme

Nico Williams <nico@cryptonector.com> Tue, 07 June 2011 22:33 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77D3811E8084; Tue, 7 Jun 2011 15:33:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.819
X-Spam-Level:
X-Spam-Status: No, score=-2.819 tagged_above=-999 required=5 tests=[AWL=-0.842, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q0EizRmivHBn; Tue, 7 Jun 2011 15:33:37 -0700 (PDT)
Received: from homiemail-a73.g.dreamhost.com (caiajhbdcbbj.dreamhost.com [208.97.132.119]) by ietfa.amsl.com (Postfix) with ESMTP id D807911E8072; Tue, 7 Jun 2011 15:33:35 -0700 (PDT)
Received: from homiemail-a73.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a73.g.dreamhost.com (Postfix) with ESMTP id 40D651F0083; Tue, 7 Jun 2011 15:33:35 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=cryptonector.com; h=mime-version :in-reply-to:references:date:message-id:subject:from:to:cc :content-type:content-transfer-encoding; q=dns; s= cryptonector.com; b=chqaBCti5o446gpVly0Tx8eDlUkn17K1DAKHIL0wHuqL dZMVrOsjyLl5fVlxZCdkomJzhW08U68aGQivwtqNfKlR9YJppHcZ8jVW2BbsNSXI utxv8ExFOfg+yk1DXj4C973r32EKtUBjIxNiojJ1fQZn0ZLqVojG81Am5rtTZak=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type:content-transfer-encoding; s= cryptonector.com; bh=CaY172oGfQ/cmxWYif9ddWcAy4o=; b=uMnpvd5CaRO 8jG5foIflgTxdmLsXn6vjvs8HTdPsV1CQ7XsT9OC5F0tT9PuS46Bh6BK/v7D+3zU uKYIaLEMGlgohibt223Ure61cuVVyFNsXIKl6aklmySb+WUJjICIPqjx5JFTveXN XgZjlFGlU3kS7Lh36qsaEpudgTcBblAY=
Received: from mail-pz0-f44.google.com (mail-pz0-f44.google.com [209.85.210.44]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a73.g.dreamhost.com (Postfix) with ESMTPSA id 032151F0081; Tue, 7 Jun 2011 15:33:34 -0700 (PDT)
Received: by pzk5 with SMTP id 5so3062072pzk.31 for <multiple recipients>; Tue, 07 Jun 2011 15:33:34 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.37.3 with SMTP id u3mr439492pbj.456.1307486014688; Tue, 07 Jun 2011 15:33:34 -0700 (PDT)
Received: by 10.68.50.39 with HTTP; Tue, 7 Jun 2011 15:33:34 -0700 (PDT)
In-Reply-To: <BANLkTin7zQ2S_gO=dzrBd7Vn4i9AKuSe6A@mail.gmail.com>
References: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <BANLkTikpQNyQdr9oWHhtJ7a7d-4ri0CNdA@mail.gmail.com> <09c801cc24c2$a05bae00$e1130a00$@packetizer.com> <BANLkTin30NVzYVV1m4gmyh42DWs-nSQpAg@mail.gmail.com> <BANLkTimNNwqs2VKM67V9NcBUV1ztvrqe3Q@mail.gmail.com> <BANLkTimB6F17OfC7J6jccDsd6Zv0T6tE3w@mail.gmail.com> <BANLkTin7zQ2S_gO=dzrBd7Vn4i9AKuSe6A@mail.gmail.com>
Date: Tue, 7 Jun 2011 17:33:34 -0500
Message-ID: <BANLkTin=cyoFoNnK0c+ss1OHFUjwcvbBsg@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Adam Barth <ietf@adambarth.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: apps-discuss@ietf.org, Ben Adida <ben@adida.net>, http-state@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>, OAuth WG <oauth@ietf.org>
Subject: Re: [apps-discuss] [http-state] HTTP MAC Authentication Scheme
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jun 2011 22:33:38 -0000

On Tue, Jun 7, 2011 at 4:24 PM, Adam Barth <ietf@adambarth.com> wrote:
> I'm not sure that's appropriate for this mechanism.  What problem does
> channel binding solve?

CB is not appropriate for OAuth today, no, because OAuth doesn't give
you mutual authentication, which means channel binding can't be done
either (well, not with any security guarantees).

You missed my point however: I don't really want to see a specific
purpose MAC here because I do believe it's generalizable, and if we
don't generalize it now we'll just have more special casing in code
later.  For a general MAC I'd want an option for CB (when TLS is used,
of course).

Nico
--