Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP MAC Authentication Scheme

Nico Williams <nico@cryptonector.com> Tue, 07 June 2011 21:20 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D028B11E8132; Tue, 7 Jun 2011 14:20:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MpY2U1+oFk6J; Tue, 7 Jun 2011 14:20:52 -0700 (PDT)
Received: from homiemail-a66.g.dreamhost.com (caiajhbdcahe.dreamhost.com [208.97.132.74]) by ietfa.amsl.com (Postfix) with ESMTP id 0AC5B11E80C2; Tue, 7 Jun 2011 14:20:52 -0700 (PDT)
Received: from homiemail-a66.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a66.g.dreamhost.com (Postfix) with ESMTP id CDA31350079; Tue, 7 Jun 2011 14:20:51 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=cryptonector.com; h=mime-version :in-reply-to:references:date:message-id:subject:from:to:cc :content-type:content-transfer-encoding; q=dns; s= cryptonector.com; b=SmrAffH1meiUfZiFx2JEFJ0JBF/RqGmcy9QTOcXaAx+F diHmCBIzbZIEwJxyy7x4dhCeBeZQr6cxqK81vF2Wgc371fCrinRgZcs3czX9CgMS OSTlwDjWJwKIJJdAmVrA8sj2aO9M9Rg9jpd2QJ6KdR24kcooghv0dcOliel1N3o=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type:content-transfer-encoding; s= cryptonector.com; bh=pp0EJ7zweYfXbLyZMx7md3xj7dY=; b=P00JbqVkyva YR9fZCAehX084AC2Lun5zPrYa1Z0bzM+d98VK406tD5u5LDkEKYlzQMLhhOrfjTW 0n0ENVRi107M1BC12432wSal8+XmOVqfRoItFAWlGOh+CxHAbE2EHj1VDdDBB8l7 sUQRPgr62rElGtPZo8ju8y8x68gI+/Fk=
Received: from mail-pv0-f172.google.com (mail-pv0-f172.google.com [74.125.83.172]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a66.g.dreamhost.com (Postfix) with ESMTPSA id 9C967350078; Tue, 7 Jun 2011 14:20:51 -0700 (PDT)
Received: by pvh18 with SMTP id 18so1199081pvh.31 for <multiple recipients>; Tue, 07 Jun 2011 14:20:51 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.14.103 with SMTP id o7mr434791pbc.523.1307481651289; Tue, 07 Jun 2011 14:20:51 -0700 (PDT)
Received: by 10.68.50.39 with HTTP; Tue, 7 Jun 2011 14:20:51 -0700 (PDT)
In-Reply-To: <4DEE70E6.90602@alcatel-lucent.com>
References: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <BANLkTikpQNyQdr9oWHhtJ7a7d-4ri0CNdA@mail.gmail.com> <09c801cc24c2$a05bae00$e1130a00$@packetizer.com> <BANLkTin30NVzYVV1m4gmyh42DWs-nSQpAg@mail.gmail.com> <BANLkTimNNwqs2VKM67V9NcBUV1ztvrqe3Q@mail.gmail.com> <4DEE70E6.90602@alcatel-lucent.com>
Date: Tue, 7 Jun 2011 16:20:51 -0500
Message-ID: <BANLkTikDj_0mg4Ov-3u5JeK7hFLY1WYg9Q@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: igor.faynberg@alcatel-lucent.com
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: apps-discuss@ietf.org, Ben Adida <ben@adida.net>, http-state@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>, OAuth WG <oauth@ietf.org>
Subject: Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP MAC Authentication Scheme
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jun 2011 21:20:54 -0000

On Tue, Jun 7, 2011 at 1:41 PM, Igor Faynberg
<igor.faynberg@alcatel-lucent.com> wrote:
> Adam Barth wrote:
>> Sorry.  We can't address active attackers using this mechanism.  If
>> you need protection from active attackers, please use TLS.
>
> Actually, IPsec will work here (with WiFi networks) just as well.  It is

Not really.  See RFCs 5660, 5386, and 5387.  If only RFC5660 were
widely implemented... but it's not.

> also true that we COULD develop both the authentication and confidentiality
> mechanisms that would offer protection from both active and passive
> attackers; it is just that we CHOSE (in opinion, correctly) not to do that
> because other Internet protocols already do that.

And rightly so.  As we've learned from SASL, having an option for
security layers (the "SL" in SASL) at multiple network layers only
adds unnecessary complications.

Nico
--