Re: [apps-discuss] [http-state] HTTP MAC Authentication Scheme

Nico Williams <nico@cryptonector.com> Fri, 10 June 2011 17:36 UTC

In-Reply-To: <02c401cc2662$9a21d220$ce657660$@packetizer.com>
References: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <BANLkTikpQNyQdr9oWHhtJ7a7d-4ri0CNdA@mail.gmail.com> <09c801cc24c2$a05bae00$e1130a00$@packetizer.com> <BANLkTin30NVzYVV1m4gmyh42DWs-nSQpAg@mail.gmail.com> <00f101cc255e$2d426020$87c72060$@packetizer.com> <BANLkTimn8c72p5bjwHNapW9kVCVBmNbC4w@mail.gmail.com> <015801cc25ab$063a2150$12ae63f0$@packetizer.com> <BANLkTimsKgozsADnA1+yccvKmg1Pa2mPng@mail.gmail.com> <02c401cc2662$9a21d220$ce657660$@packetizer.com>
Date: Fri, 10 Jun 2011 12:36:30 -0500
Message-ID: <BANLkTikFrwtysWtqqndX4eO33OSaik=Gkg@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: "Paul E. Jones" <paulej@packetizer.com>
Cc: Ben Adida <ben@adida.net>, Adam Barth <adam@adambarth.com>, OAuth WG <oauth@ietf.org>, apps-discuss@ietf.org
Subject: Re: [apps-discuss] [http-state] HTTP MAC Authentication Scheme

[Dropped a few lists.]

On Thu, Jun 9, 2011 at 12:03 AM, Paul E. Jones <paulej@packetizer.com> wrote:
> What issues, specifically.  (Messages are all over the place and I don’t
> know exactly what issues you’re raising.  Is it with the approach we’re
> proposing or something else?)

The fundamental issue is that protecting the cookie alone is not
enough.  On open wifi networks it's a fair assumption that the
difficulty of active attacks is about the same as the difficulty of
passive attacks.  Therefore you need to provide integrity protection
for most of the request and most of the response, including the
bodies.

Nico
--