Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP MAC Authentication Scheme

Nico Williams <nico@cryptonector.com> Tue, 07 June 2011 22:57 UTC

In-Reply-To: <1307486600.48324.YahooMailNeo@web31808.mail.mud.yahoo.com>
References: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <BANLkTikpQNyQdr9oWHhtJ7a7d-4ri0CNdA@mail.gmail.com> <09c801cc24c2$a05bae00$e1130a00$@packetizer.com> <BANLkTin30NVzYVV1m4gmyh42DWs-nSQpAg@mail.gmail.com> <00f101cc255e$2d426020$87c72060$@packetizer.com> <BANLkTimn8c72p5bjwHNapW9kVCVBmNbC4w@mail.gmail.com> <1307486600.48324.YahooMailNeo@web31808.mail.mud.yahoo.com>
Date: Tue, 7 Jun 2011 17:57:00 -0500
Message-ID: <BANLkTi==5LjD7vW74tqB_sbSHrLjsJE6+A@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: "William J. Mills" <wmills@yahoo-inc.com>
Content-Type: text/plain; charset=UTF-8
Cc: "apps-discuss@ietf.org" <apps-discuss@ietf.org>, Ben Adida <ben@adida.net>, Adam Barth <adam@adambarth.com>, "http-state@ietf.org" <http-state@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>, OAuth WG <oauth@ietf.org>
Subject: Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP MAC Authentication Scheme

On Tue, Jun 7, 2011 at 5:43 PM, William J. Mills <wmills@yahoo-inc.com> wrote:
> MAC adds security if the initial secret exchange is secure, and it provides
> a definition for signing payload as part of the request.

Not if the MAC doesn't protect enough of the request _and_ response to
prevent active attacks.  Unless you don't care about those attacks
(which some of you have indicated), in which case why bother with the
MAC at all?

Nico
--
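The point made above, that a MAC which covers too little of the request and response does not stop an active attacker, is illustrated below. This is an added example, not code from the thread or from the HTTP MAC draft: the normalized-string layout, the field names, the "weak" variant that leaves the body out, and the response MAC on the client side are all this example's own assumptions, and the key, request and response contents are constructed test data.

```python
"""Added example: a MAC that covers too little of the exchange is no defence
against an active attacker.  Loosely modeled on an HTTP MAC scheme, but the
field layout, names and the response MAC are this example's assumptions."""
import hashlib
import hmac
import secrets

# Constructed shared secret; the thread assumes the initial exchange was secure.
MAC_KEY = b"constructed-demo-key-not-a-real-secret"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def request_mac(key: bytes, nonce: str, method: str, uri: str, host: str,
                port: int, body_hash: str = "") -> str:
    # Normalized request string, one field per line (assumed layout).
    # When body_hash is "" the request body is simply not covered.
    normalized = "\n".join([nonce, method.upper(), uri, host.lower(),
                            str(port), body_hash, ""]) + "\n"
    return hmac.new(key, normalized.encode(), hashlib.sha256).hexdigest()


def sign_request(key: bytes, req: dict, cover_body: bool) -> dict:
    # Client side: weak variant omits the body hash, hardened variant includes it.
    nonce = secrets.token_hex(8)
    bh = sha256_hex(req["body"]) if cover_body else ""
    mac = request_mac(key, nonce, req["method"], req["uri"],
                      req["host"], req["port"], bh)
    return {"nonce": nonce, "bodyhash": bh, "mac": mac}


def verify_request(key: bytes, req: dict, auth: dict,
                   require_body_hash: bool) -> bool:
    # Server side: a server that does not insist on body coverage accepts
    # any body the attacker chooses, because the MAC never saw it.
    if require_body_hash:
        if not auth["bodyhash"] or not hmac.compare_digest(
                auth["bodyhash"], sha256_hex(req["body"])):
            return False
    expected = request_mac(key, auth["nonce"], req["method"], req["uri"],
                           req["host"], req["port"], auth["bodyhash"])
    return hmac.compare_digest(expected, auth["mac"])


def response_mac(key: bytes, nonce: str, status: int, body: bytes) -> str:
    # Assumed response MAC: binds status and body to the request nonce, so an
    # on-path attacker can neither alter nor replay a response.
    normalized = "\n".join([nonce, str(status), sha256_hex(body), ""]) + "\n"
    return hmac.new(key, normalized.encode(), hashlib.sha256).hexdigest()


def active_attack_outcomes() -> dict:
    # Constructed request and an on-path attacker's rewrite of its body.
    req = {"method": "POST", "uri": "/transfer", "host": "api.example.test",
           "port": 443, "body": b"amount=10&to=alice"}
    tampered = dict(req, body=b"amount=1000&to=mallory")

    # Weak: body not covered and server does not demand it.
    weak_auth = sign_request(MAC_KEY, req, cover_body=False)
    weak_accepts_tampered = verify_request(MAC_KEY, tampered, weak_auth,
                                           require_body_hash=False)

    # Hardened: body covered and the server insists on the body hash.
    strong_auth = sign_request(MAC_KEY, req, cover_body=True)
    strong_accepts_original = verify_request(MAC_KEY, req, strong_auth,
                                             require_body_hash=True)
    strong_accepts_tampered = verify_request(MAC_KEY, tampered, strong_auth,
                                             require_body_hash=True)

    # Response side: with no response MAC the client has nothing to check;
    # with one bound to the nonce, a forged or replayed body fails.
    genuine = response_mac(MAC_KEY, strong_auth["nonce"], 200, b"balance=990")
    forged = response_mac(MAC_KEY, strong_auth["nonce"], 200, b"balance=999999")
    client_accepts_forged = hmac.compare_digest(genuine, forged)

    return {"weak_accepts_tampered": weak_accepts_tampered,
            "strong_accepts_original": strong_accepts_original,
            "strong_accepts_tampered": strong_accepts_tampered,
            "client_accepts_forged": client_accepts_forged}


if __name__ == "__main__":
    for name, value in active_attack_outcomes().items():
        print(f"{name}: {value}")
```

The weak variant passes verification with a rewritten body, which is exactly the situation where the MAC buys nothing over a bearer token; covering the body and authenticating the response with the same nonce closes both holes, but only if the server refuses requests that omit the coverage.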