Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP MAC Authentication Scheme

Igor Faynberg <igor.faynberg@alcatel-lucent.com> Tue, 07 June 2011 18:41 UTC

Message-ID: <4DEE70E6.90602@alcatel-lucent.com>
Date: Tue, 07 Jun 2011 14:41:42 -0400
From: Igor Faynberg <igor.faynberg@alcatel-lucent.com>
Organization: Alcatel-Lucent
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
To: Adam Barth <ietf@adambarth.com>
References: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <BANLkTikpQNyQdr9oWHhtJ7a7d-4ri0CNdA@mail.gmail.com> <09c801cc24c2$a05bae00$e1130a00$@packetizer.com> <BANLkTin30NVzYVV1m4gmyh42DWs-nSQpAg@mail.gmail.com> <BANLkTimNNwqs2VKM67V9NcBUV1ztvrqe3Q@mail.gmail.com>
In-Reply-To: <BANLkTimNNwqs2VKM67V9NcBUV1ztvrqe3Q@mail.gmail.com>
Cc: apps-discuss@ietf.org, Ben Adida <ben@adida.net>, http-state@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>, OAuth WG <oauth@ietf.org>
Subject: Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP MAC Authentication Scheme

Adam Barth wrote:
> On Tue, Jun 7, 2011 at 10:35 AM, Nico Williams <nico@cryptonector.com> wrote:
>   
>> On Mon, Jun 6, 2011 at 10:25 PM, Paul E. Jones <paulej@packetizer.com> wrote:
>>     
>>> ...
>>>       
>> I'm completely on-board with session state[*].  My comments were
>> particularly in regards to threat models.  I believe that
>> eavesdroppers and active attackers both need to be considered,
>> particularly as we have so many open wifi networks.
>>     
>
> Sorry.  We can't address active attackers using this mechanism.  If
> you need protection from active attackers, please use TLS.
>   

Actually, IPsec will work here (with WiFi networks) just as well.  It is
also true that we COULD develop both the authentication and
confidentiality mechanisms that would offer protection from both active
and passive attackers; it is just that we CHOSE (in my opinion, correctly)
not to do that because other Internet protocols already do that.

Igor