Re: [apps-discuss] [http-state] HTTP MAC Authentication Scheme

"Paul E. Jones" <> Tue, 07 June 2011 03:26 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AA22E11E8151; Mon, 6 Jun 2011 20:26:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id yonClR2e1Ev9; Mon, 6 Jun 2011 20:26:12 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 7789B11E8097; Mon, 6 Jun 2011 20:26:12 -0700 (PDT)
Received: from sydney ( []) (authenticated bits=0) by (8.14.4/8.14.4) with ESMTP id p573Pw77008885 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Mon, 6 Jun 2011 23:26:04 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=dublin; t=1307417165; bh=jV52Ps4tuBilrdVoLwOntDyoyy8VqHJU8rKf8rGCbhs=; h=From:To:Cc:References:In-Reply-To:Subject:Date:Message-ID: MIME-Version:Content-Type:Content-Transfer-Encoding; b=iATpPDFOH+ap5GbsUPzczIe3OKiBpEFzoUQ0R55MRLW6YA2f9Y7ftYn8G+am2rJqH pbRBfmWKJ77UkCpKQNM+DkyIIoUSrbPLyNSX7O4MiYKGUbWa85U+rGdIZ3r3+ZIkjX nQ9/X4zvoTeTBgVFsYs1EKfbc5UxRyDmLVaRRsQE=
From: "Paul E. Jones" <>
To: "'Nico Williams'" <>, "'Eran Hammer-Lahav'" <>
References: <AcwOfmxmPIi74XcpSTyynQcwm/I2bw==> <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <>
In-Reply-To: <>
Date: Mon, 6 Jun 2011 23:25:54 -0400
Message-ID: <09c801cc24c2$a05bae00$e1130a00$>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJuZniGB/7VI7fQeF44Yd3wW4or/QFyB4gcAph0XNqTTGN1IA==
Content-Language: en-us
Cc:, 'Ben Adida' <>, 'Adam Barth' <>,, 'HTTP Working Group' <>, 'OAuth WG' <>
Subject: Re: [apps-discuss] [http-state] HTTP MAC Authentication Scheme
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 07 Jun 2011 03:26:13 -0000


Sorry for coming into this so late, but I just saw this message.

I don't have all of the background, but when I saw this message header and
some of the dialog, it seems there is a desire to provide some level of
authentication to requests and/or responses between the clients and servers.

Gonzalo and I worked on this:

This may not be entirely complete, but the idea was to allow a client and
server to establish an association so that requests and responses could be
authenticated.  Is this something along the lines of what you are
discussing, or is this an entirely different application?


> -----Original Message-----
> From: []
> On Behalf Of Nico Williams
> Sent: Friday, May 20, 2011 4:25 PM
> To: Eran Hammer-Lahav
> Cc:; Ben Adida; Adam Barth (;
>; HTTP Working Group; OAuth WG
> Subject: Re: [http-state] [apps-discuss] HTTP MAC Authentication Scheme
> Additional comments:
>  - Using nonces for replay protection is heavy-duty.  It is difficult to
> implement a reliable, secure, high-performance replay cache.  (It is
> easy to implement just a high-performance replay cache: use
> memcache.)
>    I recommend an option to use sequence numbers at the server's choice,
> understanding, of course, that requests will not be received in
> sequence.  The use of a sliding sequence number window makes it possible
> to do at least as well as when using nonce, and probably faster while
> still being secure.
>  - In an open wifi environment active attacks may not be very difficult,
> thus an option to secure more than just a handful of bits from the
> request, would be nice (all of the request and all of the response,
> say).  The hard part is how to decide when to use one or the other.
> Ideally browsers can request more protection when the network is
> reconfigured such that there's one or more clear wifi interfaces.
> Nico
> --
> _______________________________________________
> http-state mailing list