Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP MAC Authentication Scheme
Robert Sayre <sayrer@gmail.com> Thu, 09 June 2011 03:53 UTC
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234475E773C73@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <BANLkTikpQNyQdr9oWHhtJ7a7d-4ri0CNdA@mail.gmail.com> <09c801cc24c2$a05bae00$e1130a00$@packetizer.com> <BANLkTin30NVzYVV1m4gmyh42DWs-nSQpAg@mail.gmail.com> <00f101cc255e$2d426020$87c72060$@packetizer.com> <BANLkTimn8c72p5bjwHNapW9kVCVBmNbC4w@mail.gmail.com> <015801cc25ab$063a2150$12ae63f0$@packetizer.com> <20110608153225.GL1565@sentinelchicken.org> <90C41DD21FB7C64BB94121FBBC2E7234475E773C73@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Wed, 08 Jun 2011 20:53:10 -0700
Message-ID: <BANLkTi=Qg=q066rAHkhFrsHBb3Yu4hWYFA@mail.gmail.com>
From: Robert Sayre <sayrer@gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: Tim <tim-projects@sentinelchicken.org>, OAuth WG <oauth@ietf.org>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>
Subject: Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP MAC Authentication Scheme
On Wed, Jun 8, 2011 at 10:32 AM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
>> -----Original Message-----
>> From: Tim [mailto:tim-projects@sentinelchicken.org]
>> Sent: Wednesday, June 08, 2011 8:32 AM
>
>> At risk of repeating myself: Why not just adapt HTTP Digest for OAuth?
>> That is not just rhetorical, it is a genuine question. What is HTTP Digest
>> missing that you need?

Digest has a bunch of problems. See this document
http://tools.ietf.org/html/draft-ietf-httpbis-security-properties-05#section-2.2.2
for a short tour of them.

> The latest version of this draft:
>
> http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-00
>
> Includes a Design Constraints section which tries to explain this:
>
> Unlike the HTTP Digest authentication scheme, this mechanism does not
> require interacting with the server to prevent replay attacks.
> Instead, the client provides both a nonce and a timestamp, which the
> server can use to prevent replay attacks using a bounded amount of
> storage.

It's not obvious to me why the mechanism in the draft is better than a
server-generated nonce and/or opaque string, as found in Digest. The
mechanism in the draft can be bitten by clock skew problems, and having the
server send a nonce doesn't necessarily require an unbounded amount of
storage. I'm sorry if I've missed previous discussion on this issue, but
could someone explain?

> Also unlike Digest, this mechanism is not intended to
> protect the user's password itself because the client and server both
> have access to the key material in the clear. Instead, servers
> should issue a short-lived derivative credential for this mechanism
> during the initial TLS setup phase.

That makes sense. I'm having trouble reconciling the Design Constraints
section (1.1) with the section on Entropy of MAC Keys (7.5). How long are
these keys supposed to be around in practice?

Also, Adam wrote "this mechanism is for folks who cannot or will not deploy
TLS". How does that statement fit here?
- Rob
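The replay-protection trade-off argued over above (a client-supplied nonce plus timestamp, checked by the server against a cache whose size stays bounded, and the clock-skew rejections that come with it), as an added example in Python that is not part of the original message, the thread, or the draft. The normalized request string layout, the key id, the shared key and the skew window are constructed assumptions for illustration; draft-ietf-oauth-v2-http-mac-00 defines its own string format and header attributes.

```python
"""Server-side replay handling for a nonce+timestamp MAC scheme.

Illustrative code, not taken from draft-ietf-oauth-v2-http-mac-00. The
normalized request string below is a simplification whose field order is
assumed; the draft defines its own layout and attributes.
"""
import hashlib
import hmac
import os
import time
from collections import deque


def normalized_request(ts, nonce, method, uri, host, port):
    """Assumed layout: one element per line, each newline-terminated."""
    parts = [str(ts), nonce, method.upper(), uri, host.lower(), str(port)]
    return "".join(p + "\n" for p in parts)


def sign_request(key, ts, nonce, method, uri, host, port):
    """Client side: HMAC-SHA256 over the normalized request, hex-encoded."""
    msg = normalized_request(ts, nonce, method, uri, host, port).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def new_nonce():
    """Client-generated per-request nonce (random, so it never repeats)."""
    return os.urandom(8).hex()


class MacVerifier:
    """Server side: accept a request only if its MAC is valid, its timestamp
    is within +/- skew seconds of the server clock, and the (key id, ts,
    nonce) triple has not been seen before. Storage is bounded because any
    triple old enough to fail the timestamp check can be evicted."""

    def __init__(self, keys, skew=60):
        self.keys = keys        # key id -> shared key bytes
        self.skew = skew        # tolerated clock skew, seconds, each way
        self.seen = set()       # (kid, ts, nonce) accepted inside the window
        self.order = deque()    # (arrival time, triple) for eviction

    def _evict(self, now):
        # A triple accepted at arrival time a has ts >= a - skew, so it is
        # rejected by the timestamp check once now > a + 2*skew and can be
        # dropped: the cache holds at most 2*skew seconds of accepted requests.
        while self.order and self.order[0][0] < now - 2 * self.skew:
            _, triple = self.order.popleft()
            self.seen.discard(triple)

    def verify(self, kid, ts, nonce, mac, method, uri, host, port, now=None):
        now = time.time() if now is None else now
        self._evict(now)
        key = self.keys.get(kid)
        if key is None:
            return "unknown key id"
        if abs(ts - now) > self.skew:
            # Rejects stale requests, but also honest clients whose clock is
            # off by more than skew: this is the clock-skew cost of the scheme.
            return "timestamp outside window"
        expected = sign_request(key, ts, nonce, method, uri, host, port)
        if not hmac.compare_digest(expected, mac):
            return "bad mac"
        triple = (kid, ts, nonce)
        if triple in self.seen:
            return "replay"
        # Record only after the MAC checks out, so an unauthenticated party
        # cannot fill the cache with nonces and block legitimate requests.
        self.seen.add(triple)
        self.order.append((now, triple))
        return "ok"


def demo(now=1_307_591_590):
    """Accept, replay, tamper, clock-skew and eviction cases at a fixed
    server time. Returns (list of outcomes, cache size at the end)."""
    key = b"constructed-example-key-not-from-the-draft"   # assumed key
    kid = "client-1"                                        # assumed key id
    server = MacVerifier({kid: key}, skew=60)
    req = ("GET", "/resource/1?b=1&a=2", "example.com", 80)
    ts, nonce = now - 5, new_nonce()            # client clock 5 s behind
    mac = sign_request(key, ts, nonce, *req)
    results = [
        server.verify(kid, ts, nonce, mac, *req, now=now),              # ok
        server.verify(kid, ts, nonce, mac, *req, now=now + 1),          # replay
        server.verify(kid, ts, nonce, mac, "GET", "/resource/2",
                      "example.com", 80, now=now + 1),                  # bad mac
    ]
    skewed_ts, n2 = now - 120, new_nonce()      # client clock 2 min behind
    skewed_mac = sign_request(key, skewed_ts, n2, *req)
    results.append(server.verify(kid, skewed_ts, n2, skewed_mac, *req, now=now))
    # Much later the first triple is evicted and a fresh request is accepted.
    ts3, n3 = now + 200, new_nonce()
    mac3 = sign_request(key, ts3, n3, *req)
    results.append(server.verify(kid, ts3, n3, mac3, *req, now=now + 200))
    return results, len(server.seen)


if __name__ == "__main__":
    print(demo())
```

The point the cache makes concrete: the server never stores more than two skew windows' worth of accepted triples, whatever the request rate over a day, but a client whose clock drifts past the window is refused even with a valid key, which is the failure mode the reply raises against a purely client-supplied timestamp.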