Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP MAC Authentication Scheme

Nico Williams <nico@cryptonector.com> Wed, 08 June 2011 22:30 UTC

In-Reply-To: <BANLkTi=98GodWuNCfU9bKZ389B7QG3ow+OjJHH9zCKF8tn8TDA@mail.gmail.com>
References: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <BANLkTikpQNyQdr9oWHhtJ7a7d-4ri0CNdA@mail.gmail.com> <09c801cc24c2$a05bae00$e1130a00$@packetizer.com> <BANLkTin30NVzYVV1m4gmyh42DWs-nSQpAg@mail.gmail.com> <00f101cc255e$2d426020$87c72060$@packetizer.com> <BANLkTimn8c72p5bjwHNapW9kVCVBmNbC4w@mail.gmail.com> <1307486600.48324.YahooMailNeo@web31808.mail.mud.yahoo.com> <BANLkTi==5LjD7vW74tqB_sbSHrLjsJE6+A@mail.gmail.com> <4DEEAD76.2090800@adida.net> <BANLkTik7LyPWssAb0EBmx11hK53hiwgmrA@mail.gmail.com> <20110607234131.GI1565@sentinelchicken.org> <BANLkTi=0Ra3zv3ViZyxRJSPtmnQh4v5eRQ@mail.gmail.com> <BANLkTi=98GodWuNCfU9bKZ389B7QG3ow+OjJHH9zCKF8tn8TDA@mail.gmail.com>
Date: Wed, 08 Jun 2011 17:30:16 -0500
Message-ID: <BANLkTime7ve9H95yjdYO7dj85__kaRA4kg@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Breno de Medeiros <breno@google.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: Tim <tim-projects@sentinelchicken.org>, "http-state@ietf.org" <http-state@ietf.org>, OAuth WG <oauth@ietf.org>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP MAC Authentication Scheme

On Wed, Jun 8, 2011 at 5:26 PM, Breno de Medeiros <breno@google.com> wrote:
> On Tue, Jun 7, 2011 at 17:07, Nico Williams <nico@cryptonector.com> wrote:
>> Here's another issue: some of you are saying that an application using
>> this extension will be using TLS for some things but not others, which
>> presumes a TLS session.  Does using TLS _with_ session resumption
>> _and_ HTTP/1.1 pipelining for all requests really cost that much more
>> in latency and compute (and electric) power than the proposed
>> alternative?  I seriously doubt it, and I'd like to see some real
>> analysis showing that I'm wrong before I'd accept such a rationale for
>> this sort of proposal.
>
> Google has performed detailed analysis of SSL performance after
> several optimizations and we have concluded that the answer is 'no
> significant overhead' as you suggest. Indeed, in some workload
> situations it may be actually cheaper to serve SSL traffic because
> there is a reduction in network latency by avoiding bad proxies. We have
> published some results here:
> http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html

Sweet!  Thanks for confirming my intuition, and then some.  I like the
idea that using TLS actually reduces latency -- I'd not have imagined
it.

Nico
--