Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP MAC Authentication Scheme
"William J. Mills" <wmills@yahoo-inc.com> Tue, 07 June 2011 22:43 UTC
References: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <BANLkTikpQNyQdr9oWHhtJ7a7d-4ri0CNdA@mail.gmail.com> <09c801cc24c2$a05bae00$e1130a00$@packetizer.com> <BANLkTin30NVzYVV1m4gmyh42DWs-nSQpAg@mail.gmail.com> <00f101cc255e$2d426020$87c72060$@packetizer.com> <BANLkTimn8c72p5bjwHNapW9kVCVBmNbC4w@mail.gmail.com>
Message-ID: <1307486600.48324.YahooMailNeo@web31808.mail.mud.yahoo.com>
Date: Tue, 07 Jun 2011 15:43:20 -0700
From: "William J. Mills" <wmills@yahoo-inc.com>
To: Nico Williams <nico@cryptonector.com>, "Paul E. Jones" <paulej@packetizer.com>
In-Reply-To: <BANLkTimn8c72p5bjwHNapW9kVCVBmNbC4w@mail.gmail.com>
Cc: "apps-discuss@ietf.org" <apps-discuss@ietf.org>, Ben Adida <ben@adida.net>, Adam Barth <adam@adambarth.com>, "http-state@ietf.org" <http-state@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>, OAuth WG <oauth@ietf.org>
Subject: Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP MAC Authentication Scheme
MAC adds security if the initial secret exchange is secure, and it provides a definition for signing payload as part of the request.

________________________________
From: Nico Williams <nico@cryptonector.com>
To: Paul E. Jones <paulej@packetizer.com>
Cc: apps-discuss@ietf.org; Ben Adida <ben@adida.net>; Adam Barth <adam@adambarth.com>; http-state@ietf.org; HTTP Working Group <ietf-http-wg@w3.org>; OAuth WG <oauth@ietf.org>
Sent: Tuesday, June 7, 2011 3:35 PM
Subject: Re: [OAUTH-WG] [http-state] [apps-discuss] HTTP MAC Authentication Scheme

On Tue, Jun 7, 2011 at 4:59 PM, Paul E. Jones <paulej@packetizer.com> wrote:
> I fully agree with you that using TLS is usually preferred. That said, we encounter situations where there were a large number of client/server interactions and the data conveyed is not confidential information in any way. Using TLS can significantly decrease server performance, particularly when there are a number of separate connections that are established and broken.
>
> So, we were trying to find a non-TLS solution that still provides a way to ensure the server can identify the user and that both can verify that data has not been tampered with in flight. (It would still be preferred to establish security relations with TLS, though we were open to other solutions.)

I don't see the point of having a MAC instead of a cookie for HTTP requests sent without TLS, not unless you cover enough of the request (and response). Of course, you'll want two different cookies -- one for HTTP and one for HTTPS.

I think you've just convinced me that this MAC adds no value whatsoever.

Nico

--
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
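The disagreement above turns on how much of the request the MAC covers: a bearer cookie captured on plain HTTP can be attached to any request the attacker likes, whereas a MAC over method, URI, host, port and a body hash only lets the eavesdropper replay the one request they saw, and a timestamp window plus nonce cache closes even that. The Python below is an added example written for this page, not code from the thread or from the HTTP MAC draft. The field order of the string being MACed follows the general shape of the draft's normalized request string and the header attribute names (`id`, `ts`, `nonce`, `ext`, `mac`) follow the draft, but the exact layout, the `bodyhash=` convention inside `ext`, the SHA-256 choice, the 300-second window, and the key id, secret, nonce and request values are all assumptions for illustration.

```python
import base64
import hashlib
import hmac
import re

# Constructed values for this example: a key identifier and shared secret the
# client is assumed to have obtained over a secure channel (e.g. TLS) beforehand.
KEY_ID = "h480djs93hd8"
SECRET = b"adiajkkgw6wkh2yu8f4u"
WINDOW_SECONDS = 300  # clock skew tolerated when checking ts (assumed value)

_ATTR = re.compile(r'(\w+)="([^"]*)"')


def body_hash(body: bytes) -> str:
    """Base64(SHA-256(body)); carried in ext so the payload is covered by the MAC."""
    return base64.b64encode(hashlib.sha256(body).digest()).decode()


def ext_for(body: bytes) -> str:
    """Assumed convention: an empty ext for bodyless requests, bodyhash=... otherwise."""
    return "bodyhash=" + body_hash(body) if body else ""


def normalized_request(ts, nonce, method, uri, host, port, ext):
    """String the MAC is computed over. Field order follows the general shape of
    the HTTP MAC draft (timestamp, nonce, method, URI, host, port, ext); the
    exact layout here is an assumption for illustration, not the draft's text."""
    fields = [str(ts), nonce, method.upper(), uri, host.lower(), str(port), ext]
    return "\n".join(fields) + "\n"


def compute_mac(secret, ts, nonce, method, uri, host, port, ext):
    msg = normalized_request(ts, nonce, method, uri, host, port, ext)
    digest = hmac.new(secret, msg.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def make_authorization(key_id, secret, ts, nonce, method, uri, host, port, body=b""):
    """Client side: build the Authorization header value for one request."""
    ext = ext_for(body)
    mac = compute_mac(secret, ts, nonce, method, uri, host, port, ext)
    return f'MAC id="{key_id}", ts="{ts}", nonce="{nonce}", ext="{ext}", mac="{mac}"'


class Verifier:
    """Server side: recomputes the MAC over what was actually received and
    rejects stale timestamps and already-seen (id, ts, nonce) triples."""

    def __init__(self, secrets):
        self.secrets = secrets  # key id -> secret
        self.seen = set()       # (key id, ts, nonce) triples already accepted

    def verify(self, header, method, uri, host, port, body, now):
        if not header.startswith("MAC "):
            return "no-mac"
        p = dict(_ATTR.findall(header[4:]))
        secret = self.secrets.get(p.get("id", ""))
        if secret is None or not p.get("ts", "").isdigit():
            return "unknown-id"
        ts, nonce = int(p["ts"]), p.get("nonce", "")
        if abs(now - ts) > WINDOW_SECONDS:
            return "stale"
        # The body hash the client claimed must match the body the server received.
        if p.get("ext", "") != ext_for(body):
            return "body-mismatch"
        expected = compute_mac(secret, ts, nonce, method, uri, host, port, p["ext"])
        if not hmac.compare_digest(expected, p.get("mac", "")):
            return "bad-mac"
        if (p["id"], ts, nonce) in self.seen:
            return "replay"
        self.seen.add((p["id"], ts, nonce))
        return "ok"


def demo():
    """Constructed scenario: one legitimate POST over plain HTTP, then what an
    eavesdropper who captured its Authorization header can and cannot do."""
    v = Verifier({KEY_ID: SECRET})
    now, nonce, body = 1307486600, "264095:dj83hs9s", b'{"amount": 10}'
    hdr = make_authorization(KEY_ID, SECRET, now, nonce, "POST", "/transfer", "example.com", 80, body)
    return {
        "genuine": v.verify(hdr, "POST", "/transfer", "example.com", 80, body, now),
        "replayed": v.verify(hdr, "POST", "/transfer", "example.com", 80, body, now + 1),
        "body_changed": v.verify(hdr, "POST", "/transfer", "example.com", 80, b'{"amount": 9999}', now + 1),
        "path_changed": v.verify(hdr, "POST", "/admin", "example.com", 80, body, now + 1),
        "stale": v.verify(hdr, "POST", "/transfer", "example.com", 80, body, now + WINDOW_SECONDS + 1),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>13}: {outcome}")
```

Running `demo()` shows the genuine request accepted and every reuse of the captured header rejected: altered body (`body-mismatch`), altered path (`bad-mac`), verbatim replay (`replay`), and replay after the window (`stale`). Nico's objection still stands for whatever the MAC does not cover: with this layout, a query string is protected only because it is part of the URI, request headers outside the normalized string are not, and the response is not covered at all, so an on-path attacker can still rewrite what the client gets back.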