Re: [apps-discuss] [http-state] HTTP MAC Authentication Scheme

"Paul E. Jones" <paulej@packetizer.com> Fri, 10 June 2011 20:04 UTC

Return-Path: <paulej@packetizer.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A6D511E80FB; Fri, 10 Jun 2011 13:04:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.417
X-Spam-Level:
X-Spam-Status: No, score=-4.417 tagged_above=-999 required=5 tests=[AWL=-1.818, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vAy2cIYevvjP; Fri, 10 Jun 2011 13:04:02 -0700 (PDT)
Received: from dublin.packetizer.com (dublin.packetizer.com [75.101.130.125]) by ietfa.amsl.com (Postfix) with ESMTP id 13DED11E8097; Fri, 10 Jun 2011 13:03:49 -0700 (PDT)
Received: from sydney (rrcs-98-101-155-83.midsouth.biz.rr.com [98.101.155.83]) (authenticated bits=0) by dublin.packetizer.com (8.14.4/8.14.4) with ESMTP id p5AK3VJs002670 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Fri, 10 Jun 2011 16:03:36 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=packetizer.com; s=dublin; t=1307736217; bh=65DhJkxJweupl9J5VTi9bGIOu1I5puC8lk5CxwhLUo8=; h=From:To:Cc:References:In-Reply-To:Subject:Date:Message-ID: MIME-Version:Content-Type:Content-Transfer-Encoding; b=TiuOXknIBjKKfYuabwcRFFZ02Xa5AxBB9qKAa/eXRofYC/A5dsoESJIQiJ4+DVdZY 1l0NYQo/LpN7v2d4pQjpZFZ21WcFB2eK11wI9YqBrILJxd5Gqc/jeJRUWrhJnGy307 HZo4jNmOb/zhbqShegKSyhimv9hsqDx7oVNfGAis=
From: "Paul E. Jones" <paulej@packetizer.com>
To: "'Nico Williams'" <nico@cryptonector.com>
References: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <BANLkTikpQNyQdr9oWHhtJ7a7d-4ri0CNdA@mail.gmail.com> <09c801cc24c2$a05bae00$e1130a00$@packetizer.com> <BANLkTin30NVzYVV1m4gmyh42DWs-nSQpAg@mail.gmail.com> <00f101cc255e$2d426020$87c72060$@packetizer.com> <BANLkTimn8c72p5bjwHNapW9kVCVBmNbC4w@mail.gmail.com> <015801cc25ab$063a2150$12ae63f0$@packetizer.com> <BANLkTimsKgozsADnA1+yccvKmg1Pa2mPng@mail.gmail.com> <02c401cc2662$9a21d220$ce657660$@packetizer.com> <BANLkTikFrwtysWtqqndX4eO33OSaik=Gkg@mail.gmail.com>
In-Reply-To: <BANLkTikFrwtysWtqqndX4eO33OSaik=Gkg@mail.gmail.com>
Date: Fri, 10 Jun 2011 16:03:20 -0400
Message-ID: <051201cc27a9$7603f970$620bec50$@packetizer.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQFyB4gcQBia34uJQdRCExMgck4H0AKYdFzaAoZRr8EBlD5mpAL1HuqcAjoReDABal05/QI7UtjxArFQ00YB68uctpTKGnTw
Content-Language: en-us
Cc: 'Ben Adida' <ben@adida.net>, 'Adam Barth' <adam@adambarth.com>, 'OAuth WG' <oauth@ietf.org>, apps-discuss@ietf.org
Subject: Re: [apps-discuss] [http-state] HTTP MAC Authentication Scheme
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jun 2011 20:04:03 -0000

Nico,

> On Thu, Jun 9, 2011 at 12:03 AM, Paul E. Jones <paulej@packetizer.com>
> wrote:
> > What issues, specifically.  (Messages are all over the place and I
> > don’t know exactly what issues you’re raising.  Is it with the
> > approach we’re proposing or something else?)
> 
> The fundamental issue is that protecting the cookie alone is not enough.
> On open wifi networks it's a fair assumption that the difficulty of
> active attacks is about the same as the difficulty of passive attacks.
> Therefore you need to provide integrity protection for most of the
> request and most of the response, including the bodies.

While I will not claim that our current draft is bullet proof, we did make an attempt to define a means of allowing the client and server to be able to detect if a request has been altered, including both message headers and message body.

Draft:
http://tools.ietf.org/html//draft-salgueiro-secure-state-management-04

Paul