Re: [apps-discuss] HTTP MAC Authentication Scheme

[Eran Hammer-Lahav <eran@hueniverse.com>]

Hi Chris,

There is no good way to include headers in the normalized request string. Anything we've tried was just impractical for web adoption. Coming up with a canonicalization logic for HTTP headers that can survive all the allowed manipulations, and does not require repeating the headers in some encoded blog (say, base64 everything that is included in the MAC and include that blog with the request), is just too hard and error prone. It requires hard coding rules for each header given the number of exceptions in format and rules.

As for the body hash, we're looking for a way to make it useful for form-encoded bodies and API calls. It isn't really meant for large file uploads. We're trying to implement it in the browser and will make decisions based on that experience.

EHL



From: apps-discuss-bounces@ietf.org [mailto:apps-discuss-bounces@ietf.org] On Behalf Of Chris Bentzel
Sent: Monday, May 09, 2011 6:00 PM
To: apps-discuss@ietf.org
Subject: Re: [apps-discuss] HTTP MAC Authentication Scheme

On Mon, May 9, 2011 at 3:22 PM, Eran Hammer-Lahav <eran@hueniverse.com<mailto:eran@hueniverse.com>> wrote:
(Please discuss this draft on the Apps-Discuss <apps-discuss@ietf.org<mailto:apps-discuss@ietf.org>> mailing list)

Should there be support for more headers in the Normalized Request String [Section 3.3.1] to minimize MITM attacks? Could this be done on all non-hop-by-hop headers? One concern is reordering of headers by middle-boxes.

Should the body hash be a separate header from the Authorization header? This may allow a User-Agent to do a Chunked-Encoding POST with a trailing header containing the body hash, preventing the need to buffer all of the body in the User-Agent before sending over the wire. However, it would lead to some duplication of the parameters included in the Authorization header.