Re: [apps-discuss] HTTP MAC Authentication Scheme

Eran Hammer-Lahav <> Tue, 10 May 2011 01:19 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7531DE0994 for <>; Mon, 9 May 2011 18:19:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.873
X-Spam-Status: No, score=-2.873 tagged_above=-999 required=5 tests=[AWL=-0.275, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ZG7yIQVhq9yi for <>; Mon, 9 May 2011 18:19:55 -0700 (PDT)
Received: from ( []) by (Postfix) with SMTP id DF1A9E08BD for <>; Mon, 9 May 2011 18:19:47 -0700 (PDT)
Received: (qmail 20474 invoked from network); 10 May 2011 01:13:07 -0000
Received: from unknown (HELO ( by with SMTP; 10 May 2011 01:13:07 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([]) with mapi; Mon, 9 May 2011 18:12:32 -0700
From: Eran Hammer-Lahav <>
To: Chris Bentzel <>, "" <>
Date: Mon, 9 May 2011 18:12:28 -0700
Thread-Topic: [apps-discuss] HTTP MAC Authentication Scheme
Thread-Index: AcwOriIrN9ztYReJTuaMWhgOFtEGGAAAFvOQ
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723447581DA9D7@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_90C41DD21FB7C64BB94121FBBC2E723447581DA9D7P3PW5EX1MB01E_"
MIME-Version: 1.0
Subject: Re: [apps-discuss] HTTP MAC Authentication Scheme
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 10 May 2011 01:19:57 -0000

Hi Chris,

There is no good way to include headers in the normalized request string. Anything we've tried was just impractical for web adoption. Coming up with a canonicalization logic for HTTP headers that can survive all the allowed manipulations, and does not require repeating the headers in some encoded blog (say, base64 everything that is included in the MAC and include that blog with the request), is just too hard and error prone. It requires hard coding rules for each header given the number of exceptions in format and rules.

As for the body hash, we're looking for a way to make it useful for form-encoded bodies and API calls. It isn't really meant for large file uploads. We're trying to implement it in the browser and will make decisions based on that experience.


From: [] On Behalf Of Chris Bentzel
Sent: Monday, May 09, 2011 6:00 PM
Subject: Re: [apps-discuss] HTTP MAC Authentication Scheme

On Mon, May 9, 2011 at 3:22 PM, Eran Hammer-Lahav <<>> wrote:
(Please discuss this draft on the Apps-Discuss <<>> mailing list)

Should there be support for more headers in the Normalized Request String [Section 3.3.1] to minimize MITM attacks? Could this be done on all non-hop-by-hop headers? One concern is reordering of headers by middle-boxes.

Should the body hash be a separate header from the Authorization header? This may allow a User-Agent to do a Chunked-Encoding POST with a trailing header containing the body hash, preventing the need to buffer all of the body in the User-Agent before sending over the wire. However, it would lead to some duplication of the parameters included in the Authorization header.