Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP MAC Authentication Scheme

Nico Williams <nico@cryptonector.com> Wed, 08 June 2011 03:17 UTC

Date: Tue, 07 Jun 2011 22:17:47 -0500
Message-ID: <BANLkTinGkTF35e9RQKjnR8=osZcNw5-8BQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: "William J. Mills" <wmills@yahoo-inc.com>
Cc: Tim <tim-projects@sentinelchicken.org>, "http-state@ietf.org" <http-state@ietf.org>, OAuth WG <oauth@ietf.org>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP MAC Authentication Scheme

On Tue, Jun 7, 2011 at 9:40 PM, William J. Mills <wmills@yahoo-inc.com> wrote:
> It is possible to implement decent security with MAC, it is also possible to

Not as specified.  See earlier posts regarding active attacks.

> screw it up.  It is far more difficult (impossible?) to implement decent
> security with cookies over HTTP.

Assuming well-behaved browsers that understand the distinction between
"secure" and non-secure cookies, and assuming that active attacks are
often no more difficult than passive attacks, what does MAC without
TLS add that cookies don't provide?

Nico
--