[apps-discuss] HTTP MAC Authentication Scheme

Eran Hammer-Lahav <eran@hueniverse.com> Mon, 09 May 2011 19:22 UTC

From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "apps-discuss@ietf.org" <apps-discuss@ietf.org>
Date: Mon, 9 May 2011 12:22:23 -0700
Thread-Topic: HTTP MAC Authentication Scheme
Cc: Ben Adida <ben@adida.net>, "http-state@ietf.org" <http-state@ietf.org>, OAuth WG <oauth@ietf.org>, "'Adam Barth \(adam@adambarth.com\)'" <adam@adambarth.com>, HTTP Working Group <ietf-http-wg@w3.org>
Subject: [apps-discuss] HTTP MAC Authentication Scheme

(Please discuss this draft on the Apps-Discuss <apps-discuss@ietf.org> mailing list)


The draft includes:

* An HTTP authentication scheme using a MAC algorithm to authenticate requests (via a pre-arranged MAC key).
* An extension to the Set-Cookie header, providing a method for associating a MAC key with a session cookie.
* An OAuth 2.0 binding, providing a method of returning MAC credentials as an access token.

Some background: OAuth 1.0 introduced an HTTP authentication scheme using HMAC for authenticating an HTTP request with partial cryptographic protection of the HTTP request (namely, the request URI, host, and port). The OAuth 1.0 scheme was designed for delegation-based use cases, but is widely "abused" for simple client-server authentication (the poorly named 'two-legged' use case). This functionality has been separated from OAuth 2.0 and has been reintroduced as a standalone, generally applicable HTTP authentication scheme called MAC.

Comments and feedback are greatly appreciated.
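To make concrete what the message means by authenticating a request with a pre-arranged MAC key while covering the request URI, host and port, here is an added illustration that is not part of the announcement or of the draft itself. The newline-separated normalized string, the SHA-256 HMAC, the timestamp window and the nonce cache are all assumptions made for this example, not the draft's wire format.

```python
import hashlib
import hmac
import time

# Assumed normalized-string layout for this example (not the draft's format):
# one field per line so that no field can absorb its neighbour's bytes.
def normalized_string(timestamp, nonce, method, uri, host, port):
    fields = [str(timestamp), nonce, method.upper(), uri, host.lower(), str(port)]
    return "\n".join(fields) + "\n"


def sign_request(key, timestamp, nonce, method, uri, host, port):
    """Client side: HMAC-SHA256 over the normalized request, hex-encoded."""
    msg = normalized_string(timestamp, nonce, method, uri, host, port)
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_request(key, mac, timestamp, nonce, method, uri, host, port,
                   seen_nonces, now=None, window=300):
    """Server side: recompute the MAC from the request the server actually
    received, reject stale timestamps and replayed (timestamp, nonce) pairs,
    and compare in constant time. Returns True only for a fresh, untampered
    request signed with the shared key."""
    now = time.time() if now is None else now
    if abs(now - timestamp) > window:
        return False                      # outside the freshness window
    if (timestamp, nonce) in seen_nonces:
        return False                      # replay of an already-seen request
    expected = sign_request(key, timestamp, nonce, method, uri, host, port)
    if not hmac.compare_digest(expected, mac):
        return False                      # key mismatch or URI/host/port tampered
    seen_nonces.add((timestamp, nonce))   # remember only after a successful check
    return True


if __name__ == "__main__":
    key = b"constructed-shared-key"       # constructed sample key
    seen = set()
    ts, nonce = 1304968943, "n1"          # constructed sample values
    mac = sign_request(key, ts, nonce, "GET", "/resource/1?b=1&a=2", "example.com", 80)
    print("fresh:   ", verify_request(key, mac, ts, nonce, "GET", "/resource/1?b=1&a=2",
                                      "example.com", 80, seen, now=ts + 7))
    print("replay:  ", verify_request(key, mac, ts, nonce, "GET", "/resource/1?b=1&a=2",
                                      "example.com", 80, seen, now=ts + 7))
    print("tampered:", verify_request(key, mac, ts, nonce, "GET", "/resource/2",
                                      "example.com", 80, set(), now=ts + 7))
```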