Re: [http-state] [apps-discuss] HTTP MAC Authentication Scheme
Adam Barth <ietf@adambarth.com> Tue, 07 June 2011 21:24 UTC
Return-Path: <ietf@adambarth.com>
X-Original-To: http-state@ietfa.amsl.com
Delivered-To: http-state@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 346F41F0C36; Tue, 7 Jun 2011 14:24:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.727
X-Spam-Level:
X-Spam-Status: No, score=-4.727 tagged_above=-999 required=5 tests=[AWL=-1.750, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vqAO8ic83vEo; Tue, 7 Jun 2011 14:24:43 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id 7BABC1F0657; Tue, 7 Jun 2011 14:24:43 -0700 (PDT)
Received: by iyn15 with SMTP id 15so6346666iyn.31 for <multiple recipients>; Tue, 07 Jun 2011 14:24:42 -0700 (PDT)
Received: by 10.42.1.82 with SMTP id 18mr11300549icf.274.1307481882488; Tue, 07 Jun 2011 14:24:42 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by mx.google.com with ESMTPS id w11sm2321212ibw.41.2011.06.07.14.24.41 (version=SSLv3 cipher=OTHER); Tue, 07 Jun 2011 14:24:41 -0700 (PDT)
Received: by iyn15 with SMTP id 15so6346595iyn.31 for <multiple recipients>; Tue, 07 Jun 2011 14:24:41 -0700 (PDT)
Received: by 10.42.177.4 with SMTP id bg4mr10324481icb.164.1307481881104; Tue, 07 Jun 2011 14:24:41 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.42.229.196 with HTTP; Tue, 7 Jun 2011 14:24:10 -0700 (PDT)
In-Reply-To: <BANLkTimB6F17OfC7J6jccDsd6Zv0T6tE3w@mail.gmail.com>
References: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <BANLkTikpQNyQdr9oWHhtJ7a7d-4ri0CNdA@mail.gmail.com> <09c801cc24c2$a05bae00$e1130a00$@packetizer.com> <BANLkTin30NVzYVV1m4gmyh42DWs-nSQpAg@mail.gmail.com> <BANLkTimNNwqs2VKM67V9NcBUV1ztvrqe3Q@mail.gmail.com> <BANLkTimB6F17OfC7J6jccDsd6Zv0T6tE3w@mail.gmail.com>
From: Adam Barth <ietf@adambarth.com>
Date: Tue, 07 Jun 2011 14:24:10 -0700
Message-ID: <BANLkTin7zQ2S_gO=dzrBd7Vn4i9AKuSe6A@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: apps-discuss@ietf.org, Ben Adida <ben@adida.net>, Eran Hammer-Lahav <eran@hueniverse.com>, http-state@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>, OAuth WG <oauth@ietf.org>
Subject: Re: [http-state] [apps-discuss] HTTP MAC Authentication Scheme
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jun 2011 21:24:44 -0000
On Tue, Jun 7, 2011 at 2:17 PM, Nico Williams <nico@cryptonector.com> wrote: > On Tue, Jun 7, 2011 at 1:30 PM, Adam Barth <ietf@adambarth.com> wrote: >> On Tue, Jun 7, 2011 at 10:35 AM, Nico Williams <nico@cryptonector.com> wrote: >>> I'm completely on-board with session state[*]. My comments were >>> particularly in regards to threat models. I believe that >>> eavesdroppers and active attackers both need to be considered, >>> particularly as we have so many open wifi networks. >> >> Sorry. We can't address active attackers using this mechanism. If >> you need protection from active attackers, please use TLS. > > I've already said as much now several times. However, I want channel > binding to TLS too. I'm not sure that's appropriate for this mechanism. What problem does channel binding solve? Adam >>> To me the simplest way to address the Internet threat model is to >>> always use TLS (except, maybe, for images and such elements that have >>> little or no security value, though one must be careful when making >>> that determination) and to use channel binding. See the I-D >>> referenced below. >> >> Indeed. This mechanism is for folks who cannot or will not deploy TLS. > > It has value outside TLS as well. Particularly if you're using an > authentication mechanism that can provide mutual authentication (which > OAuth doesn't do today, but I hear there's work in progress to add > mutual auth to it). And then you realize that you might want to do > something similar with other non-OAuth authentication methods, thus > the urge to generalize. > > Nico > -- >
- [http-state] HTTP MAC Authentication Scheme Eran Hammer-Lahav
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Nico Williams
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Eran Hammer-Lahav
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Nico Williams
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Mark Nottingham
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Eran Hammer-Lahav
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Stephen Farrell
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Mark Nottingham
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Adam Barth
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Eran Hammer-Lahav
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Mark Nottingham
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Stephen Farrell
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Dave CROCKER
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Paul E. Jones
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Nico Williams
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Adam Barth
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Nico Williams
- Re: [http-state] [OAUTH-WG] [apps-discuss] HTTP M… Nico Williams
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Adam Barth
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Paul E. Jones
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Nico Williams
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Nico Williams
- Re: [http-state] [OAUTH-WG] [apps-discuss] HTTP M… Nico Williams
- Re: [http-state] [OAUTH-WG] [apps-discuss] HTTP M… Nico Williams
- Re: [http-state] [OAUTH-WG] [apps-discuss] HTTP M… Nico Williams
- Re: [http-state] [OAUTH-WG] [apps-discuss] HTTP M… Nico Williams
- Re: [http-state] [OAUTH-WG] [apps-discuss] HTTP M… Nico Williams
- Re: [http-state] [apps-discuss] [OAUTH-WG] HTTP M… Mark Nottingham
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Paul E. Jones
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Nico Williams
- Re: [http-state] [apps-discuss] [OAUTH-WG] HTTP M… Nico Williams
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Paul E. Jones
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Paul E. Jones
- Re: [http-state] [OAUTH-WG] [apps-discuss] HTTP M… Igor Faynberg
- Re: [http-state] [OAUTH-WG] [apps-discuss] HTTP M… William J. Mills
- Re: [http-state] [OAUTH-WG] [apps-discuss] HTTP M… Randy Fischer
- Re: [http-state] [OAUTH-WG] [apps-discuss] HTTP M… William J. Mills
- Re: [http-state] [apps-discuss] [OAUTH-WG] HTTP M… Breno de Medeiros
- Re: [http-state] [OAUTH-WG] [apps-discuss] HTTP M… Tim
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Tim
- Re: [http-state] [apps-discuss] [OAUTH-WG] HTTP M… Bjartur Thorlacius
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Tim