Re: [http-state] [apps-discuss] [OAUTH-WG] HTTP MAC Authentication Scheme
Breno de Medeiros <breno@google.com> Wed, 08 June 2011 22:26 UTC
Return-Path: <breno@google.com>
X-Original-To: http-state@ietfa.amsl.com
Delivered-To: http-state@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70CF21F0C49 for <http-state@ietfa.amsl.com>; Wed, 8 Jun 2011 15:26:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.977
X-Spam-Level:
X-Spam-Status: No, score=-105.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vpamztwj4mWB for <http-state@ietfa.amsl.com>; Wed, 8 Jun 2011 15:26:20 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.44.51]) by ietfa.amsl.com (Postfix) with ESMTP id 948FA1F0C3C for <http-state@ietf.org>; Wed, 8 Jun 2011 15:26:15 -0700 (PDT)
Received: from hpaq13.eem.corp.google.com (hpaq13.eem.corp.google.com [172.25.149.13]) by smtp-out.google.com with ESMTP id p58MQ9fM007204 for <http-state@ietf.org>; Wed, 8 Jun 2011 15:26:09 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1307571970; bh=Eh29TvEYVQ8aLUKnXlMEK0zOZd0=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type:Content-Transfer-Encoding; b=d8itGDXMLmsuc7ob3q10wKFB03iqJmVR3B8ti/rbX82dP1j8bKacQF+DeM7XAjT7n KIeFh95KDi+dkMVsXORjw==
Received: from yxe1 (yxe1.prod.google.com [10.190.2.1]) by hpaq13.eem.corp.google.com with ESMTP id p58MPAFE005316 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT) for <http-state@ietf.org>; Wed, 8 Jun 2011 15:26:04 -0700
Received: by yxe1 with SMTP id 1so628964yxe.2 for <http-state@ietf.org>; Wed, 08 Jun 2011 15:26:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=ZEsXVsGWrIac74D30ZKaoEDizHGk1RowbHXYAqBKR1M=; b=MfLx12RjC8/hLjbuSlfKkp92zufQaTO3AE6AWph30mgZJN97DEOZSbInUf7pbUGL0W wvmKwbN2oSxq/xF926fg==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=EQA+Ot4PSZWr110iCbLGG7r5IGrdwo2SnOwovSDOaNjJLPnJz/9Ps9Wn0gaFqFOVtD jQyxtsbKEY3dnWZ1F/JQ==
MIME-Version: 1.0
Received: by 10.101.1.2 with SMTP id d2mr16581ani.9.1307571963776; Wed, 08 Jun 2011 15:26:03 -0700 (PDT)
Received: by 10.100.244.26 with HTTP; Wed, 8 Jun 2011 15:26:03 -0700 (PDT)
In-Reply-To: <BANLkTi=0Ra3zv3ViZyxRJSPtmnQh4v5eRQ@mail.gmail.com>
References: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <BANLkTikpQNyQdr9oWHhtJ7a7d-4ri0CNdA@mail.gmail.com> <09c801cc24c2$a05bae00$e1130a00$@packetizer.com> <BANLkTin30NVzYVV1m4gmyh42DWs-nSQpAg@mail.gmail.com> <00f101cc255e$2d426020$87c72060$@packetizer.com> <BANLkTimn8c72p5bjwHNapW9kVCVBmNbC4w@mail.gmail.com> <1307486600.48324.YahooMailNeo@web31808.mail.mud.yahoo.com> <BANLkTi==5LjD7vW74tqB_sbSHrLjsJE6+A@mail.gmail.com> <4DEEAD76.2090800@adida.net> <BANLkTik7LyPWssAb0EBmx11hK53hiwgmrA@mail.gmail.com> <20110607234131.GI1565@sentinelchicken.org> <BANLkTi=0Ra3zv3ViZyxRJSPtmnQh4v5eRQ@mail.gmail.com>
Date: Wed, 08 Jun 2011 15:26:03 -0700
Message-ID: <BANLkTi=98GodWuNCfU9bKZ389B7QG3ow+OjJHH9zCKF8tn8TDA@mail.gmail.com>
From: Breno de Medeiros <breno@google.com>
To: Nico Williams <nico@cryptonector.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
X-Mailman-Approved-At: Fri, 10 Jun 2011 08:03:35 -0700
Cc: Tim <tim-projects@sentinelchicken.org>, "http-state@ietf.org" <http-state@ietf.org>, OAuth WG <oauth@ietf.org>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: [http-state] [apps-discuss] [OAUTH-WG] HTTP MAC Authentication Scheme
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jun 2011 22:26:20 -0000
On Tue, Jun 7, 2011 at 17:07, Nico Williams <nico@cryptonector.com> wrote: > On Tue, Jun 7, 2011 at 6:41 PM, Tim <tim-projects@sentinelchicken.org> wrote: >> I have to agree with Nico here. In almost all cases I assert that, on >> typical modern networks: >> >> let P = difficulty of passive attack >> let M = difficulty of active (man-in-the-middle) attack >> >> O(P) = O(M) >> . >> >> This isn't to say the "real world" difficulty of an active attack is >> just as easy, but it is within a constant factor. If someone has >> published a tool that conducts MitM attacks for the specific protocol >> you're dealing with, the difference in difficulty clearly becomes >> marginal. Consider the complexity of the attacks implemented by >> sslstrip and yet the relative ease with which you can use it to MitM >> all SSL connections. > > Exactly, and very well put. > > Active attacks sound harder, and they do actually require more work, > but in many cases that work can be automated, and once automated there > can be no difference in effort required to mount an active attack > versus a passive one. > > Do we suppose that this proposal can get past secdir, IESG, and IETF > reviews as-is? I doubt it. > > Here's another issue: some of you are saying that an application using > this extension will be using TLS for some things but not others, which > presumes a TLS session. Does using TLS _with_ session resumption > _and_ HTTP/1.1 pipelining for all requests really cost that much more > in latency and compute (and electric) power than the proposed > alternative? I seriously doubt it, and I'd like to see some real > analysis showing that I'm wrong before I'd accept such a rationale for > this sort of proposal. Google has performed detailed analysis of SSL performance after several optimizations and we have concluded that the answer is 'no significant overhead' as you suggest. Indeed, in some workload situations it may be actually cheaper to serve SSL traffic because there is reduction in network latency by avoiding bad proxies. We have published some results here: http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html > > Or perhaps the motivation relates to accidental leakage of "secure" > cookies in non-secure contexts. But why not just fix the clients in > that case? > > Nico > -- > _______________________________________________ > apps-discuss mailing list > apps-discuss@ietf.org > https://www.ietf.org/mailman/listinfo/apps-discuss > -- --Breno
- [http-state] HTTP MAC Authentication Scheme Eran Hammer-Lahav
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Nico Williams
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Eran Hammer-Lahav
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Nico Williams
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Mark Nottingham
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Eran Hammer-Lahav
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Stephen Farrell
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Mark Nottingham
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Adam Barth
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Eran Hammer-Lahav
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Mark Nottingham
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Stephen Farrell
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Dave CROCKER
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Paul E. Jones
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Nico Williams
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Adam Barth
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Nico Williams
- Re: [http-state] [OAUTH-WG] [apps-discuss] HTTP M… Nico Williams
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Adam Barth
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Paul E. Jones
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Nico Williams
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Nico Williams
- Re: [http-state] [OAUTH-WG] [apps-discuss] HTTP M… Nico Williams
- Re: [http-state] [OAUTH-WG] [apps-discuss] HTTP M… Nico Williams
- Re: [http-state] [OAUTH-WG] [apps-discuss] HTTP M… Nico Williams
- Re: [http-state] [OAUTH-WG] [apps-discuss] HTTP M… Nico Williams
- Re: [http-state] [OAUTH-WG] [apps-discuss] HTTP M… Nico Williams
- Re: [http-state] [apps-discuss] [OAUTH-WG] HTTP M… Mark Nottingham
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Paul E. Jones
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Nico Williams
- Re: [http-state] [apps-discuss] [OAUTH-WG] HTTP M… Nico Williams
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Paul E. Jones
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Paul E. Jones
- Re: [http-state] [OAUTH-WG] [apps-discuss] HTTP M… Igor Faynberg
- Re: [http-state] [OAUTH-WG] [apps-discuss] HTTP M… William J. Mills
- Re: [http-state] [OAUTH-WG] [apps-discuss] HTTP M… Randy Fischer
- Re: [http-state] [OAUTH-WG] [apps-discuss] HTTP M… William J. Mills
- Re: [http-state] [apps-discuss] [OAUTH-WG] HTTP M… Breno de Medeiros
- Re: [http-state] [OAUTH-WG] [apps-discuss] HTTP M… Tim
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Tim
- Re: [http-state] [apps-discuss] [OAUTH-WG] HTTP M… Bjartur Thorlacius
- Re: [http-state] [apps-discuss] HTTP MAC Authenti… Tim