Re: [http-state] [apps-discuss] HTTP MAC Authentication Scheme
Nico Williams <nico@cryptonector.com> Tue, 07 June 2011 22:35 UTC
Date: Tue, 07 Jun 2011 17:35:31 -0500
Message-ID: <BANLkTimn8c72p5bjwHNapW9kVCVBmNbC4w@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: "Paul E. Jones" <paulej@packetizer.com>
Cc: apps-discuss@ietf.org, Ben Adida <ben@adida.net>, Eran Hammer-Lahav <eran@hueniverse.com>, Adam Barth <adam@adambarth.com>, http-state@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>, OAuth WG <oauth@ietf.org>
Subject: Re: [http-state] [apps-discuss] HTTP MAC Authentication Scheme

On Tue, Jun 7, 2011 at 4:59 PM, Paul E. Jones <paulej@packetizer.com> wrote:
> I fully agree with you that using TLS is usually preferred. That said, we encounter situations where there were a large number of client/server interactions and the data conveyed is not confidential information in any way. Using TLS can significantly decrease server performance, particularly when there are a number of separate connections that are established and broken.
>
> So, we were trying to find a non-TLS solution that still provides a way to ensure the server can identify the user and that both can verify that data has not been tampered with in flight. (It would still be preferred to establish security relations with TLS, though we were open to other solutions.)

I don't see the point of having a MAC instead of a cookie for HTTP requests sent without TLS, not unless you cover enough of the request (and response). Of course, you'll want two different cookies -- one for HTTP and one for HTTPS.

I think you've just convinced me that this MAC adds no value whatsoever.

Nico
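
An added illustration of the "cover enough of the request" point above; it is not part of the original message and not code from the MAC draft. It compares a MAC computed over only method, host and path with one that also binds headers and a body hash; the key, field selection, helper names and sample request are all constructed assumptions, and a response would need the same coverage.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed shared secret, not from the thread


def mac_partial(method, host, path):
    """MAC over method, host and path only (assumed narrow coverage)."""
    msg = "\n".join([method, host, path]).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def mac_full(method, host, path, headers, body):
    """MAC that also binds the listed headers and a hash of the body."""
    hdrs = "\n".join(f"{k.lower()}:{v.strip()}" for k, v in sorted(headers.items()))
    body_hash = hashlib.sha256(body).hexdigest()
    msg = "\n".join([method, host, path, hdrs, body_hash]).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def verify(recomputed, presented):
    # Constant-time comparison of the server's recomputed tag and the client's tag.
    return hmac.compare_digest(recomputed, presented)


def demo():
    # Constructed request as the client sent it over plain HTTP.
    sent = dict(
        method="POST",
        host="example.org",
        path="/transfer",
        headers={"Content-Type": "application/json"},
        body=b'{"to":"alice","amount":10}',
    )
    # Same request after the body was changed in flight (constructed).
    received = dict(sent, body=b'{"to":"mallory","amount":9999}')

    partial_tag = mac_partial(sent["method"], sent["host"], sent["path"])
    full_tag = mac_full(**sent)

    return {
        # Narrow MAC: the server recomputes the same tag, so the change goes unnoticed.
        "partial_accepts_modified": verify(
            mac_partial(received["method"], received["host"], received["path"]),
            partial_tag,
        ),
        # Wider MAC: the body hash differs, so verification fails.
        "full_accepts_modified": verify(mac_full(**received), full_tag),
        "full_accepts_original": verify(mac_full(**sent), full_tag),
    }
```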