IETF Logo Mail Archive

Re: [apps-discuss] HTTP MAC Authentication Scheme

Mark Nottingham <mnot@mnot.net> Wed, 01 June 2011 00:08 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D573CE08EC for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 31 May 2011 17:08:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.219
X-Spam-Level:
X-Spam-Status: No, score=-9.219 tagged_above=-999 required=5 tests=[AWL=1.380, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KQyf2o3Y9swf for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 31 May 2011 17:08:51 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 70E8CE08FB for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 31 May 2011 17:08:47 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.69) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1QRYqR-0003VR-0x for ietf-http-wg-dist@listhub.w3.org; Tue, 31 May 2011 23:59:31 +0000
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.69) (envelope-from <mnot@mnot.net>) id 1QRYot-0003Q6-Tv for ietf-http-wg@listhub.w3.org; Tue, 31 May 2011 23:57:56 +0000
Received: from mxout-08.mxes.net ([216.86.168.183]) by lisa.w3.org with esmtp (Exim 4.72) (envelope-from <mnot@mnot.net>) id 1QRYoo-0000Qw-25 for ietf-http-wg@w3.org; Tue, 31 May 2011 23:57:55 +0000
Received: from chancetrain-lm.mnot.net (unknown [118.209.19.66]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 6CD2D509DB; Tue, 31 May 2011 19:57:22 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="windows-1252"
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Wed, 01 Jun 2011 09:57:19 +1000
Cc: "apps-discuss@ietf.org" <apps-discuss@ietf.org>, Ben Adida <ben@adida.net>, "http-state@ietf.org" <http-state@ietf.org>, OAuth WG <oauth@ietf.org>, "'Adam Barth (adam@adambarth.com)'" <adam@adambarth.com>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <EF1DF135-708B-4244-AA3A-020761EDB290@mnot.net>
References: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET>
To: Eran Hammer-Lahav <eran@hueniverse.com>
X-Mailer: Apple Mail (2.1084)
Received-SPF: pass client-ip=216.86.168.183; envelope-from=mnot@mnot.net; helo=mxout-08.mxes.net
X-W3C-Hub-Spam-Status: No, score=-1.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001
X-W3C-Scan-Sig: lisa.w3.org 1QRYoo-0000Qw-25 73a7295d9794f517117c310a2396e374
X-Original-To: ietf-http-wg@w3.org
Subject: Re: [apps-discuss] HTTP MAC Authentication Scheme
Archived-At: <http://www.w3.org/mid/EF1DF135-708B-4244-AA3A-020761EDB290@mnot.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/10600
X-Loop: ietf-http-wg@w3.org
Sender: ietf-http-wg-request@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Resent-Message-Id: <E1QRYqR-0003VR-0x@frink.w3.org>
Resent-Date: Tue, 31 May 2011 23:59:31 +0000

Hi,

Reading draft -05.

The "normalized request string" contains the request-URI and values extracted from the Host header. Be aware that intermediaries can and do change these; e.g., they may change an absolute URI to a relative URI in the request-line, without affecting the semantics of the request. See [1] for details (it covers other problematic conditions too).

It would be more robust to calculate an effective request URI, as in [2].

Also, if you include a hash of the request body, you really need to include a hash of the body media type.

Generally, I think that people can and will want to include other headers; just because *some* developers can't get this right doesn't mean we should preclude *all* developers from doing it. It'd be really nice to see this either leverage DOSETA [3][4], or at least offer a clean transition path to it.

Regards,

1. http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-14#section-4.1.2
2. http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-14#section-4.3
3. http://tools.ietf.org/html/draft-crocker-dkim-doseta-00
4. http://tools.ietf.org/html/draft-crocker-doseta-base-02


On 10/05/2011, at 5:22 AM, Eran Hammer-Lahav wrote:

> (Please discuss this draft on the Apps-Discuss <apps-discuss@ietf.org> mailing list)
>  
> http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token
>  
> The draft includes:
>  
> * An HTTP authentication scheme using a MAC algorithm to authenticate requests (via a pre-arranged MAC key).
> * An extension to the Set-Cookie header, providing a method for associating a MAC key with a session cookie.
> * An OAuth 2.0 binding, providing a method of returning MAC credentials as an access token.
>  
> Some background: OAuth 1.0 introduced an HTTP authentication scheme using HMAC for authenticating an HTTP request with partial cryptographic protection of the HTTP request (namely, the request URI, host, and port). The OAuth 1.0 scheme was designed for delegation-based use cases, but is widely “abused” for simple client-server authentication (the poorly named ‘two-legged’ use case). This functionality has been separated from OAuth 2.0 and has been reintroduced as a standalone, generally applicable HTTP authentication scheme called MAC.
>  
> Comments and feedback is greatly appreciated.
>  
> EHL
> _______________________________________________
> apps-discuss mailing list
> apps-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/apps-discuss

--
Mark Nottingham   http://www.mnot.net/

v2.23.0 | Report a Bug | By Email