Re: [http-state] [apps-discuss] HTTP MAC Authentication Scheme
Nico Williams <nico@cryptonector.com> Tue, 07 June 2011 17:38 UTC
In-Reply-To: <09c801cc24c2$a05bae00$e1130a00$@packetizer.com>
References: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <BANLkTikpQNyQdr9oWHhtJ7a7d-4ri0CNdA@mail.gmail.com> <09c801cc24c2$a05bae00$e1130a00$@packetizer.com>
Date: Tue, 07 Jun 2011 12:35:52 -0500
Message-ID: <BANLkTin30NVzYVV1m4gmyh42DWs-nSQpAg@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: "Paul E. Jones" <paulej@packetizer.com>
Cc: Eran Hammer-Lahav <eran@hueniverse.com>, apps-discuss@ietf.org, Ben Adida <ben@adida.net>, Adam Barth <adam@adambarth.com>, http-state@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>, OAuth WG <oauth@ietf.org>
Archived-At: <http://www.w3.org/mid/BANLkTin30NVzYVV1m4gmyh42DWs-nSQpAg@mail.gmail.com>
On Mon, Jun 6, 2011 at 10:25 PM, Paul E. Jones <paulej@packetizer.com> wrote:
> Nico,
>
> Sorry for coming into this so late, but I just saw this message.
>
> I don't have all of the background, but when I saw this message header and
> some of the dialog, it seems there is a desire to provide some level of
> authentication to requests and/or responses between the clients and servers.
>
> Gonzalo and I worked on this:
> https://tools.ietf.org/html/draft-salgueiro-secure-state-management-04
>
> This may not be entirely complete, but the idea was to allow a client and
> server to establish an association so that requests and responses could be
> authenticated. Is this something along the lines of what you are
> discussing, or is this an entirely different application?

I'm completely on-board with session state[*]. My comments were particularly
in regards to threat models. I believe that eavesdroppers and active attackers
both need to be considered, particularly as we have so many open wifi networks.

To me the simplest way to address the Internet threat model is to always use
TLS (except, maybe, for images and such elements that have little or no
security value, though one must be careful when making that determination)
and to use channel binding. See the I-D referenced below.

[*] See, for example: http://www.ietf.org/id/draft-williams-rest-gss-00.txt

Nico
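As an added illustration of the channel-binding point in the reply above (this is example code written for this archive page, not code from draft-williams-rest-gss, draft-salgueiro-secure-state-management, or the HTTP MAC scheme draft): a request MAC that covers a TLS channel-binding value in addition to the request fields. The function and variable names (normalized_request, sign_request, verify_request, channel_binding) are this example's own; the channel-binding bytes are constructed stand-ins for a tls-unique value (RFC 5929), and HMAC-SHA256 is assumed as the MAC. The demo shows the defender-relevant property: a token minted on one TLS channel does not verify when the server sees it arrive over a different channel, and a nonce cache rejects a straight replay on the same channel.

```python
import hashlib
import hmac
import secrets

# Example code for this page; names and values below are constructed.

def normalized_request(method, uri, host, port, nonce, channel_binding):
    """Canonical string covered by the MAC: method, request target,
    host:port, a per-request nonce, and the TLS channel binding (hex)."""
    return "\n".join([
        method.upper(),
        uri,
        host.lower(),
        str(port),
        nonce,
        channel_binding.hex(),
    ]) + "\n"


def compute_mac(mac_key, normalized):
    """HMAC-SHA256 over the normalized request string (assumed MAC algorithm)."""
    return hmac.new(mac_key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_request(mac_key, method, uri, host, port, channel_binding, nonce=None):
    """Client side: mint the MAC header fields for one request on one channel."""
    nonce = nonce or secrets.token_hex(8)
    normalized = normalized_request(method, uri, host, port, nonce, channel_binding)
    return {"nonce": nonce, "mac": compute_mac(mac_key, normalized)}


def verify_request(mac_key, method, uri, host, port, channel_binding, header, seen_nonces):
    """Server side: recompute the MAC over the server's own view of the request
    and of the TLS channel it arrived on. Returns False when the nonce was
    already accepted or when the MAC does not match (wrong key, altered
    request, or a token minted for a different TLS channel)."""
    if header["nonce"] in seen_nonces:
        return False
    normalized = normalized_request(method, uri, host, port, header["nonce"], channel_binding)
    expected = compute_mac(mac_key, normalized)
    if not hmac.compare_digest(expected, header["mac"]):
        return False
    seen_nonces.add(header["nonce"])
    return True


def demo():
    """Returns (accepted on the genuine channel, accepted on another channel,
    accepted when replayed on the genuine channel)."""
    key = b"constructed-shared-mac-key"
    # Stand-in for the tls-unique value of the client's own TLS session.
    genuine_cb = hashlib.sha256(b"constructed finished message, genuine session").digest()
    # Stand-in for the tls-unique value of some other TLS session to the server.
    other_cb = hashlib.sha256(b"constructed finished message, different session").digest()

    hdr = sign_request(key, "GET", "/resource/1?b=1&a=2", "example.com", 443, genuine_cb)

    seen = set()
    on_genuine_channel = verify_request(key, "GET", "/resource/1?b=1&a=2",
                                        "example.com", 443, genuine_cb, hdr, seen)
    on_other_channel = verify_request(key, "GET", "/resource/1?b=1&a=2",
                                      "example.com", 443, other_cb, hdr, set())
    replayed = verify_request(key, "GET", "/resource/1?b=1&a=2",
                              "example.com", 443, genuine_cb, hdr, seen)
    return on_genuine_channel, on_other_channel, replayed


if __name__ == "__main__":
    print(demo())
```

The MAC alone already defeats a passive eavesdropper who lacks the key; folding the channel-binding value into the MACed string is what addresses the active case the reply raises, because the server compares against the binding of the channel the request actually came in on, not one the client asserts. The nonce cache is the usual companion check and is kept per key in practice.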