Re: [OAUTH-WG] MAC: Cookie name or value as MAC key id
Adam Barth <ietf@adambarth.com> Tue, 14 June 2011 07:59 UTC
Return-Path: <ietf@adambarth.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4202611E8092 for <oauth@ietfa.amsl.com>; Tue, 14 Jun 2011 00:59:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.389
X-Spam-Level:
X-Spam-Status: No, score=-3.389 tagged_above=-999 required=5 tests=[AWL=-0.412, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JMPPBxHT0gfC for <oauth@ietfa.amsl.com>; Tue, 14 Jun 2011 00:59:08 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id 8F9DC11E8070 for <oauth@ietf.org>; Tue, 14 Jun 2011 00:59:08 -0700 (PDT)
Received: by iyn15 with SMTP id 15so6110509iyn.31 for <oauth@ietf.org>; Tue, 14 Jun 2011 00:59:08 -0700 (PDT)
Received: by 10.231.29.101 with SMTP id p37mr6776826ibc.3.1308038348055; Tue, 14 Jun 2011 00:59:08 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by mx.google.com with ESMTPS id gb8sm3202587ibb.9.2011.06.14.00.59.06 (version=SSLv3 cipher=OTHER); Tue, 14 Jun 2011 00:59:07 -0700 (PDT)
Received: by iwn39 with SMTP id 39so6104287iwn.31 for <oauth@ietf.org>; Tue, 14 Jun 2011 00:59:06 -0700 (PDT)
Received: by 10.42.100.141 with SMTP id a13mr7205196ico.72.1308038346381; Tue, 14 Jun 2011 00:59:06 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.42.52.4 with HTTP; Tue, 14 Jun 2011 00:53:11 -0700 (PDT)
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E112867EF000@WSMSG3153V.srv.dir.telstra.com>
References: <255B9BB34FB7D647A506DC292726F6E112867EEDE0@WSMSG3153V.srv.dir.telstra.com> <BANLkTi=fWxjWY1dmA=Js+_gdw2jPdHcxnw@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E112867EF000@WSMSG3153V.srv.dir.telstra.com>
From: Adam Barth <ietf@adambarth.com>
Date: Tue, 14 Jun 2011 00:53:11 -0700
Message-ID: <BANLkTik3FP-R6yr+a4zYj_OR+1y7UQ0tSA@mail.gmail.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] MAC: Cookie name or value as MAC key id
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jun 2011 07:59:09 -0000
On Mon, Jun 13, 2011 at 7:17 PM, Manger, James H <James.H.Manger@team.telstra.com> wrote: >>> This is a bit hacky, too hacky. Wouldn't it be better for a client that >>> recognizes a special MAC cookie to use it to construct Authorization headers >>> and omit it from Cookie headers? > >> Nope. Sending the value in the Cookie header is important to help >> servers implement this scheme without breaking themselves. > > Why? How? Could you explain this a bit more? > > Is this so the cookie can be reused as a session id that load balancers can use to implement "sticky" sessions? A key id doesn't sound like a great session id. Wouldn't a separate session cookie be better? > > Is this so a server can issue MAC credentials, but still accept clients that are unaware of the MAC scheme? That seems possible either way. > > Is this so a central security server can start issuing MAC credentials while some of its content servers don't understand MAC and just treat the key id as a bearer token? That sounds bad -- client's think they are getting MAC security when they are not. Most folks who run web sites use cookies to generate sessions. These folks will layer the MAC protections on top of their existing systems by adding a couple cookie attributes and verifying an HMAC. If we removed the MAC cookie from the Cookie header, the Cookie header would be different in supporting and legacy user agents, causing pain and misery. It might be instructive to try using MAC in a real deployment. You'll see immediately why this behavior is preferable. Adam
- Re: [OAUTH-WG] MAC: Cookie name or value as MAC k… Manger, James H
- [OAUTH-WG] MAC: Cookie name or value as MAC key id Manger, James H
- Re: [OAUTH-WG] MAC: Cookie name or value as MAC k… Adam Barth
- Re: [OAUTH-WG] MAC: Cookie name or value as MAC k… Eran Hammer-Lahav
- Re: [OAUTH-WG] MAC: Cookie name or value as MAC k… Adam Barth
- [OAUTH-WG] FW: MAC: Cookie name or value as MAC k… Manger, James H
- Re: [OAUTH-WG] FW: MAC: Cookie name or value as M… Adam Barth
- Re: [OAUTH-WG] FW: MAC: Cookie name or value as M… Eran Hammer-Lahav
- Re: [OAUTH-WG] FW: MAC: Cookie name or value as M… Manger, James H
- Re: [OAUTH-WG] FW: MAC: Cookie name or value as M… Eran Hammer-Lahav
- Re: [OAUTH-WG] FW: MAC: Cookie name or value as M… Manger, James H
- Re: [OAUTH-WG] FW: MAC: Cookie name or value as M… Eran Hammer-Lahav
- Re: [OAUTH-WG] FW: MAC: Cookie name or value as M… Adam Barth