Re: [websec] HTTP Integrity header / Session Continuation scheme

Phillip Hallam-Baker <> Thu, 22 November 2012 16:58 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0FC6621F8764 for <>; Thu, 22 Nov 2012 08:58:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.492
X-Spam-Status: No, score=-3.492 tagged_above=-999 required=5 tests=[AWL=-1.134, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, SARE_LWSHORTT=1.24]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id AQSTJvEXZ09K for <>; Thu, 22 Nov 2012 08:58:56 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 8450C21F8756 for <>; Thu, 22 Nov 2012 08:58:56 -0800 (PST)
Received: by with SMTP id fc26so608899vbb.31 for <>; Thu, 22 Nov 2012 08:58:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Y4pLzp7w84cBbN565vvvDs2M4y0uzH4N+91aOC8pwSM=; b=tP1oqNArwut2wLH7oJX8+eF64wftym0PQOHsVCu8HrDmAVJWlKKZBRxWeSAolyF+4l So8X6reYcFtTyikkJBu8L3SIadw2NK5QKS6Ck94qpEUHs8NZ4bcKaGovHapiFsLlNhaM k/Cf0d0oFt5Kg76mhCdytNcUXmRJcHwwWxl95bNHA7NV/M8UUn6DdgYREW0aSqC7l0Zh AJIqdxJMQ7tw6Qkl+aNKl04DcjGk/XuCl1OkDqv+kK5d+E6oIZMyFDJLPB81aTFBpBwx tjMb5ELIaPpvQSY9dWCcqPwr08fU9vMvz4sXJbaE4UBT93HIExzcy605/Dm8uvJct8wX M/kQ==
MIME-Version: 1.0
Received: by with SMTP id h16mr1526710vdf.82.1353603535749; Thu, 22 Nov 2012 08:58:55 -0800 (PST)
Received: by with HTTP; Thu, 22 Nov 2012 08:58:55 -0800 (PST)
In-Reply-To: <>
References: <> <>
Date: Thu, 22 Nov 2012 11:58:55 -0500
Message-ID: <>
From: Phillip Hallam-Baker <>
To: Hannes Tschofenig <>
Content-Type: multipart/alternative; boundary="20cf3079bb0aea418104cf18618e"
Cc: websec <>
Subject: Re: [websec] HTTP Integrity header / Session Continuation scheme
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 22 Nov 2012 16:58:58 -0000

No, I am not re-inventing OAuth any more than they are re-inventing Digest.

OAuth like all the rest of the Web Authentication schemes (yeah I know they
claim to only do AuthZ but that was a necessary fiction) has to fight with
the fact that HTTP infrastructure is not adapted well. So the scheme is
split over three layers.

On Fri, Nov 16, 2012 at 9:41 AM, Hannes Tschofenig <> wrote:

> Phillip,
> you are re-inventing OAuth. In your draft you have pretty much written a
> copy of
> You also include a MAC over the HTTP body. Folks in the OAuth community
> tried that as well and it did not work out too well since intermediaries
> mess around with the body.
> You also have to selectively cover the header field and the
> canonicalization has caused problems for developers.


This is designed for authentication binding in Web Services. Those almost
never go through an intermediary except for purposes of bypassing firewalls.

In this case the desired behavior is to BREAK if the contents are tampered
with. The whole point is to detect modification by a MITM. If a proxy
changes a linebreak then the desired behavior is BREAK the protocol.

Yes, people who put up broken intermediaries are going to break protocols.
But that does not mean that we should drop requirements that are essential
in some environments.

> The MAC of only the headers unfortunately does not provide a lot of great
> properties for the security of the overall application solution since the
> valuable stuff is in the body.

Agreed, but there are cases where content is carried in headers in Web

> I believe that a solution that uses TLS is better, as Google is proposing,
> since it covers the entire communication (including confidentiality
> protection) and the TLS Record Layer itself does not lead to a huge
> computational overhead. The heavy part is the authentication and key
> exchange.

I don't think 'Google' is proposing anything, its individual participation,
remember. What they were proposing in HTTP-Bis was to use TLS all the time
so that they could avoid the need to think about intermediaries polluting
the channel. I think that is a perfectly sensible solution to the
intermediary problem but still does not address the problem of dealing with
Authorization at the transport layer.

TLS is useful but it hasn't got a viable client auth story and the binding
of TLS auth to the HTTP layer is really problematic.

Channel binding helps to an extent, but it still leaves the client auth
mechanism flapping in the breeze. What applications like Web Services would
have to do to use TLS is to bury their client credentials into the TLS
layer through APIs that mostly don't exist and then the servers would have
to fish them out - fighting the fact that in many cases the server end of
the TLS session terminates before the Web Service server (inescapable in
two and three tier server architectures).

> Ciao
> Hannes
> On Nov 14, 2012, at 8:53 PM, Phillip Hallam-Baker wrote:
> > There is a new draft at:
> >
> >
> > One of the biggest holes in the Web Security scheme is the fact that
> cookies end up being used as bearer tokens and this is a very, very bad
> idea. It leads to all sorts of cookie stealing schemes which are very hard
> to deal with because while the HTTP stack is simple, the Web stack of HTTP
> + HTML + JavaScript + Random plugins is very complicated and many parts
> were originally designed by people who didn't know what the rest did.
> >
> > While we cannot move to eliminate cookies overnight, there are some
> companies with affiliate schemes that are loosing seven or eight figure
> sums each year in affiliate fraud. If even one of the major browsers
> supported a mechanism that prevented cookie stealing, they would see an
> instant return.
> >
> >
> > The scheme described in the draft is NOT an authentication scheme,
> rather it describes one small part of the authentication scheme, the part
> that allows an authentication/authorization context established in one
> protocol exchange to be continued into further transactions.
> >
> > The mechanism by which the authentication context is established is
> outside the scope of the draft because that is an area where there can be a
> lot of useful variation. If an organization has a Kerberos server or SAML
> infrastructure already then it makes sense to use those. There is never
> going to be a single canonical means of managing user credentials or
> presenting/validating them.
> >
> > But when you look at how a good authentication mechanism continues on
> from the point the session has been established it pretty much boils down
> to some form of identifier to specify the session and some sort of shared
> secret used to create a result that authenticates the session. We can add
> in additional information such as nonces and time values and counters and
> the like to prevent replay attacks but these are generic mechanisms that
> can be used to the same effect whether we used Kerberos, OpenID, SAML or
> some newfangled scheme to set up the context.
> >
> >
> > I am not quite sure where this would be best progressed. In the short
> term I was thinking of applying for a provisional HTTP header assignment so
> that I can start using it in the Web Service protocol I am writing
> (omnibroker). But right now the scheme could fit in WebSec or could fit in
> HTTPbis or even the proposed Web Authentication WG.
> >
> > Regardless of where the work ends up, I think it is clear that if we are
> going to specify any new HTTP authentication schemes we are going to end up
> addressing the issue of session continuation somewhere and that the
> eventual solution needs to be reviewed by the people in all three places
> (if they are distinct persons).
> >
> >
> > --
> > Website:
> >
> > _______________________________________________
> > websec mailing list
> >
> >