RE: [apps-discuss] HTTP MAC Authentication Scheme

From: Eran Hammer-Lahav <eran@hueniverse.com>
Date: Thu, 2 Jun 2011 08:44:35 -0700
To: Mark Nottingham <mnot@mnot.net>
CC: "apps-discuss@ietf.org" <apps-discuss@ietf.org>, Ben Adida <ben@adida.net>, "http-state@ietf.org" <http-state@ietf.org>, OAuth WG <oauth@ietf.org>, "'Adam Barth (adam@adambarth.com)'" <adam@adambarth.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723447583CA782@P3PW5EX1MB01.EX1.SECURESERVER.NET>


> -----Original Message-----
> From: Mark Nottingham [mailto:mnot@mnot.net]
> Sent: Wednesday, June 01, 2011 5:16 PM
> To: Eran Hammer-Lahav
> Cc: apps-discuss@ietf.org; Ben Adida; http-state@ietf.org; OAuth WG;
> 'Adam Barth (adam@adambarth.com)'; HTTP Working Group
> Subject: Re: [apps-discuss] HTTP MAC Authentication Scheme
> 
> 
> On 02/06/2011, at 1:00 AM, Eran Hammer-Lahav wrote:
> 
> > This was suggested before, but are there really attack vectors for this?
> 
> If not having a current, working attack to demonstrate is a valid way to shrug
> off a security concern, that's great; it'll be a useful approach to many of the
> discussions I have. :)

No, but it's valid as long as it is fully documented. We're not going to solve everything.

> > The problem is that content-type is a pretty flexible header, which means
> normalization of the header will be required (case, parameter order, white
> space, etc.).
> 
> The media type is the important part, and it's much more constrained.

So include just the:

	type "/" subtype

forced to lowercase?

> 
> > I would argue that if you are using MAC with body hash and an attacker
> changing the media type can cause harm, you should use additional methods
> to secure the content-type (such as making the body self-describing).
> 
> 
> That seems like a step backwards, considering all of the work that Adam has
> put into limiting the use of sniffing.

I wasn't suggesting sniffing.

EHL

> Cheers,
> 
> --
> Mark Nottingham   http://www.mnot.net/
> 
> 
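The exchange above argues two things: that Content-Type can be bound by the MAC if it is first reduced to a lowercase type "/" subtype, and that without such a binding an attacker who rewrites the media type but leaves the body (and therefore the body hash) intact is not detected. The following is an added example written for this page, not code from the thread, from the MAC draft, or from either author. The normalized-string layout, the shared key, the nonce, the timestamp and the request values are all constructed for the illustration and are not the draft's normalized request string; only the body hash (SHA-256, base64) and HMAC-SHA256 are real primitives.

```python
import base64
import hashlib
import hmac


def normalize_media_type(content_type):
    """Reduce a Content-Type header value to lowercase type/subtype.

    Parameters, their order and surrounding whitespace are dropped, so
    'Text/HTML; charset=UTF-8' and 'text/html;charset=utf-8' both give
    'text/html'. Only the media type, which is far more constrained than
    the full header, is bound by the MAC.
    """
    media = content_type.split(";", 1)[0].strip().lower()
    top, sep, sub = media.partition("/")
    if not sep or not top or not sub or "/" in sub:
        raise ValueError("malformed media type: %r" % content_type)
    return media


def body_hash(body):
    """base64(SHA-256(body)) of the raw entity body."""
    return base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


def normalized_string(ts, nonce, method, uri, host, port, bhash, media_type):
    # Assumed layout for this example (one field per line, trailing newline);
    # it is NOT the draft's normalized request string.
    fields = [str(ts), nonce, method.upper(), uri, host.lower(), str(port),
              bhash, media_type or ""]
    return "\n".join(fields) + "\n"


def compute_mac(key, ts, nonce, method, uri, host, port, bhash, media_type):
    msg = normalized_string(ts, nonce, method, uri, host, port,
                            bhash, media_type).encode("utf-8")
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode("ascii")


def sign_request(key, req, bind_media_type):
    """Client side: MAC over the request, optionally covering the media type."""
    bhash = body_hash(req["body"])
    media = normalize_media_type(req["headers"]["Content-Type"]) if bind_media_type else None
    return compute_mac(key, req["ts"], req["nonce"], req["method"], req["uri"],
                       req["host"], req["port"], bhash, media)


def verify_request(key, req, mac, bind_media_type):
    """Server side: recompute from what was received, compare in constant time."""
    expected = sign_request(key, req, bind_media_type)
    return hmac.compare_digest(expected, mac)


# Constructed sample values; nothing here is a real credential or capture.
KEY = b"example-shared-secret"


def make_request(content_type, body=b'{"msg":"hello"}'):
    return {"ts": 1306947875, "nonce": "dj83hs9s", "method": "POST",
            "uri": "/resource/1", "host": "example.com", "port": 80,
            "headers": {"Content-Type": content_type}, "body": body}


def demo():
    """Returns verification outcomes with and without the media type bound.

    'tampered' keeps the body but rewrites the media type; 'reformatted'
    changes only case, whitespace and parameters of the header.
    """
    original = make_request("text/plain; charset=UTF-8")
    tampered = dict(original, headers={"Content-Type": "text/html"})
    reformatted = dict(original, headers={"Content-Type": "TEXT/Plain;charset=utf-8"})
    results = {}
    for bind in (False, True):
        mac = sign_request(KEY, original, bind)
        results[bind] = {
            "original": verify_request(KEY, original, mac, bind),
            "tampered": verify_request(KEY, tampered, mac, bind),
            "reformatted": verify_request(KEY, reformatted, mac, bind),
        }
    return results


if __name__ == "__main__":
    for bind, outcome in demo().items():
        print("media type bound:", bind, outcome)
```

With `bind_media_type=False` the tampered request verifies, because only the body hash is covered; with it `True` the tampered request fails while the reformatted one still passes, which is what lowercasing type/subtype buys: the binding survives harmless header variation but not a change of media type.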
Received on Thursday, 2 June 2011 15:46:46 GMT