
Re: [apps-discuss] HTTP MAC Authentication Scheme

From: Mark Nottingham <mnot@mnot.net>
Date: Fri, 3 Jun 2011 09:21:42 +1000
Cc: "apps-discuss@ietf.org" <apps-discuss@ietf.org>, Ben Adida <ben@adida.net>, "http-state@ietf.org" <http-state@ietf.org>, OAuth WG <oauth@ietf.org>, "'Adam Barth (adam@adambarth.com)'" <adam@adambarth.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <8AEC97B7-D39F-4234-A33C-533906E8485E@mnot.net>
To: Eran Hammer-Lahav <eran@hueniverse.com>

On 03/06/2011, at 1:44 AM, Eran Hammer-Lahav wrote:

> 
> 
>> -----Original Message-----
>> From: Mark Nottingham [mailto:mnot@mnot.net]
>> Sent: Wednesday, June 01, 2011 5:16 PM
>> To: Eran Hammer-Lahav
>> Cc: apps-discuss@ietf.org; Ben Adida; http-state@ietf.org; OAuth WG;
>> 'Adam Barth (adam@adambarth.com)'; HTTP Working Group
>> Subject: Re: [apps-discuss] HTTP MAC Authentication Scheme
>> 
>> 
>> On 02/06/2011, at 1:00 AM, Eran Hammer-Lahav wrote:
>> 
>>> This was suggested before, but are there really attack vectors for this?
>> 
>> If not having a current, working attack to demonstrate is a valid way to shrug
>> off a security concern, that's great; it'll be a useful approach to many of the
>> discussions I have. :)
> 
> No, but it's valid as long as it is fully documented. We're not going to solve everything.
> 
>>> The problem is that content-type is a pretty flexible header, which means
>>> normalization of the header will be required (case, parameter order, white
>>> space, etc.).
>> 
>> The media type is the important part, and it's much more constrained.
> 
> So include just the:
> 
> 	type "/" subtype
> 
> forced to lowercase?


Think so.


> 
>> 
>>> I would argue that if you are using MAC with body hash and an attacker
>>> changing the media type can cause harm, you should use additional methods
>>> to secure the content-type (such as making the body self-describing).
>> 
>> 
>> That seems like a step backwards, considering all of the work that Adam has
>> put into limiting the use of sniffing.
> 
> I wasn't suggesting sniffing.
> 
> EHL
> 
>> Cheers,
>> 
>> --
>> Mark Nottingham   http://www.mnot.net/
>> 
>> 
> 

--
Mark Nottingham   http://www.mnot.net/
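An added example (not code from the MAC draft, and not the draft's own normalized-string format) of the point argued above: reducing Content-Type to a lowercased `type "/" subtype` gives a stable value to bind into a body MAC, while the full header would need normalization of case, parameters and whitespace. The string layout, key and request values are constructed for illustration.

```python
import hashlib
import hmac
import re

# RFC 7230 tchar set, used to reject a value that is not a type/subtype pair.
_TOKEN = r"[!#$%&'*+.^_`|~0-9a-z-]+"
_MEDIA_TYPE = re.compile(rf"{_TOKEN}/{_TOKEN}")


def normalize_media_type(content_type: str) -> str:
    """Reduce a Content-Type header value to lowercase type/subtype.

    Parameters (charset=..., boundary=...), surrounding whitespace and case
    differences are discarded so equivalent headers yield the same string.
    Raises ValueError when no type/subtype pair is present.
    """
    media = content_type.split(";", 1)[0].strip().lower()
    if not _MEDIA_TYPE.fullmatch(media):
        raise ValueError(f"malformed media type: {content_type!r}")
    return media


def body_mac(key: bytes, method: str, path: str, content_type: str, body: bytes) -> str:
    """HMAC-SHA256 over a constructed string that binds method, path,
    normalized media type and a hash of the body (layout is illustrative)."""
    body_hash = hashlib.sha256(body).hexdigest()
    normalized = "\n".join(
        [method.upper(), path, normalize_media_type(content_type), body_hash]
    )
    return hmac.new(key, normalized.encode(), hashlib.sha256).hexdigest()


def verify(key: bytes, method: str, path: str, content_type: str,
           body: bytes, tag: str) -> bool:
    """Recompute the MAC on the receiving side and compare in constant time.
    A malformed Content-Type fails verification instead of raising."""
    try:
        expected = body_mac(key, method, path, content_type, body)
    except ValueError:
        return False
    return hmac.compare_digest(expected, tag)
```

Headers differing only in case, parameter order or whitespace verify against the same tag; a changed media type or body does not.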
Received on Thursday, 2 June 2011 23:22:11 GMT
