W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2011

RE: [http-state] [apps-discuss] HTTP MAC Authentication Scheme

From: Paul E. Jones <paulej@packetizer.com>
Date: Mon, 6 Jun 2011 23:25:54 -0400
To: "'Nico Williams'" <nico@cryptonector.com>, "'Eran Hammer-Lahav'" <eran@hueniverse.com>
Cc: <apps-discuss@ietf.org>, "'Ben Adida'" <ben@adida.net>, "'Adam Barth'" <adam@adambarth.com>, <http-state@ietf.org>, "'HTTP Working Group'" <ietf-http-wg@w3.org>, "'OAuth WG'" <oauth@ietf.org>
Message-ID: <09c801cc24c2$a05bae00$e1130a00$@packetizer.com>
Nico,

Sorry for coming into this so late, but I just saw this message.

I don't have all of the background, but when I saw this message header and
some of the dialog, it seems there is a desire to provide some level of
authentication to requests and/or responses between the clients and servers.

Gonzalo and I worked on this:
https://tools.ietf.org/html/draft-salgueiro-secure-state-management-04

This may not be entirely complete, but the idea was to allow a client and
server to establish an association so that requests and responses could be
authenticated.  Is this something along the lines of what you are
discussing, or is this an entirely different application?

Paul

> -----Original Message-----
> From: http-state-bounces@ietf.org [mailto:http-state-bounces@ietf.org]
> On Behalf Of Nico Williams
> Sent: Friday, May 20, 2011 4:25 PM
> To: Eran Hammer-Lahav
> Cc: apps-discuss@ietf.org; Ben Adida; Adam Barth (adam@adambarth.com);
> http-state@ietf.org; HTTP Working Group; OAuth WG
> Subject: Re: [http-state] [apps-discuss] HTTP MAC Authentication Scheme
> 
> Additional comments:
> 
>  - Using nonces for replay protection is heavy-duty.  It is difficult to
> implement a reliable, secure, high-performance replay cache.  (It is
> easy to implement just a high-performance replay cache: use
> memcache.)
> 
>    I recommend an option to use sequence numbers at the server's choice,
> understanding, of course, that requests will not be received in
> sequence.  The use of a sliding sequence number window makes it possible
> to do at least as well as when using nonce, and probably faster while
> still being secure.
> 
>  - In an open wifi environment active attacks may not be very difficult,
> thus an option to secure more than just a handful of bits from the
> request, would be nice (all of the request and all of the response,
> say).  The hard part is how to decide when to use one or the other.
> Ideally browsers can request more protection when the network is
> reconfigured such that there's one or more clear wifi interfaces.
> 
> Nico
> --
> _______________________________________________
> http-state mailing list
> http-state@ietf.org
> https://www.ietf.org/mailman/listinfo/http-state
Received on Tuesday, 7 June 2011 03:26:39 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:41 GMT