Re: [OAUTH-WG] [http-state] [apps-discuss] HTTP MAC Authentication Scheme

From: Nico Williams <nico@cryptonector.com>
Date: Tue, 7 Jun 2011 16:20:51 -0500
Message-ID: <BANLkTikDj_0mg4Ov-3u5JeK7hFLY1WYg9Q@mail.gmail.com>
To: igor.faynberg@alcatel-lucent.com
Cc: Adam Barth <ietf@adambarth.com>, apps-discuss@ietf.org, Ben Adida <ben@adida.net>, http-state@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>, OAuth WG <oauth@ietf.org>
On Tue, Jun 7, 2011 at 1:41 PM, Igor Faynberg
<igor.faynberg@alcatel-lucent.com> wrote:
> Adam Barth wrote:
>> Sorry.  We can't address active attackers using this mechanism.  If
>> you need protection from active attackers, please use TLS.
>
> Actually, IPsec will work here (with WiFi networks) just as well.  It is

Not really.  See RFCs 5660, 5386, and 5387.  If only RFC5660 were
widely implemented... but it's not.

> also true that we COULD develop both the authentication and confidentiality
> mechanisms that would offer protection from both active and passive
> attackers; it is just that we CHOSE (in opinion, correctly) not to do that
> because other Internet protocols already do that.

And rightly so.  As we've learned from SASL, having an option for
security layers (the "SL" in SASL) at multiple network layers only
adds unnecessary complications.

Nico
--
Received on Tuesday, 7 June 2011 21:21:17 GMT