W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2011

Re: [http-state] [apps-discuss] HTTP MAC Authentication Scheme

From: Nico Williams <nico@cryptonector.com>
Date: Tue, 7 Jun 2011 17:33:34 -0500
Message-ID: <BANLkTin=cyoFoNnK0c+ss1OHFUjwcvbBsg@mail.gmail.com>
To: Adam Barth <ietf@adambarth.com>
Cc: "Paul E. Jones" <paulej@packetizer.com>, Eran Hammer-Lahav <eran@hueniverse.com>, apps-discuss@ietf.org, Ben Adida <ben@adida.net>, http-state@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>, OAuth WG <oauth@ietf.org>
On Tue, Jun 7, 2011 at 4:24 PM, Adam Barth <ietf@adambarth.com> wrote:
> I'm not sure that's appropriate for this mechanism.  What problem does
> channel binding solve?

CB is not appropriate for OAuth today, no, because OAuth doesn't give
you mutual authentication, which means channel binding can't be done
either (well, not with any security guarantees).

You missed my point however: I don't really want to see a specific
purpose MAC here because I do believe it's generalizable, and if we
don't generalize it now we'll just have more special casing in code
later.  For a general MAC I'd want an option for CB (when TLS is used,
of course).

Nico
--
Received on Tuesday, 7 June 2011 22:34:06 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:41 GMT