
Re: [OAUTH-WG] [http-state] [apps-discuss] HTTP MAC Authentication Scheme

From: Nico Williams <nico@cryptonector.com>
Date: Tue, 7 Jun 2011 17:57:00 -0500
Message-ID: <BANLkTi==5LjD7vW74tqB_sbSHrLjsJE6+A@mail.gmail.com>
To: "William J. Mills" <wmills@yahoo-inc.com>
Cc: "Paul E. Jones" <paulej@packetizer.com>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, Ben Adida <ben@adida.net>, Adam Barth <adam@adambarth.com>, "http-state@ietf.org" <http-state@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>, OAuth WG <oauth@ietf.org>
On Tue, Jun 7, 2011 at 5:43 PM, William J. Mills <wmills@yahoo-inc.com> wrote:
> MAC adds security if the initial secret exchange is secure, and it provides
> a definition for signing payload as part of the request.

Not if the MAC doesn't protect enough of the request _and_ response to
prevent active attacks.  Unless you don't care about those attacks
(which some of you have indicated), in which case why bother with the
MAC at all?

Received on Tuesday, 7 June 2011 22:57:35 UTC
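
Added illustration, not part of the original message and not the HTTP MAC draft's own algorithm: a constructed HMAC-SHA256 scheme showing the coverage point argued above. A tag that leaves the body uncovered still verifies after the body changes in transit, while covering the body and binding the response to the request detects the change. The key, field names and messages are assumptions made for the example.

```python
import hashlib
import hmac

KEY = b"constructed-shared-secret"  # constructed sample key (assumption)

def _mac(key, label, fields):
    # Label separates request tags from response tags; length prefixes
    # keep field boundaries unambiguous.
    parts = [label] + fields
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def request_tag(key, req, cover_body):
    fields = [req["nonce"], req["method"], req["host"], req["path"]]
    if cover_body:
        fields.append(hashlib.sha256(req["body"]).digest())
    return _mac(key, b"request", fields)

def response_tag(key, req_nonce, resp):
    # Including the request nonce ties the response to one specific request.
    body_hash = hashlib.sha256(resp["body"]).digest()
    return _mac(key, b"response", [req_nonce, resp["status"], body_hash])

def check(expected, received):
    return hmac.compare_digest(expected, received)

def demo():
    # Constructed request and response, as sent by the legitimate parties.
    req = {"nonce": b"n-001", "method": b"POST", "host": b"api.example.com",
           "path": b"/transfer", "body": b"to=alice&amount=10"}
    resp = {"status": b"200", "body": b"ok: transferred 10 to alice"}
    partial, full = request_tag(KEY, req, False), request_tag(KEY, req, True)
    rtag = response_tag(KEY, req["nonce"], resp)

    # What the receiver sees after the body was modified in transit.
    seen_req = dict(req, body=b"to=mallory&amount=10")
    seen_resp = dict(resp, body=b"ok: transferred 10 to mallory")
    return {
        "partial_accepts_modified_body": check(request_tag(KEY, seen_req, False), partial),
        "full_accepts_modified_body": check(request_tag(KEY, seen_req, True), full),
        "response_accepts_modified_body": check(response_tag(KEY, req["nonce"], seen_resp), rtag),
        "response_accepts_other_request": check(response_tag(KEY, b"n-002", resp), rtag),
        "response_accepts_original": check(response_tag(KEY, req["nonce"], resp), rtag),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```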
