Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP MAC Authentication Scheme

From: Mark Nottingham <mnot@mnot.net>
Date: Wed, 8 Jun 2011 13:26:05 +1000
Cc: http-state@ietf.org, OAuth WG <oauth@ietf.org>, "apps-discuss@ietf.org Discuss" <apps-discuss@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <3D7340ED-C6F5-464D-BD14-1A606B7D8228@mnot.net>
To: Nico Williams <nico@cryptonector.com>, "William J. Mills" <wmills@yahoo-inc.com>, Tim <tim-projects@sentinelchicken.org>

This is an interesting discussion, but a bit much to cross-post to four different lists.

I've set followups to apps-discuss (since it's the most general).

Cheers,


On 08/06/2011, at 1:17 PM, Nico Williams wrote:

> On Tue, Jun 7, 2011 at 9:40 PM, William J. Mills <wmills@yahoo-inc.com> wrote:
>> It is possible to implement decent security with MAC, it is also possible to
> 
> Not as specified.  See earlier posts regarding active attacks.
> 
>> screw it up.  It is far more difficult (impossible?) to implement decent
>> security with cookies over HTTP.
> 
> Assuming well-behaved browsers that understand the distinction between
> "secure" and non-secure cookies, and assuming that active attacks are
> often no more difficult than passive attacks, what does MAC without
> TLS add that cookies don't provide?
> 
> Nico

--
Mark Nottingham   http://www.mnot.net/
Received on Wednesday, 8 June 2011 03:26:41 GMT