RE: [http-state] [apps-discuss] HTTP MAC Authentication Scheme

From: Nico Williams <nico@cryptonector.com>
Date: Wed, 8 Jun 2011 09:54:34 -0500
Message-ID: <BANLkTimsKgozsADnA1+yccvKmg1Pa2mPng@mail.gmail.com>
To: "Paul E. Jones" <paulej@packetizer.com>
Cc: apps-discuss@ietf.org, Nico Williams <nico@cryptonector.com>, OAuth WG <oauth@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>, Ben Adida <ben@adida.net>, Adam Barth <adam@adambarth.com>, Eran Hammer-Lahav <eran@hueniverse.com>, http-state@ietf.org

On Jun 8, 2011 2:09 AM, "Paul E. Jones" <paulej@packetizer.com> wrote:
>
> Nico,
>
> Cookies would still be employed.  A cookie would be used to identify the
> particular user, for example.  However, it's important to make sure that the
> cookie provided by the client to the server is not stolen.  It's important
> to ensure that the client provided by the server to the client is not
> modified.  That's the reason for the MAC.  Once we can ensure the integrity
> of the message exchange, then the existing cookie mechanism can provide us
> with the secure state management capability we need.

You're still not addressing the issues raised.

Nico
--
Received on Wednesday, 8 June 2011 14:55:10 GMT
