
RE: [http-state] [apps-discuss] HTTP MAC Authentication Scheme

From: Paul E. Jones <paulej@packetizer.com>
Date: Thu, 9 Jun 2011 01:03:35 -0400
To: "'Nico Williams'" <nico@cryptonector.com>
Cc: <apps-discuss@ietf.org>, "'OAuth WG'" <oauth@ietf.org>, "'HTTP Working Group'" <ietf-http-wg@w3.org>, "'Ben Adida'" <ben@adida.net>, "'Adam Barth'" <adam@adambarth.com>, "'Eran Hammer-Lahav'" <eran@hueniverse.com>, <http-state@ietf.org>
Message-ID: <02c401cc2662$9a21d220$ce657660$@packetizer.com>

What issues, specifically?  (Messages are all over the place and I don’t know exactly what issues you’re raising.  Is it with the approach we’re proposing or something else?)

 

Paul

 

From: Nico Williams [mailto:nico@cryptonector.com] 
Sent: Wednesday, June 08, 2011 10:55 AM
To: Paul E. Jones
Cc: apps-discuss@ietf.org; Nico Williams; OAuth WG; HTTP Working Group; Ben Adida; Adam Barth; Eran Hammer-Lahav; http-state@ietf.org
Subject: RE: [http-state] [apps-discuss] HTTP MAC Authentication Scheme

 


On Jun 8, 2011 2:09 AM, "Paul E. Jones" <paulej@packetizer.com> wrote:
>
> Nico,
>
> Cookies would still be employed.  A cookie would be used to identify the particular user, for example.  However, it's important to make sure that the cookie provided by the client to the server is not stolen.  It's important to ensure that the client provided by the server to the client is not modified.  That's the reason for the MAC.  Once we can ensure the integrity of the message exchange, then the existing cookie mechanism can provide us with the secure state management capability we need.

You're still not addressing the issues raised.

Nico
-- 
Received on Thursday, 9 June 2011 05:04:36 GMT
