Re: [apps-discuss] HTTP MAC Authentication Scheme

On 03/06/2011, at 1:44 AM, Eran Hammer-Lahav wrote:

> 
> 
>> -----Original Message-----
>> From: Mark Nottingham [mailto:mnot@mnot.net]
>> Sent: Wednesday, June 01, 2011 5:16 PM
>> To: Eran Hammer-Lahav
>> Cc: apps-discuss@ietf.org; Ben Adida; http-state@ietf.org; OAuth WG;
>> 'Adam Barth (adam@adambarth.com)'; HTTP Working Group
>> Subject: Re: [apps-discuss] HTTP MAC Authentication Scheme
>> 
>> 
>> On 02/06/2011, at 1:00 AM, Eran Hammer-Lahav wrote:
>> 
>>> This was suggested before, but are there really attack vectors for this?
>> 
>> If not having a current, working attack to demonstrate is a valid way to shrug
>> off a security concern, that's great; it'll be a useful approach to many of the
>> discussions I have. :)
> 
> No, but it's valid as long as it is fully documented. We're not going to solve everything.
> 
>>> The problem is that content-type is a pretty flexible header, which means
>>> normalization of the header will be required (case, parameter order, white
>>> space, etc.).
>> 
>> The media type is the important part, and it's much more constrained.
> 
> So include just the:
> 
> 	type "/" subtype
> 
> forced to lowercase?


Think so.


> 
>> 
>>> I would argue that if you are using MAC with body hash and an attacker
>>> changing the media type can cause harm, you should use additional methods
>>> to secure the content-type (such as making the body self-describing).
>> 
>> 
>> That seems like a step backwards, considering all of the work that Adam has
>> put into limiting the use of sniffing.
> 
> I wasn't suggesting sniffing.
> 
> EHL
> 
>> Cheers,
>> 
>> --
>> Mark Nottingham   http://www.mnot.net/
>> 
>> 
> 

--
Mark Nottingham   http://www.mnot.net/
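An added illustration of the normalization being agreed above, not code from the thread or from the MAC draft: only the lowercased type "/" subtype enters the MAC, so case, parameter order and whitespace variations verify identically while a changed media type does not. The normalized-string layout, the key and the request values are constructed assumptions.

```python
import base64
import hashlib
import hmac


def normalize_media_type(content_type):
    """Reduce a Content-Type value to lowercase 'type/subtype'.

    Parameters (charset, boundary, ...), their order, surrounding whitespace
    and case are all dropped, so only the media type itself is covered by the
    MAC. Malformed values raise instead of being signed as an empty string.
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    type_, sep, subtype = media_type.partition("/")
    type_, subtype = type_.strip(), subtype.strip()
    if not sep or not type_ or not subtype or " " in type_ + subtype:
        raise ValueError("not a media type: %r" % content_type)
    return type_ + "/" + subtype


def body_hash(body):
    """base64(SHA-256(body)), the bodyhash style used by the MAC scheme."""
    return base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


def normalized_request_string(timestamp, nonce, method, uri, host, port,
                              content_type, body):
    """Hypothetical layout (assumption, not the draft's exact format): the
    usual request fields plus the normalized media type, newline-terminated."""
    fields = [str(timestamp), nonce, method.upper(), uri, host.lower(),
              str(port), body_hash(body), normalize_media_type(content_type)]
    return "".join(field + "\n" for field in fields)


def compute_mac(key, normalized):
    """HMAC-SHA-256 over the normalized string, base64 encoded."""
    digest = hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def demo():
    key = b"constructed-shared-secret"   # constructed, not a real credential
    body = b'{"amount": 10}'
    args = (1307035200, "dj83hs9s", "POST", "/transfer", "example.com", 443)
    mac_a = compute_mac(key, normalized_request_string(*args, "Application/JSON; charset=UTF-8", body))
    mac_b = compute_mac(key, normalized_request_string(*args, "application/json;charset=utf-8", body))
    mac_c = compute_mac(key, normalized_request_string(*args, "text/plain", body))
    # Same media type verifies identically; a swapped media type does not.
    return mac_a == mac_b, mac_a == mac_c
```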

Received on Thursday, 2 June 2011 23:22:11 UTC