Re: [http-state] [apps-discuss] HTTP MAC Authentication Scheme

On Tue, Jun 7, 2011 at 1:30 PM, Adam Barth <> wrote:
> On Tue, Jun 7, 2011 at 10:35 AM, Nico Williams <> wrote:
>> I'm completely on-board with session state[*].  My comments were
>> particularly in regards to threat models.  I believe that
>> eavesdroppers and active attackers both need to be considered,
>> particularly as we have so many open wifi networks.
> Sorry.  We can't address active attackers using this mechanism.  If
> you need protection from active attackers, please use TLS.

I've already said as much now several times.  However, I want channel
binding to TLS too.

>> To me the simplest way to address the Internet threat model is to
>> always use TLS (except, maybe, for images and such elements that have
>> little or no security value, though one must be careful when making
>> that determination) and to use channel binding.  See the I-D
>> referenced below.
> Indeed.  This mechanism is for folks who cannot or will not deploy TLS.

It has value outside TLS as well.  Particularly if you're using an
authentication mechanism that can provide mutual authentication (which
OAuth doesn't do today, but I hear there's work in progress to add
mutual auth to it).  And then you realize that you might want to do
something similar with other non-OAuth authentication methods, thus
the urge to generalize.


Received on Tuesday, 7 June 2011 21:18:05 UTC