Re: [OAUTH-WG] [http-state] [apps-discuss] HTTP MAC Authentication Scheme

On Tue, Jun 7, 2011 at 1:41 PM, Igor Faynberg
<igor.faynberg@alcatel-lucent.com> wrote:
> Adam Barth wrote:
>> Sorry.  We can't address active attackers using this mechanism.  If
>> you need protection from active attackers, please use TLS.
>
> Actually, IPsec will work here (with WiFi networks) just as well.  It is

Not really.  See RFCs 5660, 5386, and 5387.  If only RFC5660 were
widely implemented... but it's not.

> also true that we COULD develop both the authentication and confidentiality
> mechanisms that would offer protection from both active and passive
> attackers; it is just that we CHOSE (in opinion, correctly) not to do that
> because other Internet protocols already do that.

And rightly so.  As we've learned from SASL, having an option for
security layers (the "SL" in SASL) at multiple network layers only
adds unnecessary complications.

Nico
--

Received on Tuesday, 7 June 2011 21:21:17 UTC