Re: [OAUTH-WG] [http-state] [apps-discuss] HTTP MAC Authentication Scheme from Nico Williams on 2011-06-07 (ietf-http-wg@w3.org from April to June 2011)

From: Nico Williams <nico@cryptonector.com>
Date: Tue, 7 Jun 2011 16:20:51 -0500
To: igor.faynberg@alcatel-lucent.com
Cc: Adam Barth <ietf@adambarth.com>, apps-discuss@ietf.org, Ben Adida <ben@adida.net>, http-state@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>, OAuth WG <oauth@ietf.org>
Message-ID: <BANLkTikDj_0mg4Ov-3u5JeK7hFLY1WYg9Q@mail.gmail.com>

On Tue, Jun 7, 2011 at 1:41 PM, Igor Faynberg
<igor.faynberg@alcatel-lucent.com> wrote:
> Adam Barth wrote:
>> Sorry.  We can't address active attackers using this mechanism.  If
>> you need protection from active attackers, please use TLS.
>
> Actually, IPsec will work here (with WiFi networks) just as well.  It is

Not really.  See RFCs 5660, 5386, and 5387.  If only RFC5660 were
widely implemented... but it's not.

> also true that we COULD develop both the authentication and confidentiality
> mechanisms that would offer protection from both active and passive
> attackers; it is just that we CHOSE (in opinion, correctly) not to do that
> because other Internet protocols already do that.

And rightly so.  As we've learned from SASL, having an option for
security layers (the "SL" in SASL) at multiple network layers only
adds unnecessary complications.

Nico
--

Received on Tuesday, 7 June 2011 21:21:17 UTC