- From: Nico Williams <nico@cryptonector.com>
- Date: Tue, 7 Jun 2011 17:33:34 -0500
- To: Adam Barth <ietf@adambarth.com>
- Cc: "Paul E. Jones" <paulej@packetizer.com>, Eran Hammer-Lahav <eran@hueniverse.com>, apps-discuss@ietf.org, Ben Adida <ben@adida.net>, http-state@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>, OAuth WG <oauth@ietf.org>
On Tue, Jun 7, 2011 at 4:24 PM, Adam Barth <ietf@adambarth.com> wrote:
> I'm not sure that's appropriate for this mechanism. What problem does
> channel binding solve?

CB is not appropriate for OAuth today, no, because OAuth doesn't give you mutual authentication, which means channel binding can't be done either (well, not with any security guarantees).

You missed my point however: I don't really want to see a specific purpose MAC here because I do believe it's generalizable, and if we don't generalize it now we'll just have more special casing in code later. For a general MAC I'd want an option for CB (when TLS is used, of course).

Nico
--
Received on Tuesday, 7 June 2011 22:34:06 UTC