Re: [OAUTH-WG] [http-state] [apps-discuss] HTTP MAC Authentication Scheme

On Tue, Jun 7, 2011 at 5:43 PM, William J. Mills <> wrote:
> MAC adds security if the initial secret exchange is secure, and it provides
> a definition for signing payload as part of the request.

Not if the MAC doesn't protect enough of the request _and_ response to
prevent active attacks.  Unless you don't care about those attacks
(which some of you have indicated), in which case why bother with the
MAC at all?


Received on Tuesday, 7 June 2011 22:57:35 UTC