Re: [OAUTH-WG] [http-state] [apps-discuss] HTTP MAC Authentication Scheme

On Tue, Jun 7, 2011 at 5:43 PM, William J. Mills <wmills@yahoo-inc.com> wrote:
> MAC adds security if the initial secret exchange is secure, and it provides
> a definition for signing payload as part of the request.

Not if the MAC doesn't protect enough of the request _and_ response to
prevent active attacks.  Unless you don't care about those attacks
(which some of you have indicated), in which case why bother with the
MAC at all?

Nico
--

Received on Tuesday, 7 June 2011 22:57:35 UTC
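
The coverage point in the reply above, shown as an added example that is not part of the original message and not taken from the HTTP MAC draft: a request MAC that omits the body still verifies after the body is altered in transit, while a MAC that covers the body, and a response MAC bound to the request, both detect the change. The field list, key, helper names and sample request are assumptions constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-shared-secret"  # constructed sample key, not a real credential


def mac(key, fields):
    # Length-prefix every field so that field boundaries cannot be shifted.
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()


def sign_request(key, req, cover_body):
    # Hypothetical coverage: nonce, method, URI, host, and optionally a body hash.
    fields = [req["nonce"], req["method"], req["uri"], req["host"]]
    if cover_body:
        fields.append(hashlib.sha256(req["body"]).digest())
    return mac(key, fields)


def verify_request(key, req, tag, cover_body):
    return hmac.compare_digest(sign_request(key, req, cover_body), tag)


def sign_response(key, request_tag, status, body):
    # Including the request tag binds this response to that one request.
    return mac(key, [b"response", request_tag, status, body])


def verify_response(key, request_tag, status, body, tag):
    return hmac.compare_digest(sign_response(key, request_tag, status, body), tag)


def demo():
    # Constructed sample request; "tampered" differs only in the body.
    req = {"nonce": b"n-1", "method": b"POST", "uri": b"/transfer",
           "host": b"api.example", "body": b"amount=10"}
    tampered = dict(req, body=b"amount=9999")
    partial_tag = sign_request(KEY, req, cover_body=False)
    full_tag = sign_request(KEY, req, cover_body=True)
    resp_tag = sign_response(KEY, full_tag, b"200", b"ok")
    return {
        "partial_accepts_tampered_body": verify_request(KEY, tampered, partial_tag, False),
        "full_accepts_tampered_body": verify_request(KEY, tampered, full_tag, True),
        "response_accepted": verify_response(KEY, full_tag, b"200", b"ok", resp_tag),
        "tampered_response_accepted": verify_response(KEY, full_tag, b"200", b"denied", resp_tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```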