- From: Nico Williams <nico@cryptonector.com>
- Date: Tue, 7 Jun 2011 22:17:47 -0500
- To: "William J. Mills" <wmills@yahoo-inc.com>
- Cc: Tim <tim-projects@sentinelchicken.org>, OAuth WG <oauth@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, "http-state@ietf.org" <http-state@ietf.org>
On Tue, Jun 7, 2011 at 9:40 PM, William J. Mills <wmills@yahoo-inc.com> wrote:
> It is possible to implement decent security with MAC, it is also possible to

Not as specified. See earlier posts regarding active attacks.

> screw it up. It is far more difficult (impossible?) to implement decent
> security with cookies over HTTP.

Assuming well-behaved browsers that understand the distinction between
"secure" and non-secure cookies, and assuming that active attacks are
often no more difficult than passive attacks, what does MAC without
TLS add that cookies don't provide?

Nico
--
Received on Wednesday, 8 June 2011 03:18:10 UTC