Re: [OAUTH-WG] [http-state] [apps-discuss] HTTP MAC Authentication Scheme

On Tue, Jun 7, 2011 at 9:40 PM, William J. Mills <wmills@yahoo-inc.com> wrote:
> It is possible to implement decent security with MAC, it is also possible to

Not as specified.  See earlier posts regarding active attacks.

> screw it up.  It is far more difficult (impossible?) to implement decent
> security with cookies over HTTP.

Assuming well-behaved browsers that understand the distinction between
"secure" and non-secure cookies, and assuming that active attacks are
often no more difficult than passive attacks, what does MAC without
TLS add that cookies don't provide?

Nico
--

Received on Wednesday, 8 June 2011 03:18:10 UTC