- From: Mark Nottingham <mnot@mnot.net>
- Date: Wed, 8 Jun 2011 13:26:05 +1000
- To: Nico Williams <nico@cryptonector.com>, "William J. Mills" <wmills@yahoo-inc.com>, Tim <tim-projects@sentinelchicken.org>
- Cc: http-state@ietf.org, OAuth WG <oauth@ietf.org>, "apps-discuss@ietf.org Discuss" <apps-discuss@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
This is an interesting discussion, but a bit much to cross-post to four different lists. I've set followups to apps-discuss (since it's the most general).

Cheers,

On 08/06/2011, at 1:17 PM, Nico Williams wrote:

> On Tue, Jun 7, 2011 at 9:40 PM, William J. Mills <wmills@yahoo-inc.com> wrote:
>> It is possible to implement decent security with MAC, it is also possible to
>
> Not as specified. See earlier posts regarding active attacks.
>
>> screw it up. It is far more difficult (impossible?) to implement decent
>> security with cookies over HTTP.
>
> Assuming well-behaved browsers that understand the distinction between
> "secure" and non-secure cookies, and assuming that active attacks are
> often no more difficult than passive attacks, what does MAC without
> TLS add that cookies don't provide?
>
> Nico
> --
> _______________________________________________
> apps-discuss mailing list
> apps-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/apps-discuss

--
Mark Nottingham http://www.mnot.net/
Received on Wednesday, 8 June 2011 03:26:41 UTC