Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP MAC Authentication Scheme

This is an interesting discussion, but a bit much to cross-post to four different lists. 

I've set followups to apps-discuss (since it's the most general).

Cheers,


On 08/06/2011, at 1:17 PM, Nico Williams wrote:

> On Tue, Jun 7, 2011 at 9:40 PM, William J. Mills <wmills@yahoo-inc.com> wrote:
>> It is possible to implement decent security with MAC, it is also possible to
> 
> Not as specified.  See earlier posts regarding active attacks.
> 
>> screw it up.  It is far more difficult (impossible?) to implement decent
>> security with cookies over HTTP.
> 
> Assuming well-behaved browsers that understand the distinction between
> "secure" and non-secure cookies, and assuming that active attacks are
> often no more difficult than passive attacks, what does MAC without
> TLS add that cookies don't provide?
> 
> Nico
> --
> _______________________________________________
> apps-discuss mailing list
> apps-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/apps-discuss

--
Mark Nottingham   http://www.mnot.net/

Received on Wednesday, 8 June 2011 03:26:41 UTC