From eran@hueniverse.com Mon May 9 12:22:37 2011
From: Eran Hammer-Lahav
To: apps-discuss@ietf.org
Cc: Ben Adida, http-state@ietf.org, OAuth WG, Adam Barth (adam@adambarth.com), HTTP Working Group
Date: Mon, 9 May 2011 12:22:23 -0700
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Subject: [http-state] HTTP MAC Authentication Scheme

(Please discuss this draft on the Apps-Discuss <apps-discuss@ietf.org> mailing list)

http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token

The draft includes:

* An HTTP authentication scheme using a MAC algorithm to authenticate requests (via a pre-arranged MAC key).
* An extension to the Set-Cookie header, providing a method for associating a MAC key with a session cookie.
* An OAuth 2.0 binding, providing a method of returning MAC credentials as an access token.

Some background: OAuth 1.0 introduced an HTTP authentication scheme using HMAC for authenticating an HTTP request with partial cryptographic protection of the HTTP request (namely, the request URI, host, and port). The OAuth 1.0 scheme was designed for delegation-based use cases, but is widely "abused" for simple client-server authentication (the poorly named 'two-legged' use case). This functionality has been separated from OAuth 2.0 and has been reintroduced as a standalone, generally applicable HTTP authentication scheme called MAC.

Comments and feedback are greatly appreciated.

EHL
From stpeter@stpeter.im Tue May 10 12:42:54 2011
From: Peter Saint-Andre
To: Discuss HTTP State Management Mechanism <http-state@ietf.org>
Date: Tue, 10 May 2011 13:42:49 -0600
Message-ID: <4DC99539.6010300@stpeter.im>
Subject: [http-state] declaring success

This is a cryptographically signed message in MIME format.

The HTTPSTATE WG was formed to generate a spec accurately describing the existing HTTP state management technology ("cookies"). With the publication of RFC 6265, that work is now complete. Therefore, as your responsible Area Director I plan to close the HTTPSTATE WG very soon.

I know that some people have expressed interest in working on "next generation" state management mechanisms. I encourage folks to organize such efforts on the http-state@ietf.org list or via whatever means they deem helpful (e.g., side meetings at upcoming IETF meetings). I will ask the Secretariat to keep this list open for continued discussions.

Thanks and congratulations to the WG on a job well done!

Peter

--
Peter Saint-Andre
https://stpeter.im/

From Jeff.Hodges@KingsMountain.com Tue May 10 13:04:10 2011
From: =JeffH
To: Peter Saint-Andre
Cc: IETF HTTP State WG emeritus
Date: Tue, 10 May 2011 13:04:06 -0700
Message-ID: <4DC99A36.9040808@KingsMountain.com>
Subject: Re: [http-state] declaring success

> The HTTPSTATE WG was formed to generate a spec accurately describing the existing HTTP state management technology ("cookies"). With the publication of RFC 6265, that work is now complete. Therefore, as your responsible Area Director I plan to close the HTTPSTATE WG very soon.

Thanks Peter ... and thanks to you for all your help with this WG's work.

Thanks again to all participants/contributors. I'm honored to have been a part of this effort and work with you all.

=JeffH

From wwwrun@ietfa.amsl.com Wed May 18 15:06:54 2011
From: IESG Secretary
To: IETF Announcement list
Cc: http-state@ietf.org
Date: Wed, 18 May 2011 15:06:54 -0700 (PDT)
Message-Id: <20110518220654.A1CF4E07D8@ietfa.amsl.com>
Subject: [http-state] WG Action: Conclusion of HTTP State Management Mechanism (httpstate)

The HTTP State Management Mechanism (httpstate) working group in the Applications Area has concluded.

The IESG contact person is Peter Saint-Andre.

The mailing list will remain active.

The HTTPSTATE working group was chartered to produce an accurate and complete specification of the HTTP state management mechanism (commonly known as "cookies"). With the publication of RFC 6265, the group has achieved its primary goal. Thanks to Bil Corry for instigating this work, Adam Barth for taking on the role of document editor, and Jeff Hodges for chairing the effort.

To ensure complete documentation of the working group's decisions, the mailing list archive will be retained.
In addition, the list will remain open for further discussion regarding HTTP state management technologies.

- Peter Saint-Andre, Responsible Area Director

From nico@cryptonector.com Fri May 20 13:24:48 2011
From: Nico Williams
To: Eran Hammer-Lahav
Cc: apps-discuss@ietf.org, Ben Adida, Adam Barth (adam@adambarth.com), http-state@ietf.org, HTTP Working Group, OAuth WG
Date: Fri, 20 May 2011 15:24:42 -0500
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Subject: Re: [http-state] [apps-discuss] HTTP MAC Authentication Scheme

Additional comments:

 - Using nonces for replay protection is heavy-duty. It is difficult to implement a reliable, secure, high-performance replay cache. (It is easy to implement just a high-performance replay cache: use memcache.)

   I recommend an option to use sequence numbers at the server's choice, understanding, of course, that requests will not be received in sequence. The use of a sliding sequence number window makes it possible to do at least as well as when using nonce, and probably faster while still being secure.

 - In an open wifi environment active attacks may not be very difficult, thus an option to secure more than just a handful of bits from the request, would be nice (all of the request and all of the response, say). The hard part is how to decide when to use one or the other. Ideally browsers can request more protection when the network is reconfigured such that there's one or more clear wifi interfaces.

Nico

From eran@hueniverse.com Fri May 20 14:18:40 2011
From: Eran Hammer-Lahav
To: Nico Williams
Cc: apps-discuss@ietf.org, Ben Adida, Adam Barth (adam@adambarth.com), http-state@ietf.org, HTTP Working Group, OAuth WG
Date: Fri, 20 May 2011 14:18:21 -0700
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723447582E46A9@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Subject: Re: [http-state] [apps-discuss] HTTP MAC Authentication Scheme

> -----Original Message-----
> From: Nico Williams [mailto:nico@cryptonector.com]
> Sent: Friday, May 20, 2011 1:25 PM
> To: Eran Hammer-Lahav
> Cc: apps-discuss@ietf.org; Ben Adida; http-state@ietf.org; OAuth WG; Adam Barth (adam@adambarth.com); HTTP Working Group
> Subject: Re: [apps-discuss] HTTP MAC Authentication Scheme
>
> Additional comments:
>
>  - Using nonces for replay protection is heavy-duty. It is difficult to implement a reliable, secure, high-performance replay cache. (It is easy to implement just a high-performance replay cache: use memcache.)
>
>    I recommend an option to use sequence numbers at the server's choice, understanding, of course, that requests will not be received in sequence. The use of a sliding sequence number window makes it possible to do at least as well as when using nonce, and probably faster while still being secure.

We switched to use time since credentials were issued. This should be pretty easy to implement if you really need replay protection by using a small window (clock sync is no longer a problem, just the delay in getting the credentials to the client, which should be a small window).

>  - In an open wifi environment active attacks may not be very difficult, thus an option to secure more than just a handful of bits from the request, would be nice (all of the request and all of the response, say). The hard part is how to decide when to use one or the other. Ideally browsers can request more protection when the network is reconfigured such that there's one or more clear wifi interfaces.

There is just no easy way to do that. If you need more, use TLS.

EHL

From nico@cryptonector.com Fri May 20 14:31:55 2011
From: Nico Williams
To: Eran Hammer-Lahav
Cc: apps-discuss@ietf.org, Ben Adida, Adam Barth (adam@adambarth.com), http-state@ietf.org, HTTP Working Group, OAuth WG
Date: Fri, 20 May 2011 16:31:52 -0500
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723447582E46A9@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Subject: Re: [http-state] [apps-discuss] HTTP MAC Authentication Scheme

On Fri, May 20, 2011 at 4:18 PM, Eran Hammer-Lahav wrote:
>> Additional comments:
>>
>>  - Using nonces for replay protection is heavy-duty. It is difficult to implement a reliable, secure, high-performance replay cache. (It is easy to implement just a high-performance replay cache: use memcache.)
>>
>>    I recommend an option to use sequence numbers at the server's choice, understanding, of course, that requests will not be received in sequence. The use of a sliding sequence number window makes it possible to do at least as well as when using nonce, and probably faster while still being secure.
>
> We switched to use time since credentials were issued. This should be pretty easy to implement if you really need replay protection by using a small window (clock sync is no longer a problem, just the delay in getting the credentials to the client, which should be a small window).

Kerberos has had an option to use time or sequence numbers for a long time. We've learned a few things from this experience.

For a memcache-type implementation, timestamps are probably best because maintaining a sequence number window in memcache, synchronized, would be a pain, if not impossible. Other replay cache implementations would likely do better using sequence numbers, especially when they have a small sequence number window per-session. And, of course, memcache isn't going to be durable (but probably it will be good enough in many cases). If you set a skew window to be tight on the future side, then you can compensate for this if you can detect loss of replay data (hmmm, not likely with memcache, eh?).

One big gotcha to be aware of:

 - Some clocks have lousy resolution, leading to easily repeated values in high-rate environments. One fix is to add resolution on the wire and use random numbers for the unused precision bits. Another solution is to not use time.

My advice is that you allow the server to select which of timestamps or sequence numbers to use. Also, I strongly recommend that you specify replay cache semantics in some detail. Think of the Kerberos V5 replay cache semantics.

>>  - In an open wifi environment active attacks may not be very difficult, thus an option to secure more than just a handful of bits from the request, would be nice (all of the request and all of the response, say). The hard part is how to decide when to use one or the other. Ideally browsers can request more protection when the network is reconfigured such that there's one or more clear wifi interfaces.
>
> There is just no easy way to do that. If you need more, use TLS.

But even then you need to know when to use TLS. TLS doesn't solve the problem when you're trying to solve problems without introducing TLS in the first place.

This is a serious problem. You think you're fixing one problem (cookie theft by passive attackers on open networks) and you're very likely only making things somewhat harder for the attacker -- we need to be very careful that the attacker can't just automate active attacks and still win.
Nico
--

From mnot@mnot.net Tue May 31 16:57:30 2011
From: Mark Nottingham
To: Eran Hammer-Lahav
Cc: apps-discuss@ietf.org, Ben Adida, Adam Barth (adam@adambarth.com), http-state@ietf.org, HTTP Working Group, OAuth WG
Date: Wed, 1 Jun 2011 09:57:19 +1000
Subject: Re: [http-state] [apps-discuss] HTTP MAC Authentication Scheme
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Hi,

Reading draft -05.

The "normalized request string" contains the request-URI and values extracted from the Host header. Be aware that intermediaries can and do change these; e.g., they may change an absolute URI to a relative URI in the request-line, without affecting the semantics of the request. See [1] for details (it covers other problematic conditions too). It would be more robust to calculate an effective request URI, as in [2].

Also, if you include a hash of the request body, you really need to include a hash of the body media type.

Generally, I think that people can and will want to include other headers; just because *some* developers can't get this right doesn't mean we should preclude *all* developers from doing it. It'd be really nice to see this either leverage DOSETA [3][4], or at least offer a clean transition path to it.

Regards,

1. http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-14#section-4.1.2
2. http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-14#section-4.3
3. http://tools.ietf.org/html/draft-crocker-dkim-doseta-00
4. http://tools.ietf.org/html/draft-crocker-doseta-base-02

On 10/05/2011, at 5:22 AM, Eran Hammer-Lahav wrote:
> (Please discuss this draft on the Apps-Discuss mailing list)
>
> http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token
>
> The draft includes:
>
> * An HTTP authentication scheme using a MAC algorithm to authenticate requests (via a pre-arranged MAC key).
> * An extension to the Set-Cookie header, providing a method for associating a MAC key with a session cookie.
> * An OAuth 2.0 binding, providing a method of returning MAC credentials as an access token.
>
> Some background: OAuth 1.0 introduced an HTTP authentication scheme using HMAC for authenticating an HTTP request with partial cryptographic protection of the HTTP request (namely, the request URI, host, and port). The OAuth 1.0 scheme was designed for delegation-based use cases, but is widely "abused" for simple client-server authentication (the poorly named 'two-legged' use case). This functionality has been separated from OAuth 2.0 and has been reintroduced as a standalone, generally applicable HTTP authentication scheme called MAC.
>
> Comments and feedback are greatly appreciated.
>
> EHL
> _______________________________________________
> apps-discuss mailing list
> apps-discuss@ietf.org
> https://www.ietf.org/mailman/listinfo/apps-discuss

--
Mark Nottingham
http://www.mnot.net/
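Added illustration of the two replay-cache modes Nico's message above discusses (editor's example, not code from the MAC draft, from Kerberos, or from either poster): a per-session sliding window over sequence numbers that tolerates out-of-order arrival, and a timestamp mode whose skew window is tight on the future side and which carries random salt bits alongside the timestamp so a coarse clock cannot produce repeated values. The class and function names, the window sizes and the salt field are assumptions made for the example.

```python
"""Replay protection for a MAC-authenticated request, with the server
choosing between timestamps and per-session sequence numbers.

Added example for illustration: not code from the MAC draft, Kerberos,
or either poster. Class and function names, the window sizes and the
random 'salt' field are assumptions made here.
"""
import secrets
from collections import deque


class SeqWindow:
    """Sliding window over sequence numbers for one session (one MAC key).

    Requests need not arrive in order: a number above the highest seen
    slides the window forward, a number inside the window is accepted
    once, and a number that has already fallen off the window is
    rejected because it can no longer be distinguished from a replay.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = -1     # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => (highest - i) already accepted

    def accept(self, seq: int) -> bool:
        if seq < 0:
            return False
        if seq > self.highest:
            shift = seq - self.highest
            # Slide forward; entries shifted past 'size' bits are forgotten.
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False      # older than the window: reject
        if self.bitmap & (1 << offset):
            return False      # already accepted: replay
        self.bitmap |= 1 << offset
        return True


class TimestampReplayCache:
    """Timestamp mode with a skew window that is tight on the future side.

    'ts' is the request time as the server reconstructs it (for the
    draft's revised scheme: credential issue time plus the client's
    reported age). Because a coarse clock can repeat values under load,
    the client also sends random 'salt' bits; the cache remembers
    (key_id, ts, salt) until ts leaves the past window, after which any
    request carrying that ts is rejected by the window check anyway.
    """

    def __init__(self, past: float = 60.0, future: float = 2.0):
        self.past = past
        self.future = future
        self._seen = set()
        self._order = deque()  # (expiry, entry) in arrival order

    def __len__(self) -> int:
        return len(self._seen)

    def accept(self, key_id: str, ts: float, salt: str, now: float) -> bool:
        if ts > now + self.future:
            return False      # ahead of our clock beyond the allowed skew
        if ts < now - self.past:
            return False      # older than we remember: cannot rule out replay
        self._expire(now)
        entry = (key_id, ts, salt)
        if entry in self._seen:
            return False      # exact replay
        self._seen.add(entry)
        self._order.append((ts + self.past, entry))
        return True

    def _expire(self, now: float) -> None:
        # Arrival order is not strictly expiry order, so an entry may
        # linger a little longer than needed; that errs on the safe side.
        while self._order and self._order[0][0] < now:
            _, entry = self._order.popleft()
            self._seen.discard(entry)


def client_stamp(issued_at: float, now: float) -> tuple:
    """Client side of timestamp mode: age of the credential in whole
    seconds plus random salt that fills the precision the clock lacks."""
    return int(now - issued_at), secrets.token_hex(4)
```

The sequence window is the in-memory structure Nico says suits a per-session cache; the timestamp cache is the shape that maps onto a shared store such as memcache, where the only state is a set of seen (key, time, salt) tuples with a bounded lifetime.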
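Added illustration of Mark's two points above (editor's example, not code from the MAC draft or from the poster): computing an effective request URI so the MAC input is the same whether an intermediary forwarded the request-line in absolute-form or origin-form, and binding the body hash to the media type. The effective-URI rule follows the httpbis p1 reference Mark cites (absolute-form request-target used as given, otherwise scheme plus Host header plus request-target); the field layout of the normalized string and the function names are assumptions made for the example.

```python
"""Intermediary-safe MAC input: effective request URI plus a body hash
bound to the media type.

Added example for illustration, not code from the MAC draft or from the
poster. The effective-request-URI rule follows the httpbis p1 reference
in the message above; the field layout of the normalized string and the
function names are assumptions made here.
"""
import hashlib
import hmac
from urllib.parse import urlsplit


def effective_request_uri(request_target: str, host_header: str, scheme: str) -> str:
    """Same result whether an intermediary forwarded the request-line as
    absolute-form ('http://example.com/a?b') or origin-form ('/a?b').

    Normalization: scheme and host lowercased, default port dropped,
    empty path replaced by '/'. The query is kept byte-for-byte.
    """
    parts = urlsplit(request_target)
    if "://" in request_target:           # absolute-form: use as given
        scheme, authority = parts.scheme, parts.netloc
    else:                                 # origin-form: needs the Host header
        authority = host_header.strip()
    scheme = scheme.lower()
    authority = authority.lower()
    if authority.endswith("]"):           # bracketed IPv6 literal, no port
        host, port = authority, ""
    else:
        host, _, port = authority.rpartition(":")
        if not host:                      # no colon at all
            host, port = port, ""
    if port == {"http": "80", "https": "443"}.get(scheme):
        port = ""
    netloc = host + (":" + port if port else "")
    uri = scheme + "://" + netloc + (parts.path or "/")
    return uri + ("?" + parts.query if parts.query else "")


def canonical_media_type(content_type: str) -> str:
    """Lowercase the type/subtype (case-insensitive in HTTP) but keep
    parameter values as sent, since e.g. a multipart boundary is not."""
    main, _, params = content_type.partition(";")
    params = ";".join(p.strip() for p in params.split(";") if p.strip())
    return main.strip().lower() + (";" + params if params else "")


def body_hash(content_type: str, body: bytes) -> str:
    """Hash covering the media type as well as the bytes, so the same body
    relabelled as another type does not verify. Fields are length-prefixed
    so no (type, body) pair can collide with a differently split one."""
    ct = canonical_media_type(content_type).encode("utf-8")
    h = hashlib.sha256()
    h.update(len(ct).to_bytes(4, "big") + ct)
    h.update(len(body).to_bytes(8, "big") + body)
    return h.hexdigest()


def normalized_request_string(ts: str, nonce: str, method: str,
                              effective_uri: str, body_hash_value: str = "") -> str:
    """Hypothetical newline-separated layout, one field per line."""
    return "\n".join([ts, nonce, method.upper(), effective_uri, body_hash_value]) + "\n"


def request_mac(key: bytes, normalized: str) -> str:
    """HMAC-SHA256 over the normalized string; verifiers should compare the
    result with hmac.compare_digest rather than ==."""
    return hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()
```

With this, a proxy that rewrites `GET http://Example.com:80/api/items?x=1` to `GET /api/items?x=1` plus `Host: example.com` leaves the MAC input unchanged, while a body re-sent under a different Content-Type produces a different hash and fails verification.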