On 03/06/2011, at 1:44 AM, Eran Hammer-Lahav wrote:

>
>
>> -----Original Message-----
>> From: Mark Nottingham [mailto:[email protected]]
>> Sent: Wednesday, June 01, 2011 5:16 PM
>> To: Eran Hammer-Lahav
>> Cc: [email protected]; Ben Adida; [email protected]; OAuth WG;
>> 'Adam Barth ([email protected])'; HTTP Working Group
>> Subject: Re: [apps-discuss] HTTP MAC Authentication Scheme
>>
>>
>> On 02/06/2011, at 1:00 AM, Eran Hammer-Lahav wrote:
>>
>>> This was suggested before, but are there really attack vectors for this?
>>
>> If not having a current, working attack to demonstrate is a valid way to
>> shrug off a security concern, that's great; it'll be a useful approach to
>> many of the discussions I have. :)
>
> No, but it's valid as long as it is fully documented. We're not going to solve
> everything.
>
>>> The problem is that content-type is a pretty flexible header, which means
>>> normalization of the header will be required (case, parameter order, white
>>> space, etc.).
>>
>> The media type is the important part, and it's much more constrained.
>
> So include just the:
>
> type "/" subtype
>
> forced to lowercase?

Think so.

>
>>
>>> I would argue that if you are using MAC with body hash and an attacker
>>> changing the media type can cause harm, you should use additional methods
>>> to secure the content-type (such as making the body self-describing).
>>
>>
>> That seems like a step backwards, considering all of the work that Adam has
>> put into limiting the use of sniffing.
>
> I wasn't suggesting sniffing.
>
> EHL
>
>> Cheers,
>>
>> --
>> Mark Nottingham http://www.mnot.net/
>>
>>
>

--
Mark Nottingham http://www.mnot.net/

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
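The normalization the thread converges on (cover only the lowercase `type "/" subtype`, next to the body hash, rather than the whole Content-Type header) is shown below as an added Python example. It is not code from the thread or from the HTTP MAC draft: the layout of the normalized string, the key, the request values and the helper names are constructed assumptions made for illustration. It demonstrates why covering the media type matters: with only the body hash covered, a request can be re-labelled by anyone who can change the header; with the media type covered, the MAC still tolerates harmless variation (case, parameters, whitespace) but rejects a swapped type.

```python
import base64
import hashlib
import hmac

# Assumption: one normalized element per line, newline-terminated. This is
# an illustration of the approach discussed on the list, not the exact
# normalized string defined by the HTTP MAC draft.


def normalize_media_type(content_type: str) -> str:
    """Reduce a Content-Type header value to lowercase 'type/subtype'.

    Parameters (charset, boundary, ...), surrounding whitespace and case are
    dropped. Only the media type is covered because, as the thread notes, it
    is far more constrained than the full header and needs no parameter-order
    or whitespace normalization.
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type.count("/") != 1:
        raise ValueError(f"not a media type: {content_type!r}")
    major, minor = media_type.split("/")
    if not major or not minor:
        raise ValueError(f"not a media type: {content_type!r}")
    return f"{major}/{minor}"


def body_hash(body: bytes) -> str:
    """Base64 SHA-256 of the request body (the draft's body-hash idea)."""
    return base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


def normalized_string(timestamp, nonce, method, uri, host, port,
                      body, content_type) -> str:
    """Build the string the MAC is computed over.

    The media-type line is the addition under discussion in the thread;
    everything else mirrors the kind of elements a request MAC covers.
    """
    elements = [
        str(timestamp),
        nonce,
        method.upper(),
        uri,
        host.lower(),
        str(port),
        body_hash(body),
        normalize_media_type(content_type),
    ]
    return "\n".join(elements) + "\n"


def compute_mac(key: bytes, normalized: str) -> str:
    digest = hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify(key: bytes, mac: str, **request) -> bool:
    """Server-side check: recompute and compare in constant time."""
    expected = compute_mac(key, normalized_string(**request))
    return hmac.compare_digest(expected, mac)


def demo() -> dict:
    """Constructed request; returns the verification outcome of three cases."""
    key = b"constructed-demo-key"
    request = dict(timestamp=1307000000, nonce="dj83hs9s", method="POST",
                   uri="/resource/1", host="example.com", port=80,
                   body=b'{"amount": 10}', content_type="application/json")
    mac = compute_mac(key, normalized_string(**request))

    # Same media type, different case and an added parameter: still verifies.
    relabelled_same = dict(request, content_type="Application/JSON; charset=UTF-8")
    # Media type swapped by someone who can edit headers: must fail.
    relabelled_swapped = dict(request, content_type="text/html")

    return {
        "original": verify(key, mac, **request),
        "same_media_type": verify(key, mac, **relabelled_same),
        "swapped_media_type": verify(key, mac, **relabelled_swapped),
    }


if __name__ == "__main__":
    print(demo())
```

The `verify` step is where the design choice pays off: a receiver that only checks the body hash would accept the `text/html` relabelling, because nothing in the covered string changed. Covering `type/subtype` closes that gap without forcing both sides to agree on a canonical form for every Content-Type parameter.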
