> -----Original Message-----
> From: Mark Nottingham [mailto:m...@mnot.net]
> Sent: Wednesday, June 01, 2011 5:16 PM
> To: Eran Hammer-Lahav
> Cc: apps-disc...@ietf.org; Ben Adida; http-st...@ietf.org; OAuth WG; 'Adam Barth (a...@adambarth.com)'; HTTP Working Group
> Subject: Re: [apps-discuss] HTTP MAC Authentication Scheme
>
>
> On 02/06/2011, at 1:00 AM, Eran Hammer-Lahav wrote:
>
> > This was suggested before, but are there really attack vectors for this?
>
> If not having a current, working attack to demonstrate is a valid way to shrug
> off a security concern, that's great; it'll be a useful approach to many of the
> discussions I have. :)

No, but it's valid as long as it is fully documented. We're not going to solve everything.

> > The problem is that content-type is a pretty flexible header, which means
> > normalization of the header will be required (case, parameter order, white
> > space, etc.).
>
> The media type is the important part, and it's much more constrained.

So include just the: type "/" subtype forced to lowercase?

> > I would argue that if you are using MAC with body hash and an attacker
> > changing the media type can cause harm, you should use additional methods
> > to secure the content-type (such as making the body self-describing).
>
> That seems like a step backwards, considering all of the work that Adam has
> put into limiting the use of sniffing.

I wasn't suggesting sniffing.

EHL

> Cheers,
>
> --
> Mark Nottingham http://www.mnot.net/
>

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
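Mark's suggestion in the thread, as an added example that is not code from the thread or from the MAC draft: reduce Content-Type to lowercase type "/" subtype before binding it to the body hash, so that case, parameter order and white space in the header no longer affect the MAC while a changed media type still does. The normalized-string layout, key and sample request are assumed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed key for the demonstration; not a value from the thread.
KEY = b"demo-mac-key"


def media_type(content_type: str) -> str:
    """Reduce a Content-Type header to type "/" subtype in lowercase.

    Parameters (charset, boundary, ...) and surrounding whitespace are
    dropped, so the value is stable across the variations Mark lists:
    case, parameter order and white space.
    """
    return content_type.split(";", 1)[0].strip().lower()


def body_hash(body: bytes) -> str:
    """Base64 SHA-256 of the body, the body-hash element of the MAC."""
    return base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


def normalized_request(method: str, uri: str, host: str, port: int,
                       content_type: str, body: bytes) -> str:
    """Build the string the MAC is computed over.

    The line layout here is an assumed illustration, not the draft's exact
    normalized request string; the point is that the media type and the
    body hash are bound to the rest of the request.
    """
    return "\n".join([method.upper(), uri, host.lower(), str(port),
                      media_type(content_type), body_hash(body)]) + "\n"


def compute_mac(key: bytes, method: str, uri: str, host: str, port: int,
                content_type: str, body: bytes) -> str:
    msg = normalized_request(method, uri, host, port, content_type, body)
    return base64.b64encode(
        hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()
    ).decode("ascii")


def verify_mac(key: bytes, presented: str, method: str, uri: str, host: str,
               port: int, content_type: str, body: bytes) -> bool:
    """Recompute on the receiving side and compare in constant time."""
    expected = compute_mac(key, method, uri, host, port, content_type, body)
    return hmac.compare_digest(expected, presented)
```

A verifier that receives the same body with a different media type (here text/plain instead of application/json) rejects the request, while parameter and case differences in the header verify cleanly.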