> -----Original Message-----
> From: Mark Nottingham [mailto:m...@mnot.net]
> Sent: Wednesday, June 01, 2011 5:16 PM
> To: Eran Hammer-Lahav
> Cc: apps-disc...@ietf.org; Ben Adida; http-st...@ietf.org; OAuth WG;
> 'Adam Barth (a...@adambarth.com)'; HTTP Working Group
> Subject: Re: [apps-discuss] HTTP MAC Authentication Scheme
>
>
> On 02/06/2011, at 1:00 AM, Eran Hammer-Lahav wrote:
>
> > This was suggested before, but are there really attack vectors for this?
>
> If not having a current, working attack to demonstrate is a valid way to shrug
> off a security concern, that's great; it'll be a useful approach to many of
> the
> discussions I have. :)
No, but its valid as long as it is fully documented. We're not going to solve
everything.
> > The problem is that content-type is a pretty flexible header, which means
> normalization of the header will be required (case, parameter order, white
> space, etc.).
>
> The media type is the important part, and it's much more constrained.
So include just the:
type "/" subtype
forced to lowercase?
>
> > I would argue that if you are using MAC with body hash and an attacker
> changing the media type can cause harm, you should use additional methods
> to secure the content-type (such as making the body self-describing).
>
>
> That seems like a step backwards, considering all of the work that Adam has
> put into limiting the use of sniffing.
I wasn't suggesting sniffing.
EHL
> Cheers,
>
> --
> Mark Nottingham http://www.mnot.net/
>
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
