> -----Original Message-----
> From: Nico Williams [mailto:n...@cryptonector.com]
> Sent: Friday, May 20, 2011 1:25 PM
> To: Eran Hammer-Lahav
> Cc: apps-disc...@ietf.org; Ben Adida; http-st...@ietf.org; OAuth WG; Adam Barth (a...@adambarth.com); HTTP Working Group
> Subject: Re: [apps-discuss] HTTP MAC Authentication Scheme
>
> Additional comments:
>
> - Using nonces for replay protection is heavy-duty. It is difficult to implement a reliable, secure, high-performance replay cache. (It is easy to implement just a high-performance replay cache: use memcache.)
>
> I recommend an option to use sequence numbers at the server's choice, understanding, of course, that requests will not be received in sequence. The use of a sliding sequence number window makes it possible to do at least as well as when using nonce, and probably faster while still being secure.
We switched to use time since credentials were issued. This should be pretty easy to implement if you really need replay protection by using a small window (clock sync is no longer a problem, just the delay in getting the credentials to the client, which should be a small window).

> - In an open wifi environment active attacks may not be very difficult, thus an option to secure more than just a handful of bits from the request, would be nice (all of the request and all of the response, say). The hard part is how to decide when to use one or the other. Ideally browsers can request more protection when the network is reconfigured such that there's one or more clear wifi interfaces.

There is just no easy way to do that. If you need more, use TLS.

EHL

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
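An added illustration (not code from the thread or from the MAC draft) of the two replay-protection approaches discussed above: Nico's sliding sequence-number window and EHL's check on time since credentials were issued. The class and function names, the window sizes, and the exact form of the timestamp check are assumptions.

```python
# Added example, not part of the original message. Names and sizes are assumed.

class SequenceWindow:
    """Accept each sequence number at most once while tolerating out-of-order
    delivery within a fixed-size window (a bitmap, in the style of IPsec
    anti-replay). State is two integers, so no per-nonce cache is needed."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence (highest - i) already seen

    def accept(self, seq):
        if seq <= 0:
            return False
        if seq > self.highest:
            shift = seq - self.highest
            # slide the window forward; anything that falls off is too old
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False   # older than the window: reject rather than track
        if self.bitmap & (1 << offset):
            return False   # already seen inside the window: replay
        self.bitmap |= 1 << offset
        return True


def fresh(issued_at, age_claimed, now, window=60):
    """EHL's approach as assumed here: the client sends the seconds elapsed
    since its credentials were issued; the server recomputes that from the
    issue time it recorded and accepts only if the two agree within a small
    window. Only the delivery delay of the credentials matters, not clock
    sync, and the window bounds how long a captured request stays usable."""
    expected = now - issued_at
    return abs(expected - age_claimed) <= window


def accept_request(window, seq, issued_at, age_claimed, now):
    """Combined check: a request must be fresh and its sequence number unseen."""
    return fresh(issued_at, age_claimed, now) and window.accept(seq)
```

The sequence window only needs to cover requests that can still pass the freshness check, so a small bitmap suffices.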