This is an interesting discussion, but a bit much to cross-post to four different lists.
I've set followups to apps-discuss (since it's the most general).

Cheers,

On 08/06/2011, at 1:17 PM, Nico Williams wrote:

> On Tue, Jun 7, 2011 at 9:40 PM, William J. Mills <wmi...@yahoo-inc.com> wrote:
>> It is possible to implement decent security with MAC, it is also possible to
>
> Not as specified. See earlier posts regarding active attacks.
>
>> screw it up. It is far more difficult (impossible?) to implement decent
>> security with cookies over HTTP.
>
> Assuming well-behaved browsers that understand the distinction between
> "secure" and non-secure cookies, and assuming that active attacks are
> often no more difficult than passive attacks, what does MAC without
> TLS add that cookies don't provide?
>
> Nico

--
Mark Nottingham http://www.mnot.net/

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth