Web Application Security
Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 16 2004 01:13AM
Thomas Schreiber (ts securenet de) (7 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 20 2004 05:17PM
Elihu Smails (elihusmails2000 yahoo com) (5 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 21 2004 01:37PM
Joseph Miller (joseph tidetamerboatlifts com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 21 2004 07:20AM
Sverre H. Huseby (shh thathost com) (1 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 21 2004 06:47PM
Elihu Smails (elihusmails2000 yahoo com) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 20 2004 03:00PM
Eran Tromer (webapp2eran tromer org) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 05:47PM
Florian Weimer (fw deneb enyo de) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 08:12PM
Eran Tromer (webapp2eran tromer org) (3 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 08:30PM
Eran Tromer (webapp2eran tromer org)
On 12/22/2004 10:12 PM, Eran Tromer wrote:
> On 12/22/2004 07:47 PM, Florian Weimer wrote:
>> The HMAC input should also cover a time-dependent value sent along in the
>> clear (which is later used to check the token for freshness). A form
>> identifier could also be helpful.
>
> [snip]
> The timestamp and (in some cases) the form identifier needed to be sent
> as extra parameters, which can get rather ugly when using GET requests.

On second thought, what you need is not a form (source) identifier, but
rather an action (target) identifier. The action is necessarily
deducible from the rest of the HTTP request, so there's no good reason not
to add it to the hash. Ideally, one would hash in all parts of the
target URL and all POST parameters that are known at the time the source
page is sent (except the token itself).

Eran

[ reply ]
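The token construction Eran and Florian converge on above (HMAC over the session identifier, a clear-text timestamp used for freshness, and the target action rather than the source form) is shown below as an added worked example. This is not code from the thread or from the whitepaper; the key, session identifier, field name `csrf_token`, target URL and timestamps are constructed for illustration.

```python
"""HMAC anti-session-riding token bound to session, timestamp and target action.

Added example (not from the thread). Key, session id, field name and URL are
constructed for illustration.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

TOKEN_FIELD = "csrf_token"      # hypothetical name of the form field carrying the token
MAX_AGE_SECONDS = 15 * 60       # freshness window checked against the clear-text timestamp


def canonical_action(target_url: str, params: dict) -> bytes:
    """Serialise the action (target) identifier: path, query string and the
    POST fields known when the source page is emitted, minus the token itself.
    Sorting makes the encoding independent of parameter order."""
    parts = urlsplit(target_url)
    query = sorted(parse_qsl(parts.query, keep_blank_values=True))
    body = sorted((k, v) for k, v in params.items() if k != TOKEN_FIELD)
    return "|".join([parts.path, urlencode(query), urlencode(body)]).encode()


def make_token(key: bytes, session_id: str, target_url: str, params: dict, issued_at: int) -> str:
    """token = issued_at '.' HMAC-SHA256(key, session_id || issued_at || action).
    Only the timestamp travels in the clear, and it rides inside the one token
    parameter rather than as a second field."""
    msg = b"\x00".join([session_id.encode(), str(issued_at).encode(),
                        canonical_action(target_url, params)])
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


def verify_token(key: bytes, session_id: str, target_url: str, params: dict,
                 token: str, now: int, max_age: int = MAX_AGE_SECONDS) -> bool:
    """Recompute the token for the request actually received and compare in
    constant time; reject unparsable, stale or future-dated tokens."""
    try:
        ts_str, _ = token.split(".", 1)
        issued_at = int(ts_str)
    except (AttributeError, ValueError):
        return False
    if not 0 <= now - issued_at <= max_age:
        return False
    expected = make_token(key, session_id, target_url, params, issued_at)
    return hmac.compare_digest(expected, token)


def demo() -> dict:
    """Legitimate submission versus the same token replayed against another
    action, under another session, or after expiry. Inputs are constructed."""
    key = bytes.fromhex("00" * 16 + "ff" * 16)       # constructed; load from config in practice
    session_id = "sess-9f3a7c"                       # constructed server-side session id
    target = "https://bank.example/transfer?account=savings"
    fields = {"to": "alice", "amount": "100"}
    t0 = 1_700_000_000

    token = make_token(key, session_id, target, fields, t0)
    submitted = dict(fields, **{TOKEN_FIELD: token})

    return {
        "legit": verify_token(key, session_id, target, submitted, token, now=t0 + 60),
        # same token, different recipient: the action identifier no longer matches
        "other_params": verify_token(key, session_id, target,
                                     {"to": "mallory", "amount": "100", TOKEN_FIELD: token},
                                     token, now=t0 + 60),
        # same token presented under a different session cookie
        "other_session": verify_token(key, "sess-attacker", target, submitted, token, now=t0 + 60),
        # same token after the freshness window has passed
        "expired": verify_token(key, session_id, target, submitted, token, now=t0 + 3600),
    }


if __name__ == "__main__":
    print(demo())
```

The canonical form has to match what the server actually dispatches on: if the application tolerates alternative path encodings or case, the same normalisation must be applied before hashing, or an attacker can reach the handler with a URL the token was never bound to. The check must also run before any state-changing work, and with GET the token still ends up in the URL and therefore in Referer headers and logs, which is the ugliness Eran alludes to.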
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 17 2004 08:36AM
Philippe P. (webappsec philippe prados name) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 20 2004 02:44PM
Joseph Miller (joseph tidetamerboatlifts com) (1 replies)
RE: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 16 2004 10:40PM
Yvan G.J. Boily (yboily seccuris com) (2 replies)
RE: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 20 2004 05:56PM
Mark Burnett (mb xato net) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 21 2004 04:31PM
Jeff Williams (jeff williams aspectsecurity com) (2 replies)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 22 2004 07:46PM
Augusto Paes de Barros (apbarros gmail com)
Re: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications" Dec 16 2004 05:08PM
Sverre H. Huseby (shh thathost com) (1 replies)
Privacy Statement
Copyright 2009, SecurityFocus