Greetings, I had some discussions with security experts inside my company (Sun) about OAuth's signature methods and a couple issues were raised.
The first one was about the decision to only define SHA1 and HMAC1 when they've been reckoned as "weak" and NIST itself recommends switching to SHA2 digests? I've read the archives (not all, I'll admit) and only found comments on the lack of support for SHA256, which seems unfounded at this point.

The second issue was to not mandate at least 1 signature method. This could lead to bad situations like having 2 conforming implementations not being able to interoperate.

Are those points part of topics to be resolved during the IETF process?

Cheers,
Hubert

PS: I've blogged there (http://bug4free.wordpress.com/2008/11/28/digital-signature-in-oauth/) about this and would like to write follow-ups on this topic based on your responses.
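As an added illustration (not part of Hubert's post and not code from any OAuth library), the following Python builds the OAuth 1.0 signature base string for the request example in RFC 5849 section 3.4.1.1 and signs it with HMAC-SHA1 as the spec defines, then with a hypothetical HMAC-SHA256 method that the spec does not define: only the digest changes, the base-string and key construction stay identical, which is the substance of the "why not SHA2" question. The consumer and token secrets are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def oauth_encode(s: str) -> str:
    """Percent-encode per OAuth 1.0: only RFC 3986 unreserved characters stay bare."""
    return quote(s, safe="-._~")

def signature_base_string(method: str, url: str, params) -> str:
    """METHOD & encoded base URI & encoded normalized (sorted, re-encoded) parameters."""
    u = urlsplit(url)
    port = "" if u.port in (None, 80, 443) else f":{u.port}"   # default ports are dropped
    base_uri = f"{u.scheme.lower()}://{u.hostname}{port}{u.path}"
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params)  # by name, then value
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), oauth_encode(base_uri), oauth_encode(normalized)])

def sign(base_string: str, consumer_secret: str, token_secret: str, digest=hashlib.sha1) -> str:
    """HMAC over the base string, keyed with encoded-consumer-secret & encoded-token-secret.
    digest=hashlib.sha1 is the defined HMAC-SHA1 method; hashlib.sha256 is a drop-in variant
    the spec does not define, so both parties would have to agree on it out of band."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    mac = hmac.new(key, base_string.encode(), digest).digest()
    return base64.b64encode(mac).decode()

def verify(base_string, consumer_secret, token_secret, presented, digest=hashlib.sha1) -> bool:
    """Server-side check; constant-time compare avoids leaking how many bytes matched."""
    expected = sign(base_string, consumer_secret, token_secret, digest)
    return hmac.compare_digest(expected, presented)

# Request taken from RFC 5849 section 3.4.1.1; the two secrets are constructed placeholders.
URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
BODY = "c2&a3=2+q"   # application/x-www-form-urlencoded body, also part of the signed parameters
OAUTH = [("oauth_consumer_key", "9djdj82h48djs9d2"), ("oauth_token", "kkk9d7dh3k39sjv7"),
         ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "137131201"),
         ("oauth_nonce", "7d8f3e4a")]
CONSUMER_SECRET, TOKEN_SECRET = "consumer-secret-placeholder", "token-secret-placeholder"

def example_base_string() -> str:
    query = parse_qsl(urlsplit(URL).query, keep_blank_values=True)  # decoded once here
    body = parse_qsl(BODY, keep_blank_values=True)
    return signature_base_string("POST", URL, query + body + OAUTH)

if __name__ == "__main__":
    bs = example_base_string()
    print(bs)
    print("HMAC-SHA1  :", sign(bs, CONSUMER_SECRET, TOKEN_SECRET))
    print("HMAC-SHA256:", sign(bs, CONSUMER_SECRET, TOKEN_SECRET, hashlib.sha256))
```

A real HMAC-SHA256 request would also carry oauth_signature_method=HMAC-SHA256 in the signed parameters, so the base string itself would differ from the SHA1 one.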
