Indeed, thanks for writing this up, it is good to see that we are moving to a real body signing spec.
I have two questions:

1. Why use sha1 and not hmac-sha1 (or the signing method of the request)?

2. Is it possible to have a way to add signing of the content-type and content-length headers? Maybe add a normalisation method for the header and include the headers in the signature. Or when normalisation is not feasible, add an oauth_body_length and oauth_body_type parameter that the software might use to verify the received content-length and content-type headers.

Thanks for starting this effort!

- Marc Worrell

On 8 dec 2008, at 18:04, Louis Ryan wrote:

> Thanks for writing this up. This is clearly a much needed feature
> for opensocial and I think containers should adopt this, or whatever
> this becomes, once there is reasonable consensus. Do people have
> objections to grandfathering this into the spec once that happens?
>
> On Sun, Dec 7, 2008 at 3:54 PM, Brian Eaton <[EMAIL PROTECTED]> wrote:
> Hi folks -
>
> Existing proposals for signing non-form-encoded request bodies can't
> be safely used with OpenSocial. I've written up a draft OAuth
> extension that describes why xoauth_body_signature isn't safe and
> provides a simple alternative:
>
> http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/1/spec.html
>
> Feedback most welcome.
>
> Cheers,
> Brian
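A worked illustration of the mechanism the thread discusses, added here as an example; it is not code from the draft, from the OAuth project or from anyone in the thread. The draft's approach, as I understand it, is to carry base64(SHA-1(body)) in an oauth_body_hash parameter, which the ordinary OAuth 1.0 HMAC-SHA1 signature then covers like any other parameter; form-encoded bodies are excluded because their fields are already signed. The example signs a JSON body on the client side, verifies it on the server side, and exercises three failure cases. The URL, body, consumer secret, nonce and timestamp are constructed sample data, the function names (sign_request, verify_request, demo) are mine, and only HMAC-SHA1 is handled (the draft also covers RSA-SHA1).

```python
"""oauth_body_hash worked example (added illustration, not the spec's or
OpenSocial's code). Parameter names follow the body-hash draft; the rest
is plain OAuth 1.0 HMAC-SHA1 signing. All sample data is constructed."""
import base64
import hashlib
import hmac
import urllib.parse

FORM_ENCODED = "application/x-www-form-urlencoded"


def oauth_escape(s: str) -> str:
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay bare.
    return urllib.parse.quote(str(s), safe="-._~")


def body_hash(body: bytes) -> str:
    # base64(SHA-1(body)): same hash as the HMAC-SHA1/RSA-SHA1 signature methods.
    # The value is unkeyed; its integrity comes from being a signed parameter.
    return base64.b64encode(hashlib.sha1(body).digest()).decode("ascii")


def signature_base_string(method: str, url: str, params: dict) -> str:
    # Normalise: encode keys and values, sort by encoded key then encoded value.
    pairs = sorted((oauth_escape(k), oauth_escape(v)) for k, v in params.items())
    normalised = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_escape(url), oauth_escape(normalised)])


def hmac_sha1(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    key = f"{oauth_escape(consumer_secret)}&{oauth_escape(token_secret)}".encode("ascii")
    mac = hmac.new(key, base_string.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def sign_request(method, url, content_type, body, consumer_key, consumer_secret,
                 nonce, timestamp):
    """Client side: build the oauth_* parameters for a request with a raw body."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    if content_type != FORM_ENCODED:
        # Form-encoded fields are already signed as parameters; the body hash
        # is only for other content types.
        params["oauth_body_hash"] = body_hash(body)
    params["oauth_signature"] = hmac_sha1(
        signature_base_string(method, url, params), consumer_secret)
    return params


def verify_request(method, url, content_type, body, params, consumer_secret) -> bool:
    """Server side: hash the bytes actually received, then check the signature."""
    params = dict(params)
    sig = params.pop("oauth_signature", None)
    if sig is None or params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    if content_type == FORM_ENCODED:
        if "oauth_body_hash" in params:
            return False  # hash is not defined for form-encoded bodies
    else:
        # Any altered or truncated body (hence also a wrong Content-Length)
        # changes the recomputed hash.
        received = params.get("oauth_body_hash", "")
        if not hmac.compare_digest(received, body_hash(body)):
            return False
    expected = hmac_sha1(signature_base_string(method, url, params), consumer_secret)
    return hmac.compare_digest(sig, expected)


# Constructed demo data (hypothetical container URL, body and secret).
URL = "https://container.example/social/rest/people/@me/@self"
BODY = b'{"displayName":"Marc"}'
CT = "application/json"
SECRET = "s3cret"


def demo() -> dict:
    p = sign_request("PUT", URL, CT, BODY, "ck", SECRET, "n0nce", 1228755840)
    tampered = b'{"displayName":"Mallory"}'
    # Recomputing the unkeyed hash without the secret does not help the
    # attacker: the hash is itself inside the signed base string.
    forged = dict(p, oauth_body_hash=body_hash(tampered))
    return {
        "valid": verify_request("PUT", URL, CT, BODY, p, SECRET),
        "tampered_body": verify_request("PUT", URL, CT, tampered, p, SECRET),
        "rehashed_body": verify_request("PUT", URL, CT, tampered, forged, SECRET),
        "truncated_body": verify_request("PUT", URL, CT, BODY[:-1], p, SECRET),
    }


if __name__ == "__main__":
    print(demo())
```

The rehashed case is the one worth staring at: a man-in-the-middle can replace an unkeyed SHA-1, but cannot produce the matching oauth_signature without the consumer secret, which is why the hash itself need not be an HMAC. The truncated case shows that hashing the received bytes implicitly pins the body length; nothing in this scheme binds Content-Type, which a verifier must treat as unauthenticated.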
