On Tue, Dec 9, 2008 at 5:52 PM, Krishna Sankar (ksankar) <[EMAIL PROTECTED]> wrote: > Have been watching this discussion. Something is puzzling me - the spec > [1] talks about integrity of the body nothing else. The only thing it > says is that the body has not been altered since it left the consumer. > As the header also has relevance to the body, we should guarantee the > integrity of the headers as well, which means sign the header too. > > Looking from another perspective, whatever threat model requires a > signature of the body also requires signature of the headers as well. > > Possible I am missing something obvious.
No, you're not. In theory protecting the headers is vitally important for security. In practice it doesn't seem to matter. No one has been able to point to a single real web application whose security would be negatively impacted by a bad guy who tampers with content headers but not the body. Several people, OTOH, have suggested reasons why trying to sign headers will be complicated. If it doesn't give security, but it does make things complicated, I don't think we should do it. Anybody have a real web app that relies on the integrity of content headers for security? --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
