On Wed, Dec 10, 2008 at 11:30 PM, Krishna Sankar (ksankar) <[EMAIL PROTECTED]> wrote:
> Why can't we make it binary - just say header-signature-required
> or header-signature-not-required. And if required, sign all the headers
> or a set of well specified headers - no messy selection of which one to
> sign et al.

Binary signing would be really difficult; the headers that the consumer sees, and those that the service provider sees are potentially very different with the interference of proxies, servers, etc. OTOH, I agree that header signature selection is not at all appetising.

b.
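
Added example, not part of the original message and not OAuth's actual signature base string: a minimal sketch of the trade-off discussed above, comparing a signature over every header with one over an agreed header list once a proxy has touched the request. The HMAC-SHA256 scheme, the canonical form, the key, the header list and both header sets are assumptions constructed for illustration.

```python
import hashlib
import hmac

def canonical(headers, names):
    # Lowercase names, trim values, sort, one "name:value" per line.
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    return "\n".join(f"{n}:{lowered[n]}" for n in sorted(n.lower() for n in names))

def sign(key, headers, names=None):
    # names=None models the "binary" option: sign every header present.
    names = list(headers) if names is None else names
    msg = canonical(headers, names).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify(key, headers, signature, names=None):
    try:
        expected = sign(key, headers, names)
    except KeyError:  # a signed header was stripped in transit
        return False
    return hmac.compare_digest(expected, signature)

KEY = b"constructed-shared-secret"          # constructed, not a real key
SIGNED = ["Host", "Content-Type", "Date"]   # hypothetical agreed header list

# Constructed sample: what the consumer sends.
sent = {"Host": "api.example.com", "Content-Type": "application/json",
        "Date": "Wed, 10 Dec 2008 23:30:00 GMT", "Connection": "keep-alive"}

# Constructed sample: what the service provider receives after a proxy hop.
received = {"host": "api.example.com", "content-type": "application/json",
            "date": "Wed, 10 Dec 2008 23:30:00 GMT", "connection": "close",
            "via": "1.1 proxy.example.net", "x-forwarded-for": "203.0.113.7"}

def demo():
    sig_all = sign(KEY, sent)              # all headers signed
    sig_sel = sign(KEY, sent, SIGNED)      # only the agreed list signed
    tampered = dict(received, date="Thu, 11 Dec 2008 00:00:00 GMT")
    return {"all_headers": verify(KEY, received, sig_all),
            "selected": verify(KEY, received, sig_sel, SIGNED),
            "selected_tampered": verify(KEY, tampered, sig_sel, SIGNED)}

if __name__ == "__main__":
    print(demo())
```

The all-headers signature fails on an unmodified but proxied request, while the selected-list signature verifies and still rejects a change to a signed header; headers outside the list are unauthenticated.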
