On Thu, Dec 11, 2008 at 5:35 PM, Krishna Sankar (ksankar) <[email protected]> wrote: > a) Header signing? Yes/No. I assume Yes - from your last > e-mail. If not we should continue that thread . > b) Assuming yes for #1 above, SP selects headers to sign. > Yes/No. I assume No and that the spec specifies a (fixed) list of > headers to sign.
Yes to number one, but I'm not writing up the proposal. None of the use cases I'm interested in will see a security benefit, though I can certainly imagine other applications for whom header integrity is valuable. The answer to #2 should depend on use cases for #1. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
