Hey Brian, I'm just sort of curious -- what are the use-cases where body signing makes sense, but where SSL doesn't? It seems like this is almost exactly the same as OAuth-over-SSL, where the SSL uses the NULL encryption algorithm and the SHA1 MAC algorithm.
Am I missing something?

-sq

On Dec 11, 2008, at 5:40 PM, Brian Eaton wrote:

> On Thu, Dec 11, 2008 at 5:35 PM, Krishna Sankar (ksankar)
> <[email protected]> wrote:
>> a) Header signing? Yes/No. I assume Yes - from your last
>> e-mail. If not we should continue that thread.
>> b) Assuming yes for #1 above, SP selects headers to sign.
>> Yes/No. I assume No and that the spec specifies a (fixed) list of
>> headers to sign.
>
> Yes to number one, but I'm not writing up the proposal. None of the
> use cases I'm interested in will see a security benefit, though I can
> certainly imagine other applications for whom header integrity is
> valuable.
>
> The answer to #2 should depend on use cases for #1.
