On Fri, Dec 12, 2008 at 11:12 AM, Sam Quigley <[email protected]> wrote: > I'm just sort of curious -- what are the use-cases where body signing > makes sense, but where SSL doesn't? It seems like this is almost > exactly the same as Oauth-over-SSL, where the SSL uses the NULL > encryption algorithm and the SHA1 MAC algorithm..
The OpenSocial folks asked me to write up the body signing proposal for use in their server-to-server APIs. They expose APIs that look like this:

    POST /social/rpc
    Authorization: OAuth ... stuff ...
    Content-Type: application/json

    <big-json-blob>

Without body signing someone who sniffs that request can tamper with the json blob and change the semantics of the RPC to just about anything. The server-to-server APIs are fairly powerful. With body signing the amount of potential mischief is much reduced.

Nonce checking would help a bit, but is difficult at scale.

https support for these messages would be nice, but is overkill. Most social networks are serving their data in clear text to users.

Oddly enough, https with null encryption and sha1 mac wouldn't provide any security at all for this application, since the OAuth client authentication isn't tied to the SSL session.

Cheers,
Brian

--
You received this message because you are subscribed to the Google Groups "OAuth" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
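The tampering scenario Brian describes, worked through as an added example (this is not code from the original thread, the OpenSocial project, or any OAuth library). It builds an OAuth 1.0 HMAC-SHA1 signature over a POST /social/rpc request twice: once over the OAuth parameters alone, as the 2008 core spec did for a non-form body, and once with a base64(SHA-1(body)) digest carried as an extra signed parameter. The parameter name `oauth_body_hash`, the consumer key, the secret, the nonce, the timestamp and the URL are all assumptions made for the example; the name follows the later OAuth Request Body Hash draft, which the post itself does not cite. The verifier's behaviour is the point: a sniffer who rewrites the JSON body gets a valid request in the first case and a rejected one in the second.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import quote

# Constructed example values (hypothetical, not from the original post).
URL = "http://social.example.com/social/rpc"
CONSUMER_KEY = "dpf43f3p2l4k3l03"
CONSUMER_SECRET = "kd94hf93k423kf44"
TOKEN_SECRET = ""  # server-to-server call: no user token, so an empty token secret


def pct(s: str) -> str:
    """OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters are left bare."""
    return quote(s, safe="-._~")


def body_hash(body: bytes) -> str:
    """base64(SHA-1(body)); this is the digest the body-hash parameter carries."""
    return base64.b64encode(hashlib.sha1(body).digest()).decode("ascii")


def base_string(method: str, url: str, params: dict) -> str:
    """Signature base string: METHOD & url & sorted, encoded parameter list."""
    norm = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), pct(url), pct(norm)])


def sign(method: str, url: str, params: dict) -> str:
    """HMAC-SHA1 over the base string, keyed with consumer_secret&token_secret."""
    key = f"{pct(CONSUMER_SECRET)}&{pct(TOKEN_SECRET)}".encode("ascii")
    mac = hmac.new(key, base_string(method, url, params).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def build_request(body: bytes, with_body_hash: bool) -> dict:
    """Client side: sign the OAuth parameters, optionally binding the body via its hash."""
    params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1229101920",
        "oauth_nonce": "kllo9940pd9333jh",
        "oauth_version": "1.0",
    }
    if with_body_hash:
        # The digest becomes a signed parameter, so the body is now covered by the MAC.
        params["oauth_body_hash"] = body_hash(body)
    params["oauth_signature"] = sign("POST", URL, params)
    return {"params": params, "body": body}


def verify(request: dict) -> bool:
    """Server side: check the signature, then check the body against the signed digest."""
    params = dict(request["params"])
    presented = params.pop("oauth_signature")
    if not hmac.compare_digest(presented, sign("POST", URL, params)):
        return False
    if "oauth_body_hash" in params:
        # Recompute from the bytes actually received; a sniffer who edits the body
        # cannot fix this value without also forging the signature that covers it.
        if not hmac.compare_digest(params["oauth_body_hash"], body_hash(request["body"])):
            return False
    return True


def tamper(request: dict) -> dict:
    """Attacker on the wire: keep the OAuth header, rewrite the JSON RPC body."""
    rpc = json.loads(request["body"])
    rpc["params"]["userId"] = "victim"          # change who the RPC acts on
    rpc["method"] = "people.delete"              # and what it does
    return {"params": request["params"], "body": json.dumps(rpc).encode("utf-8")}


def demo() -> tuple:
    # Constructed sample RPC body, in the shape of an OpenSocial-style JSON call.
    body = json.dumps({"method": "people.get", "params": {"userId": "@me"}}).encode("utf-8")

    plain = build_request(body, with_body_hash=False)
    hashed = build_request(body, with_body_hash=True)
    return (
        verify(plain),          # genuine request, no body hash: accepted
        verify(tamper(plain)),  # tampered body, no body hash: still accepted
        verify(hashed),         # genuine request with body hash: accepted
        verify(tamper(hashed)), # tampered body with body hash: rejected
    )


if __name__ == "__main__":
    print(demo())  # (True, True, True, False)
```

Two caveats follow directly from the post. First, the body hash stops modification, not replay: without the nonce and timestamp checking Brian calls hard at scale, a sniffer can still resend the captured request byte-for-byte. Second, the server has to insist on the digest for any non-form body it accepts; if it merely checks `oauth_body_hash` when present, a client that omits it is back in the first case above.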
