Hi Eran, thanks for your reply! I know now priority is the oauth security, but later I'd like to know a little more about these signature methods, I hope you can help me. Thanks in advance! Simone
On Wed, Apr 29, 2009 at 11:57 PM, Eran Hammer-Lahav <[email protected]> wrote: > When we wrote OAuth, there was some resistance to dropping MD5 and CRC32. > That wiki language was the compromise, with the plan to write an extension > for those. Since no one asked for it since then, it was never written. > > EHL > > > On 4/29/09 6:18 AM, "Simone Tripodi" <[email protected]> wrote: > > > > Ciao Luca :) > thanks for your reply, since in the wiki page they say > > "We agreed to drop MD5, CRC32, and the likes from the spec due to > security concerns. However, those signing algorithms should still be > documented and will be supported by vendors so we might as well > provide a consistent way of using them." > > I was looking for some documentation just to have a look at those methods. > Thanks!!! > Simone > > On Wed, Apr 29, 2009 at 2:37 PM, Luca Mearelli <[email protected]> > wrote: >> >> hi, >> >> On Wed, Apr 29, 2009 at 11:56 AM, Simone Tripodi >> <[email protected]> wrote: >>> I'd like to know more about signature methods extension mentione on >>> the wiki page: >>> >>> http://wiki.oauth.net/SignatureMethods >> >> section 9 in the spec. defines the requirement for signatures but does >> not mandate a specific signature method it rather describes an >> algorithm to define the text to be signed (the "signature base >> string") and "defines three signature methods: HMAC-SHA1, RSA-SHA1, >> and PLAINTEXT, but Service Providers are free to implement and >> document their own methods." i.e. Some service provider implementer >> could choose to build his own signature method (e.g. using different >> crypto) as long as it properly documents it but I honestly can't >> remember any SP that has done so... >> >> anyhow it seems that the wiki page was calling for documenting in a >> standard way the specific signature methods developed by the various >> SPs (i noticed that the wiki page pre-dates the "OAuth Core 1.0" spec >> which was published on Dec 4th 2007). >> >> ciao, >> Luca >> >> > >> > > > > -- > http://www.google.com/profiles/simone.tripodi > > > > > > > -- http://www.google.com/profiles/simone.tripodi --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
