What do you want to know?

EHL

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Simone Tripodi
> Sent: Wednesday, April 29, 2009 11:42 PM
> To: [email protected]
> Subject: [oauth] Re: Signature Methods extension
>
> Hi Eran,
> thanks for your reply!
> I know now priority is the oauth security, but later I'd like to know
> a little more about these signature methods, I hope you can help me.
> Thanks in advance!
> Simone
>
> On Wed, Apr 29, 2009 at 11:57 PM, Eran Hammer-Lahav
> <[email protected]> wrote:
> > When we wrote OAuth, there was some resistance to dropping MD5 and CRC32.
> > That wiki language was the compromise, with the plan to write an extension
> > for those. Since no one asked for it since then, it was never written.
> >
> > EHL
> >
> > On 4/29/09 6:18 AM, "Simone Tripodi" <[email protected]> wrote:
> >
> > Ciao Luca :)
> > thanks for your reply, since in the wiki page they say
> >
> > "We agreed to drop MD5, CRC32, and the likes from the spec due to
> > security concerns. However, those signing algorithms should still be
> > documented and will be supported by vendors so we might as well
> > provide a consistent way of using them."
> >
> > I was looking for some documentation just to have a look at those methods.
> > Thanks!!!
> > Simone
> >
> > On Wed, Apr 29, 2009 at 2:37 PM, Luca Mearelli <[email protected]>
> > wrote:
> >>
> >> hi,
> >>
> >> On Wed, Apr 29, 2009 at 11:56 AM, Simone Tripodi
> >> <[email protected]> wrote:
> >>> I'd like to know more about signature methods extension mentioned on
> >>> the wiki page:
> >>>
> >>> http://wiki.oauth.net/SignatureMethods
> >>
> >> section 9 in the spec defines the requirement for signatures but does
> >> not mandate a specific signature method it rather describes an
> >> algorithm to define the text to be signed (the "signature base
> >> string") and "defines three signature methods: HMAC-SHA1, RSA-SHA1,
> >> and PLAINTEXT, but Service Providers are free to implement and
> >> document their own methods." i.e. Some service provider implementer
> >> could choose to build his own signature method (e.g. using different
> >> crypto) as long as it properly documents it but I honestly can't
> >> remember any SP that has done so...
> >>
> >> anyhow it seems that the wiki page was calling for documenting in a
> >> standard way the specific signature methods developed by the various
> >> SPs (I noticed that the wiki page pre-dates the "OAuth Core 1.0" spec
> >> which was published on Dec 4th 2007).
> >>
> >> ciao,
> >> Luca
> >
> > --
> > http://www.google.com/profiles/simone.tripodi
>
> --
> http://www.google.com/profiles/simone.tripodi
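
The signature base string and the HMAC-SHA1 and PLAINTEXT methods that the quoted reply describes from section 9, as an added Python example that is not part of the original thread. The function names are this example's own, and the sample request values follow the worked example in OAuth Core 1.0 Appendix A.

```python
import base64, hashlib, hmac
from urllib.parse import quote, urlsplit

def enc(value):
    # OAuth parameter encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def base_url(url):
    # Lowercase scheme/host, drop default port, query string and fragment.
    p = urlsplit(url)
    host = p.hostname.lower()
    if p.port and p.port != {"http": 80, "https": 443}.get(p.scheme):
        host = f"{host}:{p.port}"
    return f"{p.scheme}://{host}{p.path or '/'}"

def signature_base_string(method, url, params):
    # params: all query, body and oauth_* pairs except oauth_signature.
    pairs = sorted((enc(k), enc(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(base_url(url)), enc(normalized)])

def signing_key(consumer_secret, token_secret=""):
    return f"{enc(consumer_secret)}&{enc(token_secret)}"

def sign_hmac_sha1(base_string, consumer_secret, token_secret=""):
    key = signing_key(consumer_secret, token_secret).encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def sign_plaintext(consumer_secret, token_secret=""):
    # PLAINTEXT never touches the base string: the value sent is the secrets
    # themselves, so it gives no request integrity and needs a protected channel.
    return signing_key(consumer_secret, token_secret)

def verify_hmac_sha1(base_string, received, consumer_secret, token_secret=""):
    # Service Provider side: recompute, then compare in constant time.
    expected = sign_hmac_sha1(base_string, consumer_secret, token_secret)
    return hmac.compare_digest(expected, received)

# Sample request (values from the worked example in OAuth Core 1.0 Appendix A).
URL = "http://photos.example.net/photos"
SECRETS = ("kd94hf93k423kf44", "pfkkdhi9sl3r4s00")  # consumer, token secret
PARAMS = [("file", "vacation.jpg"), ("size", "original"),
          ("oauth_consumer_key", "dpf43f3p2l4k3l03"),
          ("oauth_token", "nnch734d00sl2jdk"),
          ("oauth_signature_method", "HMAC-SHA1"),
          ("oauth_timestamp", "1191242096"),
          ("oauth_nonce", "kllo9940pd9333jh"), ("oauth_version", "1.0")]
```

Because the HMAC covers the method, URL and every parameter, a request altered in transit fails `verify_hmac_sha1`, whereas the PLAINTEXT value is identical for every request made with the same secrets.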
