Well... they don't. We didn't spec them out. But if you want to follow the 
HMAC-SHA1 method, just replace SHA1 with MD5 and call your new method HMAC-MD5. 
If you don't have HMAC available, you could use just MD5 but I'm not sure how 
secure that would be (I don't know your actual use case).

The key is that whatever you do, you should share it both with your developers 
(they will need it) and here for feedback.

EHL

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of Simone Tripodi
> Sent: Thursday, April 30, 2009 2:52 AM
> To: [email protected]
> Subject: [oauth] Re: Signature Methods extension
> 
> 
> Hi Eran!!!
> thanks for your availability! simply, how do they work? Should
> MD5/CRC32 be applied like HMAC (more or less) or something different?
> Thanks in advance, best regards!!!
> Simone
> 
> Once obtained the consumer secret, token secret (if present) and the
> base string, how to proceed? Just simply applying MD5
> 
> On Thu, Apr 30, 2009 at 9:54 AM, Eran Hammer-Lahav
> <[email protected]> wrote:
> > What do you want to know?
> >
> > EHL
> >
> >> -----Original Message-----
> >> From: [email protected] [mailto:[email protected]] On
> Behalf
> >> Of Simone Tripodi
> >> Sent: Wednesday, April 29, 2009 11:42 PM
> >> To: [email protected]
> >> Subject: [oauth] Re: Signature Methods extension
> >>
> >>
> >> Hi Eran,
> >> thanks for your reply!
> >> I know now priority is the oauth security, but later I'd like to
> know
> >> a little more about these signature methods, I hope you can help me.
> >> Thanks in advance!
> >> Simone
> >>
> >> On Wed, Apr 29, 2009 at 11:57 PM, Eran Hammer-Lahav
> >> <[email protected]> wrote:
> >> > When we wrote OAuth, there was some resistance to dropping MD5 and
> >> CRC32.
> >> > That wiki language was the compromise, with the plan to write an
> >> extension
> >> > for those. Since no one asked for it since then, it was never
> >> written.
> >> >
> >> > EHL
> >> >
> >> >
> >> > On 4/29/09 6:18 AM, "Simone Tripodi" <[email protected]>
> >> wrote:
> >> >
> >> >
> >> >
> >> > Ciao Luca :)
> >> > thanks for your reply, since in the wiki page they say
> >> >
> >> > "We agreed to drop MD5, CRC32, and the likes from the spec due to
> >> > security concerns. However, those signing algorithms should still
> be
> >> > documented and will be supported by vendors so we might as well
> >> > provide a consistent way of using them."
> >> >
> >> > I was looking for some documentation just to have a look at those
> >> methods.
> >> > Thanks!!!
> >> > Simone
> >> >
> >> > On Wed, Apr 29, 2009 at 2:37 PM, Luca Mearelli
> >> <[email protected]>
> >> > wrote:
> >> >>
> >> >> hi,
> >> >>
> >> >> On Wed, Apr 29, 2009 at 11:56 AM, Simone Tripodi
> >> >> <[email protected]> wrote:
> >> >>> I'd like to know more about signature methods extension mentioned
> on
> >> >>> the wiki page:
> >> >>>
> >> >>> http://wiki.oauth.net/SignatureMethods
> >> >>
> >> >> section 9 in the spec. defines the requirement for signatures but
> >> does
> >> >> not mandate a specific signature method it rather describes an
> >> >> algorithm to define the text to be signed (the "signature base
> >> >> string") and "defines three signature methods: HMAC-SHA1, RSA-
> SHA1,
> >> >> and PLAINTEXT, but Service Providers are free to implement and
> >> >> document their own methods." i.e. Some service provider
> implementer
> >> >> could choose to build his own signature method (e.g. using
> different
> >> >> crypto) as long as it properly documents it but I honestly can't
> >> >> remember any SP that has done so...
> >> >>
> >> >> anyhow it seems that the wiki page was calling for documenting in
> a
> >> >> standard way the specific signature methods developed by the
> various
> >> >> SPs (i noticed that the wiki page pre-dates the "OAuth Core 1.0"
> >> spec
> >> >> which was published on  Dec 4th 2007).
> >> >>
> >> >> ciao,
> >> >> Luca
> >> >>
> >> >> >
> >> >>
> >> >
> >> >
> >> >
> >> > --
> >> > http://www.google.com/profiles/simone.tripodi
> >> >
> >> >
> >> >
> >> >
> >> > >
> >> >
> >>
> >>
> >>
> >> --
> >> http://www.google.com/profiles/simone.tripodi
> >>
> >>
> >
> > >
> >
> 
> 
> 
> --
> http://www.google.com/profiles/simone.tripodi
> 
> 
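
The substitution described in the top reply (the HMAC-SHA1 construction with MD5 as the digest, published under the name HMAC-MD5), shown as an added example that is not code from this thread or from the OAuth spec. The function names and sample values are constructed for illustration; the URL is assumed to be already normalized and parameter names are assumed not to repeat.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Methods this (hypothetical) Service Provider documents and accepts.
DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-MD5": hashlib.md5}

def pct(value):
    # OAuth Core 1.0 parameter encoding: only unreserved characters stay literal.
    return quote(value, safe="-._~")

def base_string(http_method, url, params):
    # Signature base string: METHOD & encoded URL & encoded, sorted parameters.
    # oauth_signature itself is never part of the signed text.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([http_method.upper(), pct(url), pct(normalized)])

def sign(sig_method, base, consumer_secret, token_secret=""):
    # Same key layout as HMAC-SHA1: the two encoded secrets joined by '&',
    # with the '&' kept even when there is no token secret.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base.encode(), DIGESTS[sig_method])
    return base64.b64encode(mac.digest()).decode()

def verify(sig_method, base, consumer_secret, token_secret, presented):
    # Reject methods that were never documented instead of falling back,
    # and compare in constant time.
    if sig_method not in DIGESTS:
        return False
    expected = sign(sig_method, base, consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode(), presented.encode())

if __name__ == "__main__":
    # Constructed sample request, not taken from the thread.
    params = {"oauth_consumer_key": "ck-constructed", "oauth_nonce": "n0nce",
              "oauth_signature_method": "HMAC-MD5",
              "oauth_timestamp": "1241078400", "file": "vacation pic.jpg"}
    base = base_string("get", "http://api.example.test/photos", params)
    sig = sign("HMAC-MD5", base, "cs-constructed", "ts-constructed")
    print(base)
    print(sig, verify("HMAC-MD5", base, "cs-constructed", "ts-constructed", sig))
```

The secrets only ever enter as the HMAC key, which is the difference from hashing the secrets and base string together with plain MD5.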
