Currently I'm using HMAC-SHA1 over HTTP and have been considering adding in SSL to my app, but am slightly confused as to what is more appropriate. Obviously I'll be losing a *lot* of speed with SSL, and from reading the specification I'm unclear whether it's actually necessary. For example:
http://oauth.net/core/1.0a/#rfc.section.A.1 Seems to state that when using HTTPS I must use PLAINTEXT for my signatures - can someone help me understand whether one is more secure than the other, and if possible a recommendation of what to go for. I take a lot of cues from Twitter (who are using HMAC-SHA1 and HTTP) cause I'd like to imagine their herds of boffins have thought of most scenarios... What do you think?
