On Tue, 2010-02-09 at 15:40 -0500, Igor Faynberg wrote:
> But what would be a problem with just running a hash function over the
> payload as is? Seems to me that this way the recipient could check the
> validity of the signature for this particular payload, right? Or is
> there some strange case where the payload gets modified in transit
> legitimately?

The payload would be: method, URI, protocol, headers and entity.
Intermediaries (e.g. proxies) are known for (legitimately) modifying
various parts of payload in transit, for example
adding/removing/reordering headers.

Paul

>
> Igor
>
> Paul C. Bryan wrote:
> > On Tue, 2010-02-09 at 13:58 -0500, Igor Faynberg wrote:
> >
> >> Paul C. Bryan wrote:
> >>
> >>> ...
> >>>
> >>>> 1. Payload would need to be embedded in the data element of the
> >>>> signature, so we'd be duplicating payload to support digital signatures.
> >>>>
> >> Would not just hash of the payload be enough?
> >>
> >
> > I guess as long as there were rules on how to normalize the payload
> > before hashing it.
> >
> > Paul
> >
> >> Igor
> >>
> >
> > _______________________________________________
> > OAuth mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/oauth
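
The point made in this thread, as an added example (not code from the list participants or from any OAuth specification): a hash over the request "as is" breaks when a proxy reorders or adds headers, while a hash over a normalized form survives it. The signed header set, leaving the protocol version out, and using HMAC-SHA256 in place of a digital signature are assumptions made for the illustration.

```python
import hashlib
import hmac

# Assumption: only these headers are signed; headers a proxy may add
# (Via, X-Forwarded-For, ...) are deliberately left out.
SIGNED_HEADERS = ("host", "content-type")

def normalize(method, uri, headers, entity):
    """Canonical bytes for a request; headers is a list of (name, value) pairs."""
    folded = {}
    for name, value in headers:
        # Header names are case-insensitive; fold case and collapse whitespace.
        folded.setdefault(name.strip().lower(), []).append(" ".join(value.split()))
    lines = [method.upper(), uri]
    # A fixed header set in a fixed order makes reordering and additions harmless.
    for name in sorted(SIGNED_HEADERS):
        if name not in folded:
            raise ValueError("signed header missing: " + name)
        lines.append(name + ":" + ",".join(folded[name]))
    # The entity is covered by its digest, so it is not duplicated.
    lines.append(hashlib.sha256(entity).hexdigest())
    return "\n".join(lines).encode("utf-8")

def sign(key, method, uri, headers, entity):
    msg = normalize(method, uri, headers, entity)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify(key, signature, method, uri, headers, entity):
    try:
        expected = sign(key, method, uri, headers, entity)
    except ValueError:
        return False  # an intermediary removed a signed header
    return hmac.compare_digest(signature, expected)

def raw_hash(method, uri, headers, entity):
    """Hash of the payload 'as is' (request line, headers, entity), for comparison."""
    head = "".join(f"{n}: {v}\r\n" for n, v in headers)
    return hashlib.sha256(f"{method} {uri} HTTP/1.1\r\n{head}\r\n".encode() + entity).hexdigest()

# Constructed sample request: as sent, and as received after a proxy
# reordered the headers, changed their case and added Via.
KEY = b"constructed-demo-key"
BODY = b'{"amount": 10}'
SENT = [("Host", "api.example.com"), ("Content-Type", "application/json")]
VIA_PROXY = [("content-type", "application/json"), ("Via", "1.1 proxy.example"),
             ("Host", "api.example.com")]

if __name__ == "__main__":
    sig = sign(KEY, "POST", "/pay", SENT, BODY)
    print(verify(KEY, sig, "POST", "/pay", VIA_PROXY, BODY))
```

Removing a header that is in the signed set still fails verification, which is the trade-off of choosing that set: anything in it must be left untouched by intermediaries.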
