I dreaded that this might be the case. Then I agree it is necessary to
normalize the payload, unless signing the entity only is sufficient.
Igor
Paul C. Bryan wrote:
On Tue, 2010-02-09 at 15:40 -0500, Igor Faynberg wrote:
But what would be a problem with just running a hash function over the
payload as is? Seems to me that this way the recipient could check the
validity of the signature for this particular payload, right? Or is
there some strange case where the payload gets modified in transit
legitimately?
The payload would be: method, URI, protocol, headers and entity.
Intermediaries (e.g. proxies) are known for (legitimately) modifying
various parts of payload in transit, for example
adding/removing/reordering headers.
Paul
Igor
Paul C. Bryan wrote:
On Tue, 2010-02-09 at 13:58 -0500, Igor Faynberg wrote:
Paul C. Bryan wrote:
...
1. Payload would need to be embedded in the data element of the
signature, so we'd be duplicating payload to support digital signatures.
Would not just hash of the payload be enough?
I guess as long as there were rules on how to normalize the payload
before hashing it.
Paul
Igor
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
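
The normalization point the thread above arrives at, as an added example that is not part of the original messages: a hash over the raw request bytes stops matching once a proxy reorders, re-cases or adds headers, while a hash over a canonical form still matches. The canonicalization rules, the signed-header list and both sample requests are assumptions constructed for illustration, not taken from any OAuth draft.

```python
import hashlib

# Constructed sample: the request as the client sent it.
SENT = (b"POST /photos HTTP/1.1\r\n"
        b"Host: example.com\r\n"
        b"Content-Type: application/json\r\n"
        b"\r\n"
        b'{"title":"beach"}')

# Constructed sample: same request after a proxy reordered/re-cased headers and added Via.
RECEIVED = (b"POST /photos HTTP/1.1\r\n"
            b"content-type:  application/json\r\n"
            b"Via: 1.1 proxy.example\r\n"
            b"Host: example.com\r\n"
            b"\r\n"
            b'{"title":"beach"}')

# Assumed rule: only these headers are covered; anything else may be added or dropped.
SIGNED_HEADERS = ("host", "content-type")


def parse(raw):
    # Split a raw HTTP/1.1 request into (method, uri, headers, entity).
    head, _, entity = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    method, uri, _protocol = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, entity


def normalize(raw):
    # Canonical bytes to hash: method, URI, sorted signed headers, entity digest.
    method, uri, headers, entity = parse(raw)
    parts = [method.upper(), uri]
    parts += [f"{n}:{headers.get(n, '')}" for n in sorted(SIGNED_HEADERS)]
    parts.append(hashlib.sha256(entity).hexdigest())
    return "\n".join(parts).encode("ascii")


def digest(data):
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    print("raw hashes match:       ", digest(SENT) == digest(RECEIVED))
    print("normalized hashes match:", digest(normalize(SENT)) == digest(normalize(RECEIVED)))
```
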