What about http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/1/spec.html ?
That's in use and has been implemented in shindig for quite some time. That draft adds protection of the body -- I don't know of any draft that covers signing the headers... On Mon, Mar 15, 2010 at 11:22 PM, John Panzer <[email protected]> wrote: > I'm confused by one "pro" for signatures: > > "Protect integrity of whole request - authorization data and payload when > communicating over unsecure channel" > > I do not believe there is an existing concrete proposal that will protect > the whole request, unless you add additional restrictions on the request > types -- e.g., only HTTP GET or POST with form-encoded data variables only. > > If the assertion is that signatures will actually provide integrity for > arbitrary HTTP request bodies as well as the URL, authority, and HTTP > method: I would like to see at least one concrete proposal that will > accomplish this. IIRC there's only one that I think is possibly > implementable in an interoperable way, and it supports only JSON payloads. > In other words, anyone using body signing would need to wrap their data in > JSON to do it. (This is not necessarily the worst thing in the world, of > course, but it is something to be taken into account when listing pros and > cons.) > > On Mon, Mar 15, 2010 at 3:50 PM, Torsten Lodderstedt < > [email protected]> wrote: > >> Hi all, >> >> I composed a detailed summary at >> http://trac.tools.ietf.org/wg/oauth/trac/wiki/SignaturesWhy. Please >> review it. >> >> @Zachary: I also added some of your recent notes. >> >> regards, >> Torsten. >> >> I volunteer to write it up. >> >> <hat type='chair'/> >> >> On 3/4/10 1:00 PM, Blaine Cook wrote: >> >> >> One of the things that's been a primary focus of both today's WG call >> and last week's call is what are the specific use cases for >> signatures? >> >> - Why are signatures needed? >> - What do signatures need to protect? >> >> Let's try to outline the use cases! Please reply here, so that we have >> a good idea of what they are as we move towards the Anaheim WG. >> >> >> This was a valuable thread. Perhaps someone could write up a summary of >> the points raised, either on the list or at the wiki? >> >> Peter >> >> >> >> >> _______________________________________________ >> OAuth mailing [email protected]https://www.ietf.org/mailman/listinfo/oauth >> >> >> >> _______________________________________________ >> OAuth mailing [email protected]https://www.ietf.org/mailman/listinfo/oauth >> >> >> >> _______________________________________________ >> OAuth mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/oauth >> >> > > _______________________________________________ > OAuth mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/oauth > >
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
