Thanks Torsten, this is good. The "Pro Signature" section seemed a little thin to me (pro HTTPS too, though most security pros are included obliquely in the "Powerful" bullet). I changed the "Pro Signature" section to:
* Low latency and computational costs (HMAC)
* Provides for authentication of request by proving possession of a secret that is bound to an account (in OAuth 1.0a)
* Can provide message integrity (in OAuth 1.0a for single-part form-encoded requests, for query strings, and for request bodies under the body-signing extension)
* Can provide replay protection via signed nonces (in OAuth 1.0a)
* Can provide expiration via signed timestamps (in OAuth 1.0a)

Ethan

On Mon, Mar 15, 2010 at 6:50 PM, Torsten Lodderstedt <[email protected]> wrote:
> Hi all,
>
> I composed a detailed summary at
> http://trac.tools.ietf.org/wg/oauth/trac/wiki/SignaturesWhy. Please review
> it.
>
> @Zachary: I also added some of your recent notes.
>
> regards,
> Torsten.
>
> I volunteer to write it up.
>
> <hat type='chair'/>
>
> On 3/4/10 1:00 PM, Blaine Cook wrote:
>
> One of the things that's been a primary focus of both today's WG call
> and last week's call is what are the specific use cases for
> signatures?
>
> - Why are signatures needed?
> - What do signatures need to protect?
>
> Let's try to outline the use cases! Please reply here, so that we have
> a good idea of what they are as we move towards the Anaheim WG.
>
> This was a valuable thread. Perhaps someone could write up a summary of
> the points raised, either on the list or at the wiki?
>
> Peter
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
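
The integrity, replay and expiration properties listed in the message above, as an added example that is not part of the original thread: a server-side check of an OAuth 1.0a HMAC-SHA1 request in Python. The secrets, URL, the 300-second window and the in-memory nonce set are assumptions, and the URL is taken as already normalized with no query string and no repeated parameter names.

```python
import base64, hashlib, hmac
from urllib.parse import quote
MAX_SKEW = 300  # assumed acceptance window for oauth_timestamp, in seconds

def enc(value):
    # OAuth 1.0a percent-encoding: only RFC 3986 unreserved characters stay bare
    return quote(str(value), safe="-._~")

def sign(method, url, params, consumer_secret, token_secret=""):
    # Base string = METHOD & encoded URL & encoded, sorted parameter list
    pairs = sorted((enc(k), enc(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), enc(url), enc(normalized)])
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verify(method, url, params, consumer_secret, token_secret, seen, now):
    # Returns "ok" or the reason for rejection
    expected = sign(method, url, params, consumer_secret, token_secret)
    supplied = params.get("oauth_signature", "")
    # Signature first: nonce and timestamp are only trustworthy once authenticated
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "bad_signature"
    ts = int(params["oauth_timestamp"])
    if abs(now - ts) > MAX_SKEW:
        return "expired"
    nonce_key = (params["oauth_consumer_key"], ts, params["oauth_nonce"])
    if nonce_key in seen:
        return "replay"
    seen.add(nonce_key)
    return "ok"

def demo():
    # Constructed request: every key, secret and URL here is made up
    cs, tsec = "consumer-secret", "token-secret"
    url = "https://api.example.com/statuses/update"
    p = {"oauth_consumer_key": "ck", "oauth_token": "tk", "oauth_nonce": "n1",
         "oauth_timestamp": "1268694000", "oauth_signature_method": "HMAC-SHA1",
         "status": "hello world"}
    p["oauth_signature"] = sign("POST", url, p, cs, tsec)
    seen, now = set(), 1268694010
    return [verify("POST", url, p, cs, tsec, seen, now),            # first use
            verify("POST", url, p, cs, tsec, seen, now),            # same nonce again
            verify("POST", url, dict(p, status="tampered"), cs, tsec, seen, now),
            verify("POST", url, p, cs, tsec, set(), now + 3600)]    # stale timestamp

if __name__ == "__main__":
    print(demo())
```

The nonce is recorded only after the signature and timestamp pass, so unauthenticated requests cannot fill the nonce store.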
