>> 14. Explicitly state in section 3.3.2 (and 3.3.3) that SHA-1 (and SHA-256) are
>> used to calculate the body hash when using the hmac-sha-1 (and hmac-sha-256)
>> algorithm.

> Why isn't 3.2 enough? That's where body hash is discussed.

3.2 says the "body hash algorithm is determined by the access token algorithm" 
so it makes sense to state the former where you define the latter (in 3.3.2 & 
3.3.3).
If someone ever wants to specify another algorithm the obvious thing to do is 
start with the text in 3.3.2 "hmac-sha-1" and modify it for the new algorithm 
-- but that would miss the extra detail that an algorithm spec needs 
(indicating a body hash alg).
Anyway, this is basically a minor editorial issue.

--
James Manger
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
