On body-hash... Having completed a trial implementation, it seems redundant, and potentially problematic, to include the body-hash in the Authentication header. The danger is that implementors may neglect to recalculate the hash themselves, reusing the value (even if incorrect) provided by the client. Why not just require the provider to calculate this and validate it by comparing the final signature? This way it's clearer for everyone what the expectations are in validating the signature.
I propose either a flag (eg, usebodyhash="1") or an algorithm (bodyhashalgorithm="sha1"). If this parameter was provided, the correct hash would be added to the base string for signing. If omitted (or set false?) then an empty string is used for base string element #4. On including parameters for signing... I'd retract my suggestion that we'd include parameter-hash in the header. Instead, I would suggest making parameters optional in calculating the signature using a flag as with bodyhash. Providers could require including parameters if so desired. Parameters could be included as currently defined, or with a hash method similar to entity-body (which I find both simpler and more congruent). Again, the goal in making query parameters optional is to allow providers to make signature calculation as simple as possible for clients (so much as it is in line with the security requirements of the provider) and avoid complexities in implementation such as those that tripped up OAuth 1. On Jan 22, 2011, at 2:09 AM, Eran Hammer-Lahav wrote: > http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-02 > > New version includes the following changes: > > o Added body-hash support. > o Updated OAuth 2.0 reference to -12 and added token type registration > template. > o Removed error and error URI attributes (codes were just a duplication > of the HTTP status codes). > > Feedback would be greatly appreciated. > > EHL > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
