Fyi Phil
Begin forwarded message:

> From: Blair Strang <[email protected]>
> Date: May 8, 2014 at 18:47:58 PDT
> Resent-To: [email protected], [email protected], [email protected],
> [email protected]
> To: [email protected]
> Subject: HTTP protocol version in MAC signatures
>
> Hi,
>
> [Not sure if this is the right address to submit this feedback to]
>
> Looking over http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-05
> section 5.2. "MAC Input String", it seems that the HTTP request line is used
> verbatim during the construction of MAC tokens.
>
> Since this includes the transport (HTTP/1.1 versus say HTTP/1.0) it seems
> that HTTP proxies which run different protocol versions on each leg will
> break signatures.
>
> I would recommend removing the HTTP version from the MAC. The transport is
> inherently a "per hop" type of thing, while request signatures are
> conceptually "end to end".
>
> I am not aware of any specific security benefits derived from including the
> HTTP protocol version in the MAC input string. This may be why AWS version 2
> and AWS version 4 signatures do not include it.
>
> Thanks and regards,
>
> Blair.
>
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
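The failure mode Blair describes, as an added example that is not part of the original post or the draft: a MAC input string that starts with the verbatim request line, a proxy that re-speaks the request as HTTP/1.0 on the upstream leg, and the same flow with the version stripped from the input. The key, host, timestamp and nonce values are constructed, and the layout of the input string beyond "request line first" is an assumption rather than the draft's exact format.

```python
import hashlib
import hmac

# Constructed shared key; any value the client and origin both hold.
KEY = b"constructed-shared-mac-key"


def mac_input(request_line: str, host: str, ts: str, nonce: str) -> bytes:
    """Simplified MAC input string. Assumption: only the first element
    (the request line, included verbatim) mirrors the draft; the other
    fields and the newline separators are constructed for this example."""
    return "\n".join([request_line, host, ts, nonce, ""]).encode()


def sign(key: bytes, request_line: str, host: str, ts: str, nonce: str) -> str:
    return hmac.new(key, mac_input(request_line, host, ts, nonce),
                    hashlib.sha256).hexdigest()


def verify(key: bytes, request_line: str, host: str, ts: str, nonce: str,
           mac: str) -> bool:
    expected = sign(key, request_line, host, ts, nonce)
    return hmac.compare_digest(expected, mac)


def strip_version(request_line: str) -> str:
    """Keep only method and request-target: 'GET /r HTTP/1.1' -> 'GET /r'."""
    method, target, _version = request_line.split(" ", 2)
    return f"{method} {target}"


def proxy_downgrade(request_line: str) -> str:
    """Model a proxy that runs HTTP/1.0 on the origin-facing leg."""
    method, target, _version = request_line.split(" ", 2)
    return f"{method} {target} HTTP/1.0"


def demo() -> tuple:
    """Returns (verifies_with_version, verifies_without_version)."""
    client_line = "GET /resource/1?b=1&a=2 HTTP/1.1"
    host, ts, nonce = "example.com", "1398980000", "dj83hs9s"  # constructed
    server_line = proxy_downgrade(client_line)

    # Version in the input: the origin sees HTTP/1.0 and the MAC no longer matches.
    mac = sign(KEY, client_line, host, ts, nonce)
    with_version = verify(KEY, server_line, host, ts, nonce, mac)

    # Version excluded: the per-hop change is invisible to the end-to-end MAC.
    mac_nv = sign(KEY, strip_version(client_line), host, ts, nonce)
    without_version = verify(KEY, strip_version(server_line), host, ts, nonce, mac_nv)
    return with_version, without_version
```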
