The hubbub spec, in section 7.4, says:
http://pubsubhubbub.googlecode.com/svn/trunk/pubsubhubbub-core-0.2.html#authednotify

"The signature MUST be computed by appending the hub.secret value to the request body and then generating the combined string's HMAC using the SHA1 algorithm."

However, HMAC has a specific definition, in RFC 2104, which allows for composing HMACs from secure hash algorithms. It's constructed specifically to make it more difficult to forge or brute-force an HMAC, a property the description in the hubbub spec lacks.

Why does the hubbub spec use this ad-hoc construction instead of a proper HMAC?

--
Nick Johnson, Developer Programs Engineer, App Engine
Google Ireland Ltd. :: Registered in Dublin, Ireland, Registration Number: 368047
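
Added example, not part of the original message or of the spec: the RFC 2104 construction written out step by step in Python, next to a literal reading of the quoted sentence, so the difference between the two is visible. The secret and body are constructed sample values, the function names are hypothetical, and reading "appending" as SHA1(body || secret) is an assumption about the spec's wording.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-1 input block size in bytes (B in RFC 2104)


def rfc2104_hmac_sha1(key: bytes, msg: bytes) -> str:
    """HMAC-SHA1 built directly from the RFC 2104 definition:
    H((K xor opad) || H((K xor ipad) || msg))."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha1(key).digest()      # over-long keys are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")      # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(ipad + msg).digest()
    return hashlib.sha1(opad + inner).hexdigest()


def appended_secret_sha1(secret: bytes, body: bytes) -> str:
    """Assumed literal reading of the quoted sentence: one SHA-1 pass over
    the body with the secret appended. This is not HMAC."""
    return hashlib.sha1(body + secret).hexdigest()


def verify_signature(secret: bytes, body: bytes, received_hex: str) -> bool:
    """Subscriber-side check: recompute the real HMAC with the standard
    library and compare in constant time."""
    expected = hmac.new(secret, body, hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected, received_hex)


# Constructed sample values, for illustration only.
SECRET = b"constructed-hub-secret"
BODY = b"<feed><entry>constructed notification</entry></feed>"

if __name__ == "__main__":
    print("RFC 2104 HMAC-SHA1 :", rfc2104_hmac_sha1(SECRET, BODY))
    print("SHA1(body||secret) :", appended_secret_sha1(SECRET, BODY))
    print("stdlib hmac agrees :",
          verify_signature(SECRET, BODY, rfc2104_hmac_sha1(SECRET, BODY)))
```

A hub and a subscriber that pick different readings of the sentence produce different digests for the same notification, so verification fails even with the correct secret.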
