Alternatively, many people implementing webhooks (PSHB being one example) use an HTTP header for signing. So far everybody does it differently. I like Magic Signatures, I also like the loosely inspired JWT, but I feel like something that lives in the headers is the Right Way to do this.
There is a very rough draft for something that could solve this problem: http://tools.ietf.org/html/draft-burke-content-signature-00

I've been recommending it to people looking at signing their webhook payloads. It's not exactly usable yet, but I think it's a good thing to think about. Perhaps we can borrow semantics from Magic Signature and put them into Content Signature?

-jeff

On Sun, Nov 20, 2011 at 1:56 PM, Bob Wyman <[email protected]> wrote:
> Julien suggests that a new mechanism is required to provide secure
> notification when sending arbitrary content.
> One useful and simple approach to this problem is provided by the "Magic
> Signature" <http://salmon-protocol.googlecode.com/svn/trunk/draft-panzer-magicsig-01.html> method
> of the Salmon Protocol <http://www.salmon-protocol.org/>.
> If one assumes that the primary concerns for security involve ensuring
> that data tampering and authorship can be detected, the Magic Signature
> approach should do the job well. It would not, however, be suitable if the
> intent is to publish "secret" data.
>
> See:
> http://salmon-protocol.googlecode.com/svn/trunk/draft-panzer-magicsig-01.html
>
> bob wyman
>

--
Jeff Lindsay
http://progrium.com
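The header-based signing pattern the thread refers to, as an added example that is not code from the thread, from Magic Signatures or from the Content Signature draft: the sender computes an HMAC over the raw request body under a shared secret and carries it in a header, and the receiver recomputes it over the same raw bytes and compares in constant time (the header name and HMAC-SHA256 are assumptions). As Bob notes for Magic Signatures, this detects tampering and proves origin but does not make the payload secret.

```python
import hmac
import hashlib

# Assumed header name; as the thread notes, every implementation picks its own.
SIGNATURE_HEADER = "X-Hub-Signature"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Sender side: return the header value 'sha256=<hex HMAC>' for a body.

    The MAC covers the exact bytes put on the wire, never a re-serialised
    form of the JSON, so sender and receiver always hash identical input.
    """
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_payload(secret: bytes, body: bytes, headers: dict) -> bool:
    """Receiver side: recompute the MAC over the raw body and compare it to
    the header in constant time. A missing, malformed or mismatched header
    returns False rather than raising, so the caller simply drops the request.
    """
    # HTTP header names are case-insensitive; match accordingly.
    value = next((v for k, v in headers.items()
                  if k.lower() == SIGNATURE_HEADER.lower()), None)
    if not value:
        return False
    algo, sep, received = value.partition("=")
    if not sep or algo != "sha256":
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(expected, received)


# Constructed sample values: a shared secret and a webhook body.
SECRET = b"constructed-shared-secret"
BODY = b'{"event":"item.updated","id":42}'


def demo() -> dict:
    """Sign a body, then check the genuine, a tampered and an unsigned delivery."""
    headers = {SIGNATURE_HEADER: sign_payload(SECRET, BODY)}
    return {
        "ok": verify_payload(SECRET, BODY, headers),
        "tampered": verify_payload(SECRET, BODY.replace(b"42", b"43"), headers),
        "missing": verify_payload(SECRET, BODY, {}),
    }
```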
