Oooops, I meant "Hubs should NOT care/store the verify_token...". Sorry about that!
And again, its purpose is certainly not to authenticate anything... as that wouldn't be secure. The only way to authenticate the hub from the subscriber perspective is to use https when talking with the hub.

Thanks

On Mon, Feb 20, 2012 at 4:17 PM, Andy Dennie <[email protected]> wrote:
> Actually, I don't think hubs should store the verify_token beyond the
> subscription verification request -- as I understand things, its only
> purpose is to "authenticate" the hub sending the verification request, and
> is of no further use after that (the hub.secret value serves that purpose
> for content distribution requests). In fact, in my code, I purge the
> verify_token value after validating it in my processing of the subscription
> verification request, so that it can't be used again by an imposter hub
> that has sniffed its value.
>
> But then again, I'm kind of new to this stuff, so I could be interpreting
> things incorrectly.
>
> Please see my related comment in the "removal of verify_token" topic.
> -Andy
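
The subscriber-side handling described in the quoted message, as an added example that is not code from either poster: the verify_token is compared once and then purged, and hub.secret is used to check the `X-Hub-Signature` header on content distribution requests. The in-memory `pending` store, the function names and the sample topic URL are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical in-memory store: topic URL -> {"verify_token": ..., "secret": ...}
pending = {}

def start_subscription(topic):
    """Generate the per-subscription verify_token and hub.secret sent to the hub."""
    entry = {
        "verify_token": secrets.token_urlsafe(32),
        "secret": secrets.token_urlsafe(32),
    }
    pending[topic] = entry
    return entry

def handle_verification(params):
    """Process the hub's verification GET; return (status, body)."""
    entry = pending.get(params.get("hub.topic"))
    token = entry and entry.get("verify_token")
    supplied = params.get("hub.verify_token", "")
    # Constant-time comparison; a missing or already purged token always fails.
    if not token or not hmac.compare_digest(token.encode(), supplied.encode()):
        return 404, ""
    # Purge after the first successful use so a sniffed value cannot be replayed.
    entry["verify_token"] = None
    return 200, params.get("hub.challenge", "")

def verify_content(topic, body, signature_header):
    """Check X-Hub-Signature: 'sha1=' + hex HMAC-SHA1 of the body keyed by hub.secret."""
    entry = pending.get(topic)
    if not entry or not signature_header.startswith("sha1="):
        return False
    expected = hmac.new(entry["secret"].encode(), body, hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected.encode(), signature_header[5:].encode())
```

The verify_token and hub.secret travel to the hub in the subscription request, so they stay confidential only when that request is sent over https.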
