Hi John,

Following your arguments, I could add "integrity protection of complete HTTP requests in an interoperable way" to the "pro HTTPS" section?

regards,
Torsten.

On 16.03.2010 07:22, John Panzer wrote:
I'm confused by one "pro" for signatures:

"Protect integrity of whole request - authorization data and payload when communicating over unsecure channel"

I do not believe there is an existing concrete proposal that will protect the whole request, unless you add additional restrictions on the request types -- e.g., only HTTP GET or POST with form-encoded data variables only.

If the assertion is that signatures will actually provide integrity for arbitrary HTTP request bodies as well as the URL, authority, and HTTP method: I would like to see at least one concrete proposal that will accomplish this. IIRC there's only one that I think is possibly implementable in an interoperable way, and it supports only JSON payloads. In other words, anyone using body signing would need to wrap their data in JSON to do it. (This is not necessarily the worst thing in the world, of course, but it is something to be taken into account when listing pros and cons.)

On Mon, Mar 15, 2010 at 3:50 PM, Torsten Lodderstedt <tors...@lodderstedt.net> wrote:

    Hi all,

    I composed a detailed summary at
    http://trac.tools.ietf.org/wg/oauth/trac/wiki/SignaturesWhy.
    Please review it.

    @Zachary: I also added some of your recent notes.

    regards,
    Torsten.

    I volunteer to write it up.
    <hat type='chair'/>

    On 3/4/10 1:00 PM, Blaine Cook wrote:
    One of the things that's been a primary focus of both today's WG call
    and last week's call is what are the specific use cases for
    signatures?

    - Why are signatures needed?
    - What do signatures need to protect?

    Let's try to outline the use cases! Please reply here, so that we have
    a good idea of what they are as we move towards the Anaheim WG.
    This was a valuable thread. Perhaps someone could write up a summary of
    the points raised, either on the list or at the wiki?

    Peter


    _______________________________________________
    OAuth mailing list
    OAuth@ietf.org  <mailto:OAuth@ietf.org>
    https://www.ietf.org/mailman/listinfo/oauth







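The point John raises above (a signature over method, URL and form-encoded parameters says nothing about a JSON or other non-form body) can be made concrete with a small experiment. The following is an added example, not code from this thread and not the wire format of any of the proposals John refers to: it builds two toy base strings over the same POST, one in the OAuth 1.0 style (method, normalized URL, sorted query/form parameters) and one that additionally binds the content type and a SHA-256 digest of the raw body, HMACs both with a constructed shared secret, and then checks which signature still verifies after an on-path attacker rewrites the JSON body. The key, URL, body and helper names are all constructed for illustration.

```python
"""Added example: why a form-parameter signature does not cover a JSON body.

Two toy signing schemes over one HTTP request:
  * form_only_base(): method, normalized URL, sorted query/form parameters
    (the shape John Panzer describes existing proposals as covering).
  * whole_request_base(): the same, plus the content type and a SHA-256
    digest of the raw body, so any body (JSON, XML, binary) is bound.

Everything here (key, URL, body, base-string layout) is constructed for
illustration and is not any proposal's actual wire format.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

KEY = b"client-secret-example"  # constructed; shared by client and server


def _pct(s: str) -> str:
    # Percent-encode with no reserved characters left bare.
    return quote(s, safe="")


def _base_url_and_query(url: str):
    parts = urlsplit(url)
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    query = parse_qsl(parts.query, keep_blank_values=True)
    return base_url, query


def form_only_base(method: str, url: str, form_params: dict) -> str:
    """OAuth 1.0-style base string: nothing about a non-form body is included."""
    base_url, query = _base_url_and_query(url)
    params = sorted(query + list(form_params.items()))
    return "&".join([method.upper(), _pct(base_url), _pct(urlencode(params))])


def whole_request_base(method: str, url: str, body: bytes, content_type: str) -> str:
    """Base string that also binds the content type and a digest of the raw body."""
    base_url, query = _base_url_and_query(url)
    body_hash = hashlib.sha256(body).hexdigest()
    return "&".join([method.upper(), _pct(base_url), _pct(urlencode(sorted(query))),
                     _pct(content_type), body_hash])


def sign(base: str) -> str:
    return hmac.new(KEY, base.encode(), hashlib.sha256).hexdigest()


def verify(base: str, sig: str) -> bool:
    # Constant-time comparison so the verifier does not leak the expected MAC.
    return hmac.compare_digest(sign(base), sig)


def demo():
    """Client signs a JSON POST; an on-path attacker rewrites only the body.

    Returns (form_only_accepts_tampered, whole_request_accepts_tampered).
    """
    method = "POST"
    url = "https://api.example.test/v1/transfer?oauth_consumer_key=abc"  # constructed
    body = b'{"to":"alice","amount":10}'  # constructed JSON body
    ctype = "application/json"

    # Signatures the client produced over the original request.
    sig_form = sign(form_only_base(method, url, {}))  # JSON body: no form params
    sig_whole = sign(whole_request_base(method, url, body, ctype))

    # Attacker changes the body in transit; method, URL and query are untouched.
    tampered = b'{"to":"mallory","amount":1000000}'

    form_only_ok = verify(form_only_base(method, url, {}), sig_form)
    whole_ok = verify(whole_request_base(method, url, tampered, ctype), sig_whole)
    return form_only_ok, whole_ok


if __name__ == "__main__":
    form_ok, whole_ok = demo()
    print("form-only signature still verifies after body tampering:", form_ok)
    print("body-bound signature still verifies after body tampering:", whole_ok)
```

The form-only scheme accepts the rewritten JSON body because the body never entered the base string; the body-bound scheme rejects it. Binding a body digest is the easy part of the interoperability question; what remains open, and what the thread is really about, is agreeing on a canonical representation of the rest of the request (which headers, how the URL is normalized, how the body is framed) that every implementation computes identically.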
