On 2010-07-10, at 1:21 PM, David Recordon wrote:

> On Sat, Jul 10, 2010 at 11:00 AM, Dick Hardt <dick.ha...@gmail.com> wrote:
> On 2010-07-10, at 9:58 AM, Paul Tarjan wrote:
>> Hi OAuthers,
>> 
>> First of all, I think I should introduce myself. I work at Facebook on the 
>> Platform team (anything not facebook.com). Before this I was at Yahoo! doing 
>> SearchMonkey (semantic web stuff). I've written a few OAuth applications and 
>> libraries, both at Yahoo and in my spare time.  
>> 
>> For Facebook apps we're going to use your signature scheme with the 
>> following changes:
> 
> I would hope you would think it is "our" signature scheme rather than "your" 
> signature scheme
> 
> I think Paul was referring to the proposal Dirk put forward since there isn't 
> anything which has become part of OAuth yet. ;)

The email was addressed to "OAuthers" -- I would hope that Paul would soon 
consider himself one of those!

> 
>> * the signature comes before the payload
>> * we used the key 'algorithm' instead of 'alg' and 'expires' instead of 
>> 'not_before'
> 
> Good points to add to the discussion. Perhaps you would articulate why you 
> made those choices?
> 
> I think Naitik talked about the signature coming before the payload in this 
> thread. Through implementations we've found that lsplit is easier in some 
> languages.

I think having an envelope as the first blob enables a parser to know what to 
do with the rest of the blobs, and that this trumps the minor lsplit argument.

> 
> The benefit of using 'alg' is unclear compared to spelling out the word 
> 'algorithm' which adds clarity for developers.

Agree that 'algorithm' is easier to understand and preferable to 'alg'

-- Dick

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
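
The verifier's side of the signature-first layout discussed in this thread, as an added example that is not code from any participant or from Facebook. Assumptions not stated in the thread: a `.` separator, base64url encoding, a JSON payload, HMAC-SHA256, and the algorithm name string. Because the 'algorithm' field is only readable after the signature blob, the verifier pins its own algorithm and treats the field as a claim to check, never as a selector.

```python
import base64, hashlib, hmac, json, time

# Assumed algorithm name; the thread does not name one.
ALLOWED_ALGORITHMS = {"HMAC-SHA256"}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload: dict, secret: bytes) -> str:
    """Build '<signature>.<payload>' (signature first, as in the thread)."""
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return b64url_encode(sig) + "." + body

def verify(token: str, secret: bytes, now=None) -> dict:
    now = time.time() if now is None else now
    # Split once from the left: everything after the first '.' is the payload.
    sig_b64, sep, body = token.partition(".")
    if not sep or not sig_b64 or not body:
        raise ValueError("malformed token")
    # The MAC algorithm is fixed by the verifier, not read from the token.
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    try:
        given = b64url_decode(sig_b64)
    except ValueError:
        raise ValueError("malformed signature")
    if not hmac.compare_digest(given, expected):
        raise ValueError("bad signature")
    # Only now is the payload parsed; its fields are checked, not trusted.
    payload = json.loads(b64url_decode(body))
    if payload.get("algorithm") not in ALLOWED_ALGORITHMS:
        raise ValueError("unsupported algorithm")
    expires = payload.get("expires")
    if not isinstance(expires, (int, float)) or expires <= now:
        raise ValueError("expired")
    return payload

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    token = sign({"algorithm": "HMAC-SHA256", "expires": 2000, "user": "u1"}, secret)
    print(verify(token, secret, now=1000))
```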
