I do not want to allow the client any flexibility in choosing the algorithm
once a MAC key has been issued. Every other standard provides a negotiation step
in which the client can figure out which algorithms are available, and
therefore needs to indicate which one was used. I don't want to suppo
Eran,
>> 16. OAuth2 can provide a "secret" as a Unicode string. MAC algorithms such
>> as HMAC use a key that is a byte array. Section 2 of the MAC spec says
>> 'secret'
>> can only include printable ASCII chars (except " and /). This is not quite
>> right.
>> The MAC scheme should expect 'secret
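An added illustration of point 16 above (example code, not code from the thread or from the draft): HMAC consumes a byte array, so a Unicode 'secret' has to be turned into bytes under one agreed rule. The secret and body below are constructed values; `encoding` is the assumed parameter that stands in for whatever rule the spec would fix.

```python
import hashlib
import hmac

# Constructed sample inputs (not real credentials or traffic).
SECRET = "pässword"           # Unicode secret containing a non-ASCII character
BODY = b'{"msg":"hello"}'     # request body to authenticate


def key_bytes(secret: str, encoding: str) -> bytes:
    """Convert the Unicode 'secret' into the key bytes HMAC actually uses."""
    return secret.encode(encoding)


def hmac_sha1_hex(secret: str, message: bytes, encoding: str = "utf-8") -> str:
    """HMAC-SHA-1 over message, keyed with the secret encoded as given."""
    return hmac.new(key_bytes(secret, encoding), message, hashlib.sha1).hexdigest()


def mac_matches(secret: str, message: bytes,
                client_encoding: str, server_encoding: str) -> bool:
    """Does a client using one encoding verify against a server using another?"""
    client_mac = hmac_sha1_hex(secret, message, client_encoding)
    server_mac = hmac_sha1_hex(secret, message, server_encoding)
    return hmac.compare_digest(client_mac, server_mac)


def is_draft_printable_ascii(secret: str) -> bool:
    """The restriction the comment quotes from section 2: printable ASCII
    only, excluding the characters '"' and '/'."""
    return all(0x20 <= ord(c) <= 0x7E and c not in '"/' for c in secret)


if __name__ == "__main__":
    # A non-ASCII secret encoded as UTF-8 and as Latin-1 yields different keys,
    # so the two sides compute different MACs unless the encoding is pinned down.
    print("utf-8 vs utf-8:  ", mac_matches(SECRET, BODY, "utf-8", "utf-8"))
    print("utf-8 vs latin-1:", mac_matches(SECRET, BODY, "utf-8", "latin-1"))
    print("draft-ASCII secret?", is_draft_printable_ascii(SECRET))
```

An ASCII-only secret is unaffected by the choice of encoding, which is why the printable-ASCII restriction sidesteps the problem at the cost of rejecting secrets OAuth2 itself allows.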
Eran,
>> 13. The MAC algorithm should be explicitly indicated in the request, instead
>> of being implied by the access-token/id. I suggest including an "algorithm"
>> parameter in the "Authorization" request header. I also suggest including an
>> "algorithms" parameter in the "WWW-Authenticate" r
>> 14. Explicitly state in section 3.3.2 (and 3.3.3) that SHA-1 (and SHA-256)
>> are
>> used to calculate the body hash when using the hmac-sha-1 (and hmac-sha-
>> 256) algorithm.
> Why isn't 3.2 enough? That's where body hash is discussed.
3.2 says the "body hash algorithm is determined by the
Thanks James.
> -Original Message-
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Manger, James H
> Sent: Thursday, February 03, 2011 9:23 PM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] MAC: more comments on draft-hammer-oauth-v2-
> mac-token-02
>
> Comments