On 2010-07-10, at 9:58 AM, Paul Tarjan wrote:

> Hi OAuthers,
> 
> First of all, I think I should introduce myself. I work at Facebook on the 
> Platform team (anything not facebook.com). Before this I was at Yahoo! doing 
> SearchMonkey (semantic web stuff). I've written a few OAuth applications and 
> libraries, both at Yahoo and in my spare time.  
> 
> For Facebook apps we're going to use your signature scheme with the following 
> changes:

I would hope you would think it is "our" signature scheme rather than "your" 
signature scheme.

> 
> * the signature comes before the payload
> * we used the key 'algorithm' instead of 'alg' and 'expires' instead of 
> 'not_before'

Good points to add to the discussion. Perhaps you would articulate why you made 
those choices?

> * we aren't sending any keys except algorithm, expires, and oauth_token 
> (since we're a special use case)

If you are a special use case, then not sure why there is any point in being a 
standard.
Assuming you meant "parameters" instead of "keys"? "key" has special meaning 
when you are discussing crypto.

> * we named the parameter signed_request because it is the signed part of a 
> request  

Which parameter?

> 
> We would love if you could adopt those changes. Then you'd have a real world 
> implementation out the door already :) We plan on launching July 20. 

Er, we welcome feedback on the standard. Facebook can deploy whatever they want 
to deploy. An early implementation is useful to see what the issues might be. 
While possible, it is unlikely what you deploy will be the standard.

> 
> Paul
> 
> Sent from my iPhone

Thanks for letting us know what device you use.

-- Dick
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
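
Added example, not part of the thread and not Facebook's code: a receiver-side check for a `signed_request` value with the signature before the payload and the `algorithm`, `expires` and `oauth_token` parameters listed in the quoted message. The `signature.payload` layout with base64url parts, the `HMAC-SHA256` algorithm name, keying with a shared secret and `expires` as a Unix timestamp are assumptions the thread does not state; all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

ALLOWED_ALGORITHM = "HMAC-SHA256"  # assumption: the only value this receiver accepts

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_signed_request(payload: dict, secret: bytes) -> str:
    """Sender side, used here only to build constructed sample values."""
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return b64url_encode(sig) + "." + body  # signature comes before the payload

def verify_signed_request(value: str, secret: bytes, now=None) -> dict:
    """Return the payload if authentic and unexpired, otherwise raise ValueError."""
    sig_part, body = value.split(".", 1)  # ValueError if the separator is missing
    sig = b64url_decode(sig_part)
    payload = json.loads(b64url_decode(body))
    if not isinstance(payload, dict):
        raise ValueError("payload is not a JSON object")
    # Pin the algorithm: the field is sender-controlled and must not select the check.
    if payload.get("algorithm") != ALLOWED_ALGORITHM:
        raise ValueError("unexpected algorithm")
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    # Only read claims after the MAC has been verified.
    current = time.time() if now is None else now
    expires = payload.get("expires")
    if not isinstance(expires, (int, float)) or expires <= current:
        raise ValueError("expired or missing 'expires'")
    return payload

if __name__ == "__main__":
    secret = b"constructed-app-secret"  # constructed sample secret
    claims = {"algorithm": "HMAC-SHA256", "expires": 2000, "oauth_token": "tok"}
    sample = make_signed_request(claims, secret)
    print(verify_signed_request(sample, secret, now=1000))
```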
