Yes, there is certainly a risk if someone just checks the signature and does not verify the content of the message. This is a bad implementation
of an authorization system, to be sure, and it's an issue that people
need to be aware of. But simply signing metadata doesn't completely
solve the problem, either. In both cases there can be parameters that
are outside of the signed request that need to be checked and treated
appropriately.

Ah, perhaps I was unclear. I didn't mean *signing* metadata, I meant *sending* metadata. Using a completely made-up syntax:

1. Signer computes signature sig_val over data object:
   { user_agent: "Mozilla", method: "GET" }
2. Signer sends { signed_fields: ['user_agent', 'method'], sig: sig_val }
3. Recipient reconstructs data object using signed_fields
4. Recipient verifies sig_val == sign(reconstructed_object)

--Richard
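The four-step exchange sketched above, worked through as an added example (not code from the thread or from any OAuth implementation). It assumes an HMAC-SHA256 signature over a canonical JSON encoding of the named fields, since the thread specifies neither; the shared key and the request values are constructed for the example. It also addresses the caveat raised in the first message: because the sender picks signed_fields, the recipient has to insist that the parameters it relies on are actually among the covered fields, otherwise a valid signature over an uninteresting subset would pass.

```python
import hashlib
import hmac
import json

# Constructed example key; a real deployment would hold a per-client secret.
SECRET_KEY = b"example-shared-secret"


def canonicalize(fields, request):
    """Rebuild the signed data object from the listed field names.

    Both sides must produce identical bytes, so the encoding is made
    deterministic (sorted keys, fixed separators). A field that is named in
    signed_fields but absent from the request is an error, not an empty value.
    """
    try:
        obj = {name: request[name] for name in fields}
    except KeyError as missing:
        raise ValueError(f"signed field {missing} not present in request")
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign(fields, request):
    """Step 1: compute sig_val over the data object built from `fields`."""
    return hmac.new(SECRET_KEY, canonicalize(fields, request), hashlib.sha256).hexdigest()


def build_signed_request(request, fields):
    """Step 2: signer sends the request together with signed_fields and sig."""
    signed = dict(request)
    signed["signed_fields"] = list(fields)
    signed["sig"] = sign(fields, request)
    return signed


def verify(received, required_fields=("method", "path")):
    """Steps 3 and 4 on the recipient side.

    Returns True only if the signature covers every field the recipient
    requires and matches the object reconstructed from the received request.
    `required_fields` is an assumed policy hook, not part of the thread's syntax.
    """
    fields = received.get("signed_fields")
    sig = received.get("sig")
    if not isinstance(fields, list) or not isinstance(sig, str):
        return False
    # The sender chooses signed_fields, so the recipient must check that the
    # parameters it depends on are inside the signed set before trusting them.
    if not set(required_fields) <= set(fields):
        return False
    try:
        expected = sign(fields, received)
    except ValueError:
        return False
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    # Constructed request; "path" stands in for whatever the recipient keys on.
    request = {"method": "GET", "path": "/resource", "user_agent": "Mozilla"}
    message = build_signed_request(request, ["method", "path", "user_agent"])
    print("intact:", verify(message))
    tampered = dict(message, path="/other")
    print("tampered path:", verify(tampered))
    partial = build_signed_request(request, ["user_agent"])
    print("path left unsigned:", verify(partial))
```

The `required_fields` check is the part that the made-up syntax alone does not give you: without it, a signature that legitimately covers only `user_agent` verifies fine while `method` and `path` remain unauthenticated, which is exactly the "parameters outside of the signed request" situation described above.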
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth