Myself and others feel that a spec for how to sign a request would be useful for other specifications. As I noted in a previous email, there was dismay when the signing of an OpenID message was very similar, but different than the signing in OAuth 1.0A.
Signing messages was a huge stumbling block for OAuth 1.0A deployment. Having a more general signing specification that leads to generic libraries for signing and verifying would be a GOOD THING IMHO.

To be clear, I am not saying we should ignore signing; I see that it can be complex, particularly when you start looking at key discovery and multi-algorithm support. I think it would be better to do it right in a spec rather than just including the OAuth 1.0A algorithm and it being cumbersome to deal with key management and alternative algorithm support.

On 2010-09-27, at 10:01 AM, Igor Faynberg wrote:

> I mistyped, and just noticed that it looked strange. I meant to type:
>
> Igor Faynberg wrote:
>> ...
>> But if both the OAuth signatures and the OAuth core specifications are
>> complete and going for approval at the same time, why not actually have them
>> in the same spec, especially given that THE (not "we") experts who have
>> agreed working on this and ARE working on this?
>>
>> Igor