While important, the body is not always available for inspection and hashing. All the parameter normalization is done to ensure it will be possible even on the most limited platform. The same cannot be done for the body. That's why it is optional.

EHL

> -----Original Message-----
> From: Skylar Woodward [mailto:sky...@kiva.org]
> Sent: Tuesday, February 08, 2011 12:57 AM
> To: Eran Hammer-Lahav
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02
> 
> On Feb 8, 2011, at 6:45 AM, Eran Hammer-Lahav wrote:
> > This authentication method comes with well understood security
> > properties. By making query parameters optional because of developer
> > ease, providers will be giving up an important part of the protection this
> > protocol offers. This is especially true for the majority of APIs where query
> > parameters are critical to the request integrity.
> 
> Is the same then not true of content body? Why require one and not the
> other? Either you trust providers to decide when the content/parameter
> portions of a request (or an API) are critical to request integrity, or you 
> don't.
> 
> With that argument you should just require a body hash and be done with it.
> What's the argument to make it an optional part of the base string?

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
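The integrity-coverage question discussed in the thread (what the MAC protects when query parameters are normalized into the base string but the body hash is left out), as an added illustration that is not part of the thread, the draft, or any OAuth implementation. The field layout of the normalized string, the use of HMAC-SHA-256, the shared key, nonce, URL and request bodies are all constructed assumptions for the example and do not reproduce draft-02's exact format; what the code shows is which tampering a verifier can and cannot detect depending on whether the optional body hash was supplied.

```python
import base64
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qsl, quote, urlsplit


def body_hash(body: bytes) -> str:
    """Base64(SHA-256(body)): the value a client would send as a bodyhash attribute."""
    return base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


def normalize_query(query: str) -> str:
    """Sort and percent-encode query pairs so client and server derive the same
    string regardless of parameter order or encoding differences."""
    pairs = sorted(parse_qsl(query, keep_blank_values=True))
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in pairs)


def normalized_request_string(method: str, url: str, nonce: str,
                              bodyhash: Optional[str]) -> str:
    """Constructed field layout (an assumption, not the draft's exact layout):
    one element per line. The body hash line is empty when the client omitted it."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    fields = [
        nonce,
        method.upper(),
        parts.path or "/",
        normalize_query(parts.query),
        parts.hostname or "",
        str(port),
        bodyhash or "",
    ]
    return "\n".join(fields) + "\n"


def compute_mac(key: bytes, nrs: str) -> str:
    """HMAC-SHA-256 over the normalized request string, base64-encoded."""
    digest = hmac.new(key, nrs.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify(key: bytes, mac: str, method: str, url: str, nonce: str,
           body: bytes, bodyhash: Optional[str] = None) -> bool:
    """Server-side check. If the client supplied a bodyhash attribute it must match
    the received body; the MAC is then recomputed over the same normalized string
    the client signed. With no bodyhash attribute, the body is simply not covered."""
    if bodyhash is not None and not hmac.compare_digest(bodyhash, body_hash(body)):
        return False
    expected = compute_mac(key, normalized_request_string(method, url, nonce, bodyhash))
    return hmac.compare_digest(expected, mac)


def coverage_demo() -> dict:
    """Sign one request two ways (with and without the body hash) and report
    which modifications each verifier detects. All inputs are constructed."""
    key = b"constructed-shared-secret"   # constructed, not a real credential
    nonce = "264095:7d8f3e4a"             # constructed
    url = "https://api.example.com/v1/transfer?amount=10&to=alice"
    body = b'{"memo":"rent"}'
    tampered_url = url.replace("amount=10", "amount=1000")
    tampered_body = b'{"memo":"rent","to":"mallory"}'

    # Client A omits the body hash: the MAC covers nonce, method, path,
    # normalized query, host and port only.
    mac_no_body = compute_mac(key, normalized_request_string("POST", url, nonce, None))
    # Client B includes it, binding the body to the same MAC.
    bh = body_hash(body)
    mac_with_body = compute_mac(key, normalized_request_string("POST", url, nonce, bh))

    return {
        "genuine_request_accepted":
            verify(key, mac_with_body, "POST", url, nonce, body, bh),
        "query_tamper_detected":
            not verify(key, mac_no_body, "POST", tampered_url, nonce, body, None),
        "body_tamper_detected_without_bodyhash":
            not verify(key, mac_no_body, "POST", url, nonce, tampered_body, None),
        "body_tamper_detected_with_bodyhash":
            not verify(key, mac_with_body, "POST", url, nonce, tampered_body, bh),
    }
```

Because the normalized query parameters are always part of the string, changing `amount` invalidates the MAC in both cases; a modified body is only caught when the client chose to send the body hash, since a verifier that receives no bodyhash attribute has nothing to compare against. That asymmetry is the trade-off the thread is discussing: optional coverage is only as strong as the provider's policy on when it must be present.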
