> -----Original Message-----
> From: Skylar Woodward [mailto:sky...@kiva.org]
> Sent: Monday, February 07, 2011 9:25 AM
> To: Eran Hammer-Lahav; OAuth WG
> Subject: Re: [OAUTH-WG] draft-hammer-oauth-v2-mac-token-02
>
> On body-hash...
>
> Having completed a trial implementation, it seems redundant, and
> potentially problematic, to include the body-hash in the Authentication
> header. The danger is that implementors may neglect to recalculate the hash
> themselves, reusing the value (even if incorrect) provided by the client. Why
> not just require the provider to calculate this and validate it by comparing the
> final signature? This way it's clearer for everyone what the expectations are
> in validating the signature.
I actually like this "feature". If the server doesn't care about body integrity for whatever reason (based on its security analysis), it can still validate the request without bothering to validate the body hash.

EHL

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
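The two positions in this exchange can be seen side by side in a minimal server-side verifier. The following is an added example, not code from the thread, the draft or any OAuth implementation: the key id, key, nonce and request body are constructed, and the normalized request string is a simplified stand-in whose element order is an assumption rather than the draft's exact grammar. The `check_body` flag is the choice the two messages disagree about: with it off, the MAC still binds the header's `bodyhash` value to the client's key (EHL's point), but the received body is never hashed, so the server accepts a body that no longer matches the header (Skylar's concern).

```python
import base64
import hashlib
import hmac

# Constructed credentials for this example; a real server looks these up per client.
MAC_KEYS = {"h480djs93hd8": b"adiMf50Ykd1bv9xqAfh1"}  # mac key id -> shared MAC key


def body_hash(body: bytes) -> str:
    """bodyhash as the draft describes it: base64 of SHA-256 over the raw entity body."""
    return base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


def normalized_request_string(nonce, method, uri, host, port, bodyhash, ext=""):
    """Simplified stand-in for the draft's normalized request string.
    The element order and newline joining are an assumption for this example;
    the point is only that bodyhash is one of the signed elements."""
    return "\n".join([nonce, method.upper(), uri, host.lower(), str(port), bodyhash, ext]) + "\n"


def compute_mac(key: bytes, nrs: str) -> str:
    """HMAC-SHA256 over the normalized request string, base64-encoded."""
    return base64.b64encode(hmac.new(key, nrs.encode("utf-8"), hashlib.sha256).digest()).decode("ascii")


def client_sign(key_id, nonce, method, uri, host, port, body):
    """Client side: hash the body, sign the normalized string, emit the header fields."""
    bh = body_hash(body)
    mac = compute_mac(MAC_KEYS[key_id], normalized_request_string(nonce, method, uri, host, port, bh))
    return {"id": key_id, "nonce": nonce, "bodyhash": bh, "mac": mac}


def verify_request(header, method, uri, host, port, body, check_body=True):
    """Server side. The MAC is always verified over the header's own bodyhash value,
    which binds that value to the client's key. With check_body=False the received
    body is never hashed, so a body that no longer matches the header is accepted
    as long as the header fields themselves are intact."""
    key = MAC_KEYS.get(header["id"])
    if key is None:
        return False
    nrs = normalized_request_string(header["nonce"], method, uri, host, port, header["bodyhash"])
    if not hmac.compare_digest(compute_mac(key, nrs), header["mac"]):
        return False
    if check_body and not hmac.compare_digest(body_hash(body), header["bodyhash"]):
        return False
    return True


if __name__ == "__main__":
    # Constructed request; the nonce is a made-up value, not one from the draft.
    req = ("POST", "/resource/1?b=1&a=2", "example.com", 80)
    body = b'{"amount": 10}'
    hdr = client_sign("h480djs93hd8", "1297089900:dj83hs9s", *req, body)
    print("intact body, recomputed hash :", verify_request(hdr, *req, body, check_body=True))
    print("altered body, header only    :", verify_request(hdr, *req, b'{"amount": 9999}', check_body=False))
    print("altered body, recomputed hash:", verify_request(hdr, *req, b'{"amount": 9999}', check_body=True))
```

A server that skips the body check is making a deliberate decision to trust only the header, which is what EHL describes; a server that wants body integrity must recompute `bodyhash` from the bytes it actually received and compare, which is the step Skylar worries implementors will forget. Note also that replacing the header's `bodyhash` with one matching a different body does not help without the key, because the MAC covers that field.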