We had a discussion today about the MAC token spec. There was confusion was to whether payload body included the headers or just the HTTP request message body. I think the confusion comes about because of subtle term differences in other RFCs, see the message from Ron below...
From Ron: > I took a look at rfc's 2626 (and 822) on the structure of http request > messages, and I think at worst the > terminology used in HTTP Authentication: MAC Access Authentication could be > improved. > > the headers are indeed separated from the the message body, but the use of > the term payload may be confusing > since it apparently refers to the entire message > > so for example, the MAC document uses., "The HTTP request payload body", > apparently to refer to the message body within the message payload. > > that may be fine, or it might be better to use "The HTTP request message > body", as that more correlates to the terms used in > 2626 > > > <quote> > HTTP-message = Request | Response ; HTTP/1.1 messages > Request (section 5) and Response (section 6) messages use the generic message > format of RFC 822 [9] for transferring entities (the payload of the message). > Both types of message consist of a start-line, zero or more header fields > (also known as "headers"), an empty line (i.e., a line with nothing preceding > the CRLF) indicating the end of the header fields, and possibly a > message-body. > > generic-message = start-line > *(message-header CRLF) > CRLF > [ message-body ] > start-line = Request-Line | Status-Line > </quote> > > It appears that MAC Access Authentication was not intended to protect header > values (other than the HOST header); that probably makes things much simpler, > as otherwise, as Phil suggested, there could be a cyclic dependency in the > mac calculation. > I agree, the recommendation to use "HTTP request message body" is clearer than "HTTP request payload body". Phil @independentid www.independentid.com phil.h...@oracle.com
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
