'Payload body' as defined by http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-14#section-3.3
Message body is the wire bits which may include a range of content encoding, compression, fragmentation, etc. The point is that the client can't really know what the message body is going to look like on the other side, but once the body has been properly "decoded", the original payload body is what we hash.

EHL

From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Phil Hunt
Sent: Wednesday, June 15, 2011 2:16 PM
To: OAuth WG
Subject: [OAUTH-WG] What constitutes "Payload Body" in MAC spec

We had a discussion today about the MAC token spec. There was confusion as to whether payload body included the headers or just the HTTP request message body. I think the confusion comes about because of subtle term differences in other RFCs, see the message from Ron below...

From Ron:

I took a look at RFCs 2626 (and 822) on the structure of HTTP request messages, and I think at worst the terminology used in HTTP Authentication: MAC Access Authentication could be improved. The headers are indeed separated from the message body, but the use of the term payload may be confusing since it apparently refers to the entire message. So for example, the MAC document uses "The HTTP request payload body", apparently to refer to the message body within the message payload. That may be fine, or it might be better to use "The HTTP request message body", as that more correlates to the terms used in 2626.

<quote>
HTTP-message = Request | Response ; HTTP/1.1 messages

Request (section 5) and Response (section 6) messages use the generic message format of RFC 822 [9] for transferring entities (the payload of the message). Both types of message consist of a start-line, zero or more header fields (also known as "headers"), an empty line (i.e., a line with nothing preceding the CRLF) indicating the end of the header fields, and possibly a message-body.

generic-message = start-line
                  *(message-header CRLF)
                  CRLF
                  [ message-body ]
start-line      = Request-Line | Status-Line
</quote>

It appears that MAC Access Authentication was not intended to protect header values (other than the HOST header); that probably makes things much simpler, as otherwise, as Phil suggested, there could be a cyclic dependency in the MAC calculation.

I agree, the recommendation to use "HTTP request message body" is clearer than "HTTP request payload body".

Phil
@independentid
www.independentid.com<http://www.independentid.com>
phil.h...@oracle.com<mailto:phil.h...@oracle.com>
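A small worked illustration of the distinction EHL draws above, added here as an example; it is not code from this thread or from the MAC draft. It assumes SHA-256 as the body-hash digest, a gzip-encoded wire body as constructed sample input, and that only the Host header is covered elsewhere in the signature, so no headers enter the hash.

```python
import base64
import gzip
import hashlib
import hmac
from typing import Optional

# Constructed sample: the payload body the client means to send, and the
# message body as it appears on the wire after Content-Encoding: gzip.
PAYLOAD_BODY = b'{"grant":"example","scope":"read"}'
WIRE_BODY = gzip.compress(PAYLOAD_BODY, mtime=0)


def decode_message_body(wire_body: bytes, content_encoding: Optional[str]) -> bytes:
    """Undo the content encoding to recover the payload body.
    Only identity and gzip are handled (assumption for this example)."""
    if content_encoding in (None, "identity"):
        return wire_body
    if content_encoding == "gzip":
        return gzip.decompress(wire_body)
    raise ValueError(f"unsupported Content-Encoding: {content_encoding}")


def body_hash(payload_body: bytes) -> str:
    """Base64 digest over the *payload* body only; headers are not included.
    SHA-256 is an assumption here, not a value taken from the thread."""
    return base64.b64encode(hashlib.sha256(payload_body).digest()).decode("ascii")


def verify_request(headers: dict, wire_body: bytes, claimed_bodyhash: str) -> bool:
    """Server side: decode the message body first, then compare body hashes
    in constant time. Hashing the raw wire bytes instead would never match
    what the client computed over the original payload."""
    payload = decode_message_body(wire_body, headers.get("Content-Encoding"))
    return hmac.compare_digest(body_hash(payload), claimed_bodyhash)


if __name__ == "__main__":
    client_hash = body_hash(PAYLOAD_BODY)
    print("client bodyhash    :", client_hash)
    print("server (decoded)   :", verify_request({"Content-Encoding": "gzip"}, WIRE_BODY, client_hash))
    print("server (wire bytes):", verify_request({}, WIRE_BODY, client_hash))
```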
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth