Re: [OAUTH-WG] Fwd: [Technical Errata Reported] RFC5849 (2550)

[Peter Saint-Andre]

Finally processed.

On 1/28/11 8:24 AM, Eran Hammer-Lahav wrote:

Verified as correct.

EHL

-----Original Message-----
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
Of Peter Saint-Andre
Sent: Thursday, November 18, 2010 6:26 PM
To: OAuth WG
Subject: [OAUTH-WG] Fwd: [Technical Errata Reported] RFC5849 (2550)

Folks, is this erratum accurate?


-------- Original Message --------
Subject: [Technical Errata Reported] RFC5849 (2550)
Date: Tue, 12 Oct 2010 09:42:17 -0700 (PDT)
From: RFC Errata System<rfc-edi...@rfc-editor.org>
To: e...@hueniverse.com, i...@iesg.org
CC: alasd...@lovefilm.com, rfc-edi...@rfc-editor.org


The following errata report has been submitted for RFC5849, "The OAuth 1.0
Protocol".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=5849&eid=2550

--------------------------------------
Type: Technical
Reported by: Alasdair McIntyre<alasd...@lovefilm.com>

Section: GLOBAL

Original Text
-------------
Section 3.1
oauth_signature="bYT5CMsGcbgUdFHObYMEfcx6bsw%3D"

Section 3.4.1.1
oauth_signature="bYT5CMsGcbgUdFHObYMEfcx6bsw%3D"

Section 3.4.1.3.1
oauth_signature="djosJKDKJSD8743243%2Fjdk33klY%3D"



Corrected Text
--------------
Section 3.1
oauth_signature="r6%2FTJjbCOr97%2F%2BUU0NsvSne7s5g%3D"

Section 3.4.1.1
oauth_signature="r6%2FTJjbCOr97%2F%2BUU0NsvSne7s5g%3D"

Section 3.4.1.3.1
oauth_signature="r6%2FTJjbCOr97%2F%2BUU0NsvSne7s5g%3D"


Notes
-----
(Apologies - this supercedes Errata ID 2549).

The signatures in sections 3.1, 3.4.1.1, and 3.4.1.3.1 of the RFC have
mistakenly been calculated as if with "GET". I have supplied the correct
"POST" signatures in the corrected text.

For reference, here is the perl script I used to calculate the signatures:

#!/usr/bin/perl
use strict;
use warnings;
use Digest::HMAC_SHA1;
use URI::Escape;
use MIME::Base64;

my $unsafe = '^-._~A-Za-z0-9';
my $client_secret = 'j49sk3j29djd';
my $token_secret = 'dh893hdasih9';
my $key = join('&', $client_secret, $token_secret);

my $uri_base = 'http%3A%2F%2Fexample.com%2Frequest';
my $params = join('', qw(
     a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da%26b5%3D
     %253D%25253D%26c%2540%3D%26c2%3D%26oauth_con
     sumer_key%3D9djdj82h48djs9d2%26oauth_nonce%3
     D7d8f3e4a%26oauth_signature_method%3DHMAC-SH
     A1%26oauth_timestamp%3D137131201%26oauth_tok
     en%3Dkkk9d7dh3k39sjv7
));

foreach my $method ('GET', 'POST') {
     my $base_sig = join('&', $method, $uri_base, $params);
     my $bin_sig = Digest::HMAC_SHA1::hmac_sha1($base_sig, $key);
     my $b64_sig = MIME::Base64::encode_base64($bin_sig, '');
     my $enc_sig = URI::Escape::uri_escape($b64_sig, $unsafe);
     printf "%-8s %s\n", $method, $enc_sig; }

Instructions:
-------------
This errata is currently posted as "Reported". If necessary, please use "Reply
All" to discuss whether it should be verified or rejected. When a decision is
reached, the verifying party (IESG) can log in to change the status and edit
the report, if necessary.

--------------------------------------
RFC5849 (draft-hammer-oauth-10)
--------------------------------------
Title               : The OAuth 1.0 Protocol
Publication Date    : April 2010
Author(s)           : E. Hammer-Lahav, Ed.
Category            : INFORMATIONAL
Source              : IETF - NON WORKING GROUP
Area                : N/A
Stream              : IETF
Verifying Party     : IESG

--
Peter Saint-Andre
https://stpeter.im/


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth