I'd lobby for something more than just prose, since for me, including
the body or body hash in the HMAC is a pretty essential piece of
security for any real implementation.  I understand that you think it
should not be 100% required by all servers, and hence should not be a
specified field, but then I think it should be something like a
"standard" extension.

For example, retain some of the existing text describing the bodyhash
as using the same algorithm as the HMAC and show an example like:

ext="bodyhash:k9kbtCIy0CkI3/FEfpS/oIDjk6k="

Are there any other specific things you see as common examples of ext
values?  Is there a suggested system for indicating or separating
multiple ext values?

It seems to me without a standardized way to include the body hash in
the ext field, you immediately invite more diversity in
implementations.  It would also seem that by putting it in the ext field,
any client could include the hash even if the server doesn't require
it?

Best,

Peter

On Thu, Nov 24, 2011 at 12:21 AM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
> In prose, sure. But I'd rather not go further than that.
>
> EHL
>
>> -----Original Message-----
>> From: Peter Wolanin [mailto:peter.wola...@acquia.com]
>> Sent: Wednesday, November 23, 2011 11:53 AM
>> To: Eran Hammer-Lahav
>> Cc: OAuth WG
>> Subject: Re: [OAUTH-WG] MAC: body-hash
>>
>> As long as a specific service can make an ext containing the body hash
>> required, I think this is fine.  Can the spec include body hash as an example of
>> an ext?
>>
>> Thanks,
>>
>> Peter
>>
>> On Sat, Nov 19, 2011 at 10:39 AM, Eran Hammer-Lahav
>> <e...@hueniverse.com> wrote:
>> > I want to reaffirm our previous consensus to drop the body-hash
>> > parameter and leave the ext parameter. Body-hash as currently
>> > specified is going to cause significant interop issues due to
>> > character (and other) encoding issues. Providers who desire to MAC the
>> > body can define their own ext use case.
>> >
>> > Let me know if you have an objection to this change.
>> >
>> > EHL
>> >
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth
>> >
>>
>> --
>> Peter M. Wolanin, Ph.D.      : Momentum Specialist,  Acquia. Inc.
>> peter.wola...@acquia.com : 781-313-8322
>>
>> "Get a free, hosted Drupal 7 site: http://www.drupalgardens.com"



-- 
Peter M. Wolanin, Ph.D.      : Momentum Specialist,  Acquia. Inc.
peter.wola...@acquia.com : 781-313-8322

"Get a free, hosted Drupal 7 site: http://www.drupalgardens.com"
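As an added illustration, not code from the thread or from the MAC draft, here is how a client could carry the body hash in ext in the "bodyhash:..." form Peter suggests, and how a server that requires it would verify: the body is hashed as raw octets with the same algorithm as the HMAC, which sidesteps the character-encoding problem Eran raises. The normalized request string layout, the key and the request values are assumptions made for the example.

```python
import base64
import hashlib
import hmac

# Constructed sample credential: not a value from the thread or the draft.
MAC_KEY = b"489dks293j39"
MAC_ALG = hashlib.sha256        # "hmac-sha-256" in the draft's terms


def body_hash(body: bytes) -> str:
    """base64(hash(body)) over the raw wire octets, using the HMAC's own hash.
    Hashing bytes rather than a decoded string avoids encoding ambiguity."""
    return base64.b64encode(MAC_ALG(body).digest()).decode("ascii")


def normalized_request_string(ts, nonce, method, uri, host, port, ext):
    # Assumed layout of the MAC draft's normalized request string:
    # one element per line, each newline-terminated, ext included verbatim.
    parts = [str(ts), nonce, method.upper(), uri, host.lower(), str(port), ext]
    return "".join(p + "\n" for p in parts)


def compute_mac(key: bytes, nrs: str) -> str:
    return base64.b64encode(
        hmac.new(key, nrs.encode("utf-8"), MAC_ALG).digest()).decode("ascii")


def sign_request(key, ts, nonce, method, uri, host, port, body):
    """Client side: put the body hash in ext so the MAC also covers the body."""
    ext = "bodyhash:" + body_hash(body)
    mac = compute_mac(key, normalized_request_string(ts, nonce, method, uri, host, port, ext))
    return ext, mac


def verify_request(key, ts, nonce, method, uri, host, port, ext, mac, body):
    """Server side for a service that requires the body hash: recompute it from
    the received body, compare it with the one carried in ext, then check the
    MAC over the whole normalized string. Both comparisons are constant-time."""
    prefix = "bodyhash:"
    if not ext.startswith(prefix):
        return False                      # body not covered: reject
    if not hmac.compare_digest(ext[len(prefix):], body_hash(body)):
        return False                      # body altered in transit
    expected = compute_mac(key, normalized_request_string(ts, nonce, method, uri, host, port, ext))
    return hmac.compare_digest(expected, mac)
```

Because ext is part of the normalized string, replacing both the body and its hash still fails at the MAC check; the body hash alone only detects alteration, the MAC binds it to the key.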