On Mon, Jun 13, 2011 at 7:17 PM, Manger, James H wrote:
>>> This is a bit hacky, too hacky. Wouldn't it be better for a client that
>>> recognizes a special MAC cookie to use it to construct Authorization headers
>>> and omit it from Cookie headers?
>
>> Nope. Sending the value in the Cookie head
> -Original Message-
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Manger, James H
> Sent: Monday, June 13, 2011 6:11 PM
> There have been suggestions that the MAC calculation could/should cover
> the key id. In that situation it is even more crucial that
>> This is a bit hacky, too hacky. Wouldn't it be better for a client that
>> recognizes a special MAC cookie to use it to construct Authorization headers
>> and omit it from Cookie headers?
> Nope. Sending the value in the Cookie header is important to help
> servers implement this scheme withou
On Mon, Jun 13, 2011 at 6:11 PM, Manger, James H wrote:
> A comment on the MAC draft [draft-ietf-oauth-v2-http-mac-00]:
>
> When MAC credentials are issued with a Set-Cookie response header [section
> 6] the spec says to use the cookie’s name as the MAC key identifier (eg
> “id=SID”). It would mak
A comment on the MAC draft [draft-ietf-oauth-v2-http-mac-00]:
When MAC credentials are issued with a Set-Cookie response header [section 6]
the spec says to use the cookie's name as the MAC key identifier (eg "id=SID").
It would make more sense to use the cookie's value (eg "id=31d4d96e407aad4