On Tue, Jun 14, 2011 at 10:00 PM, Eran Hammer-Lahav wrote:
>> -Original Message-
>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
>> Of Manger, James H
>> Sent: Tuesday, June 14, 2011 7:06 PM
>> To: oauth
>> Subject: Re: [OAUTH-
> Subject: RE: [OAUTH-WG] FW: MAC: Cookie name or value as MAC key id
>
> >> How does the server know if a particular request with a
> >> "Authorization: MAC ..." header is using credentials from OAuth 2.0 or
> from Set-Cookie?
>
> > This should
>> How does the server know if a particular request with a "Authorization: MAC
>> ..." header is using credentials from OAuth 2.0 or from Set-Cookie?
> This should be pretty easy to resolve with a common-sense deployment and key
> identifiers.
You are right, Eran. Though putting a cookie-name in
> -Original Message-
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Manger, James H
> Sent: Tuesday, June 14, 2011 7:06 PM
> To: oauth
> Subject: Re: [OAUTH-WG] FW: MAC: Cookie name or value as MAC key id
>
> >>> Perhaps o
>>> Perhaps omitting the id parameter from the Authorization header
>>> would be an even better approach [when a cookie provides the key id]
>> Yeah, I've often wondered whether we should remove the id parameter
>> from the Authorization header. My understanding is that it plays some
>> important
> -Original Message-
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Adam Barth
> Sent: Tuesday, June 14, 2011 10:05 AM
> To: Manger, James H
> Cc: oauth
> Subject: Re: [OAUTH-WG] FW: MAC: Cookie name or value as MAC key id
>
> O
On Tue, Jun 14, 2011 at 7:25 AM, Manger, James H
wrote:
>>> There have been suggestions that the MAC calculation could/should cover
>>> the key id. In that situation it is even more crucial that the id field
>>> isn't just a
>>> name referring to the real value elsewhere - as then the security ch