[rest-practices] proposed digital signature api
Bryan Kearney
bkearney at redhat.com
Thu Feb 10 14:57:29 UTC 2011
On 02/10/2011 09:38 AM, Bill Burke wrote:
> FYI:
>
> http://bill.burkecentral.com/2011/02/10/proposed-http-digital-signature-protocol-and-api/
>
>
> If anybody has any feedback, it would be much welcomed.
>
Posted on the blog as well:
As you mention, this feels a lot like two-legged OAuth. Two legged OAuth
gives you the signature plus the nonce which can protect you from
replay attacks.
So, my first thought would be to incorporate two legged OAuth. Barring
that, it appears as if you are not signing query parameters? If I am
looking for this as a means to do trust between two systems I would
think I would want to get at least the url or query parameters in the
signature.
-- bk
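As an added illustration of the two points raised above (covering the URL and query parameters in the signature, and using a nonce against replay), here is a small HMAC request signer and verifier. It is example code written for this archive page, not code from the proposal or from either poster; it assumes a pre-shared secret, SHA-256, and a 300-second clock-skew window.

```python
import hmac
import hashlib
import time
from urllib.parse import urlencode, parse_qsl

# Constructed demo key; a real deployment provisions a secret per client.
SECRET = b"demo-shared-secret"


def canonical_string(method, path, query, nonce, timestamp):
    """Build the string to sign. Sorting the query pairs makes the
    signature independent of parameter order but sensitive to any
    change in a parameter name or value."""
    pairs = sorted(parse_qsl(query, keep_blank_values=True))
    return "\n".join([method.upper(), path, urlencode(pairs), nonce, str(timestamp)])


def sign_request(method, path, query, nonce, timestamp, secret=SECRET):
    msg = canonical_string(method, path, query, nonce, timestamp).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Verifier:
    """Server side: checks the MAC and rejects stale or reused nonces."""

    def __init__(self, secret=SECRET, max_skew=300):
        self.secret = secret
        self.max_skew = max_skew
        self.seen_nonces = set()  # production code needs a store with expiry

    def verify(self, method, path, query, nonce, timestamp, signature, now=None):
        now = time.time() if now is None else now
        if abs(now - timestamp) > self.max_skew:
            return False  # outside the skew window: stale request
        if nonce in self.seen_nonces:
            return False  # nonce already used: replayed request
        expected = sign_request(method, path, query, nonce, timestamp, self.secret)
        if not hmac.compare_digest(expected, signature):
            return False  # query, path, method or nonce was altered
        self.seen_nonces.add(nonce)
        return True
```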