[rest-practices] proposed digital signature api
Bill Burke
bburke at redhat.com
Thu Feb 10 15:01:16 UTC 2011
On 2/10/11 9:57 AM, Bryan Kearney wrote:
> On 02/10/2011 09:38 AM, Bill Burke wrote:
>> FYI:
>>
>> http://bill.burkecentral.com/2011/02/10/proposed-http-digital-signature-protocol-and-api/
>>
>>
>>
>> If anybody has any feedback, it would be much welcomed.
>>
> Posted on the blog as well:
>
> As you mention, this feels a lot like two-legged OAuth. Two-legged OAuth
> gives you the signature plus the nonce which can protect you from
> replay attacks.
>
> So, my first thought would be to incorporate two legged OAuth. Barring
> that, it appears as if you are not signing query parameters? If I am
> looking for this as a means to do trust between two systems I would
> think I would want to get at least the url or query parameters in the
> signature.
>
I kinda wanted this to be orthogonal to the authentication mechanism, so
that users can use traditional authentication while supporting
signatures. And also allow clients/servers to ignore signatures if they
so desire. It didn't seem like this was really part of OAuth and more a
part of the overlying whole OAuth authentication protocol.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
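To make the two points raised above concrete (a nonce for replay protection and the URL/query parameters inside the signed material), here is an added example, not the protocol proposed in the linked post nor anyone's project code: an HMAC over a canonical string of method, path, sorted query, nonce, timestamp and body hash, verified with a nonce cache. The shared secret, URLs and nonces are constructed for the demonstration.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed shared secret for the example only (not a real key).
SECRET = b"example-shared-secret"

def canonical_string(method, url, body, nonce, timestamp):
    """String to sign: method, path, sorted query, nonce, timestamp, body hash.
    Sorting the query means a reordered but equivalent URL verifies, while a
    changed parameter value does not."""
    parts = urlsplit(url)
    query = urlencode(sorted(parse_qsl(parts.query, keep_blank_values=True)))
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), parts.path, query, nonce, str(timestamp), body_hash])

def sign(method, url, body, nonce, timestamp, secret=SECRET):
    msg = canonical_string(method, url, body, nonce, timestamp).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

class Verifier:
    def __init__(self, secret=SECRET, max_skew=300):
        self.secret = secret
        self.max_skew = max_skew      # seconds of clock drift tolerated
        self.seen_nonces = set()      # production: bounded store expiring with max_skew

    def verify(self, method, url, body, nonce, timestamp, signature, now):
        if abs(now - timestamp) > self.max_skew:
            return False, "timestamp outside window"
        expected = sign(method, url, body, nonce, timestamp, self.secret)
        # Check the signature before recording the nonce, so only authentic
        # requests can populate the replay cache.
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(nonce)
        return True, "ok"

if __name__ == "__main__":
    ts = 1297353676
    url = "https://api.example.com/orders?user=alice&limit=10"
    sig = sign("GET", url, b"", "nonce-1", ts)
    v = Verifier()
    print(v.verify("GET", url, b"", "nonce-1", ts, sig, ts))                  # (True, 'ok')
    print(v.verify("GET", url.replace("alice", "bob"), b"", "nonce-1", ts, sig, ts))  # bad signature
    print(v.verify("GET", url, b"", "nonce-1", ts, sig, ts))                  # replayed nonce
```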