[rest-practices] proposed digital signature api

Bryan Kearney bkearney at redhat.com
Thu Feb 10 15:26:15 UTC 2011


On 02/10/2011 10:01 AM, Bill Burke wrote:
>
>
> On 2/10/11 9:57 AM, Bryan Kearney wrote:
>> On 02/10/2011 09:38 AM, Bill Burke wrote:
>>> FYI:
>>>
>>> http://bill.burkecentral.com/2011/02/10/proposed-http-digital-signature-protocol-and-api/
>>>
>>>
>>>
>>>
>>> If anybody has any feedback, it would be much welcomed.
>>>
>> Posted on the blog as well:
>>
>> As you mention, this feels a lot like two-legged OAuth. Two legged OAuth
>> gives you the signature plus the nonce which can protect you from
>> replay attacks.
>>
>> So, my first thought would be to incorporate two legged OAuth. Barring
>> that, it appears as if you are not signing query parameters? If I am
>> looking for this as a means to do trust between two systems I would
>> think I would want to get at least the url or query parameters in the
>> signature.
>>
>
> I kinda wanted this to be orthogonal to the authentication mechanism, so
> that users can use traditional authentication while supporting
> signatures. And also allow clients/servers to ignore signatures if they
> so desire. It didn't seem like this was really part of OAuth and more a
> part of the overlying whole OAuth authentication protocol.
>
>
Two legged takes the auth out of it. It is really more of a trusted
system approach. The systems share a secret, and then messages and
headers are signed using that secret. With the nonce and timestamp, you
are protected from most replay attacks as well as trust.

-- bk
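The shared-secret scheme described in the reply above (systems share a secret, sign the message and headers with it, and add a nonce and timestamp so replays can be rejected, with the query string included as Bryan asks for), worked through as an added Python example; this is not code from the thread or from the proposed API, and the canonical-string layout, the header set, the 300-second window and the in-memory nonce store are all assumptions for illustration.

```python
# Added example: two-legged-style HMAC request signing with replay protection.
# The canonical string layout below is an assumption, not the proposed API's format.
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed sample values for the example (not real credentials or hosts).
SECRET = b"constructed-shared-secret"
SAMPLE_QUERY = {"status": "open", "limit": "10"}
SAMPLE_HEADERS = {"Host": "api.example.test"}


def canonical_string(method, path, query, headers, timestamp, nonce):
    """Deterministic text both sides sign: method, path, sorted query,
    sorted lower-cased headers, then the timestamp and nonce."""
    q = urlencode(sorted(query.items()))
    h = "\n".join(f"{k.lower()}:{headers[k].strip()}" for k in sorted(headers, key=str.lower))
    return "\n".join([method.upper(), path, q, h, str(timestamp), nonce])


def sign(secret, method, path, query, headers, timestamp, nonce):
    """Client side: HMAC-SHA256 over the canonical string using the shared secret."""
    msg = canonical_string(method, path, query, headers, timestamp, nonce).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Verifier:
    """Server side: checks the timestamp window, nonce uniqueness, then the HMAC."""

    def __init__(self, secret, window=300):
        self.secret = secret
        self.window = window
        self.seen = set()  # nonces accepted so far; production would expire these with the window

    def verify(self, method, path, query, headers, timestamp, nonce, signature, now=None):
        now = time.time() if now is None else now
        if abs(now - timestamp) > self.window:
            return False  # stale or future-dated request
        if nonce in self.seen:
            return False  # replay of an already-accepted request
        expected = sign(self.secret, method, path, query, headers, timestamp, nonce)
        if not hmac.compare_digest(expected, signature):
            return False  # tampered method, path, query, header, timestamp or nonce
        self.seen.add(nonce)
        return True


if __name__ == "__main__":
    ts, nonce = int(time.time()), "constructed-nonce-1"
    sig = sign(SECRET, "GET", "/orders", SAMPLE_QUERY, SAMPLE_HEADERS, ts, nonce)
    v = Verifier(SECRET)
    print(v.verify("GET", "/orders", SAMPLE_QUERY, SAMPLE_HEADERS, ts, nonce, sig))   # True
    print(v.verify("GET", "/orders", SAMPLE_QUERY, SAMPLE_HEADERS, ts, nonce, sig))   # False (replay)
```

Because the query string is part of the canonical string, changing a parameter invalidates the signature, and the nonce set plus the timestamp window bound how long a captured request can be reused.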
