Thoughts about Digital Signatures for the Open Web Authentication (OAuth) Protocol
draft-tschofenig-oauth-signature-thoughts-00

Document Type: Expired Internet-Draft (individual)
Authors: Hannes Tschofenig, Blaine Cook
Last updated: 2010-10-18
Stream: (None)
Intended RFC status: (None)
Stream state: (No stream defined)
Consensus Boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date:
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at
https://www.ietf.org/archive/id/draft-tschofenig-oauth-signature-thoughts-00.txt

Abstract

The initial version of the Open Web Authentication Protocol (OAuth 1.0), often referred to as the community addition, included a mechanism for applying a digital signature (when using asymmetric keys) or a keyed message digest (when using symmetric keys) to a resource request when presenting the OAuth token. This cryptographic mechanism has led to lots of discussions, particularly about the problems implementers had, the use cases it supports, and the benefit-cost tradeoff. This document tries to describe the use of the so-called 'OAuth Signature' mechanism in an unbiased and less emotional way, with the main purpose of concluding the discussions.

Authors

Hannes Tschofenig (Hannes.Tschofenig@gmx.net)
Blaine Cook (romeda@gmail.com)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)