Thoughts about Digital Signatures for the Open Web Authentication (OAuth) Protocol

Document type: Expired Internet-Draft (individual), expired and archived
Authors: Hannes Tschofenig, Blaine Cook
Last updated: 2010-10-18
RFC stream: (None)
Intended RFC status: (None)
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor note: (None)
IESG state: Expired
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft remains archived.

The initial version of the Open Web Authentication Protocol (OAuth 1.0), often referred to as the community edition, included a mechanism for attaching a digital signature (when using asymmetric keys) or a keyed message digest (when using symmetric keys) to a resource request when presenting the OAuth token. This cryptographic mechanism has led to extensive discussion, particularly about the problems implementers encountered, the use cases it supports, and the benefit-cost tradeoff. This document tries to describe the use of the so-called 'OAuth Signature' mechanism in an unbiased and less emotional way, with the main purpose of bringing those discussions to a conclusion.



(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)