Thoughts about Digital Signatures for the Open Web Authentication (OAuth) Protocol

Document Type Expired Internet-Draft (individual)
Authors Hannes Tschofenig  , Blaine Cook 
Last updated 2010-10-18
Stream (None)
Expired & archived
plain text html xml pdf htmlized bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


The initial version of the Open Web Authentication Protocol (OAuth 1.0), often referred to as the community addition, included an mechanism for putting a digital signature (when using asymmetric keys) or a keyed message digest (when using symmetric keys) to a resource request when presenting the OAuth token. This cryptographic mechanism has lead to lots of discussions, particularly about the problems implementers had, the use cases it supports, and the benefit-cost tradeoff. This document tries to describe the use of the so-called 'OAuth Signature' mechamism in an unbiased and less emotional way with the main purpose to conclude the discussions.


Hannes Tschofenig (
Blaine Cook (

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)