Thoughts about Digital Signatures for the Open Web Authentication (OAuth) Protocol
draft-tschofenig-oauth-signature-thoughts-00
| Section | Field | Value |
|---|---|---|
| Document | Type | Expired Internet-Draft (individual) |
| Document | Authors | Hannes Tschofenig, Blaine Cook |
| Document | Last updated | 2010-10-18 |
| Document | Stream | (None) |
| Document | Formats | Expired & archived: plain text, html, xml, htmlized, pdfized, bibtex |
| Stream | Stream state | (No stream defined) |
| Stream | Consensus boilerplate | Unknown |
| Stream | RFC Editor Note | (None) |
| IESG | IESG state | Expired |
| IESG | Telechat date | (None) |
| IESG | Responsible AD | (None) |
| IESG | Send notices to | (None) |
https://www.ietf.org/archive/id/draft-tschofenig-oauth-signature-thoughts-00.txt
Abstract
The initial version of the Open Web Authentication Protocol (OAuth 1.0), often referred to as the community edition, included a mechanism for applying a digital signature (when using asymmetric keys) or a keyed message digest (when using symmetric keys) to a resource request when presenting the OAuth token. This cryptographic mechanism has led to lots of discussions, particularly about the problems implementers had, the use cases it supports, and the benefit-cost tradeoff. This document tries to describe the use of the so-called 'OAuth Signature' mechanism in an unbiased and less emotional way, with the main purpose of concluding the discussions.
Authors
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)