
[OAUTH-WG] RSA signing and web delegation
I spent a bit of time today wondering how to integrate RSA signing in
OAuth (which has obvious key distribution advantages) with requests
that only send access tokens (which has obvious usability advantages).

The only way I can think of to resolve these conflicts goes like this:

1) Initial requests for user approval (using the web delegation flow)
are signed using RSA.

2) Data requests are either not signed, or are signed only with the
token secret using HMAC.

3) Requests to renew access tokens (if we adopt something like the
scalable OAuth extension) are again signed using RSA.

Thoughts?

Cheers,
Brian
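The three-phase policy sketched above, as an added example that is not part of the post or of any OAuth implementation: a service provider verifies RSA-SHA1 over the signature base string for the initial approval request and for token renewal (only the consumer's public key is needed server-side), and HMAC-SHA1 keyed with the token secret alone for data requests. It also shows the check that makes the split meaningful: an HMAC-signed renewal request is rejected, so a leaked token secret cannot extend its own lifetime. The endpoints, the token "tok-constructed" and its secret are constructed values, and `Scenario` is a hypothetical driver for the four requests.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// RequestKind names the three phases in the post's sketch.
type RequestKind int

const (
	RequestToken RequestKind = iota // 1) initial approval request: RSA
	DataRequest                     // 2) data request: HMAC with the token secret
	TokenRenewal                    // 3) access-token renewal: RSA again
)

// encode percent-encodes per RFC 3986 (only ALPHA, DIGIT, '-', '.', '_', '~' pass through).
func encode(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		if ('A' <= c && c <= 'Z') || ('a' <= c && c <= 'z') || ('0' <= c && c <= '9') ||
			c == '-' || c == '.' || c == '_' || c == '~' {
			b.WriteByte(c)
		} else {
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// baseString builds the OAuth 1.0-style signature base string:
// METHOD & encode(url) & encode(sorted "k=v" pairs joined by '&').
func baseString(method, rawurl string, params map[string]string) string {
	keys := make([]string, 0, len(params))
	for k := range params {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	pairs := make([]string, 0, len(keys))
	for _, k := range keys {
		pairs = append(pairs, encode(k)+"="+encode(params[k]))
	}
	return strings.ToUpper(method) + "&" + encode(rawurl) + "&" + encode(strings.Join(pairs, "&"))
}

// signRSA produces an RSA-SHA1 (PKCS#1 v1.5) signature over the base string.
func signRSA(priv *rsa.PrivateKey, base string) ([]byte, error) {
	h := sha1.Sum([]byte(base))
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, h[:])
}

// signHMAC keys HMAC-SHA1 with "&<token secret>": the consumer secret half of
// the usual OAuth key is empty because step 2 signs with the token secret only.
func signHMAC(tokenSecret, base string) []byte {
	m := hmac.New(sha1.New, []byte("&"+encode(tokenSecret)))
	m.Write([]byte(base))
	return m.Sum(nil)
}

// Server holds what the provider keeps: the consumer's public key and token secrets.
type Server struct {
	ConsumerPub  *rsa.PublicKey
	TokenSecrets map[string]string // access token -> token secret
}

// Verify enforces the per-phase rule: RSA for approval and renewal, HMAC for data.
func (s *Server) Verify(kind RequestKind, method, rawurl string, params map[string]string, sig []byte) error {
	base := baseString(method, rawurl, params)
	switch kind {
	case RequestToken, TokenRenewal:
		h := sha1.Sum([]byte(base))
		if params["oauth_signature_method"] != "RSA-SHA1" ||
			rsa.VerifyPKCS1v15(s.ConsumerPub, crypto.SHA1, h[:], sig) != nil {
			return errors.New("RSA-SHA1 signature required for this phase")
		}
	case DataRequest:
		secret, ok := s.TokenSecrets[params["oauth_token"]]
		if !ok || params["oauth_signature_method"] != "HMAC-SHA1" ||
			!hmac.Equal(sig, signHMAC(secret, base)) {
			return errors.New("HMAC-SHA1 signature with a known token secret required")
		}
	default:
		return errors.New("unknown request kind")
	}
	return nil
}

// Scenario (hypothetical driver) runs the three legitimate phases plus one
// misuse, an HMAC-signed renewal, and reports which checks came out as expected.
func Scenario() (approvalOK, dataOK, renewalOK, hmacRenewalRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	srv := &Server{ConsumerPub: &priv.PublicKey,
		TokenSecrets: map[string]string{"tok-constructed": "secret-constructed"}}
	const tokURL, dataURL, renewURL = "https://sp.example/request_token", "https://sp.example/photos", "https://sp.example/renew"

	p1 := map[string]string{"oauth_consumer_key": "consumer-constructed", "oauth_signature_method": "RSA-SHA1", "oauth_nonce": "n1"}
	sig1, err := signRSA(priv, baseString("POST", tokURL, p1))
	if err != nil {
		return
	}
	approvalOK = srv.Verify(RequestToken, "POST", tokURL, p1, sig1) == nil

	p2 := map[string]string{"oauth_token": "tok-constructed", "oauth_signature_method": "HMAC-SHA1", "oauth_nonce": "n2", "q": "hello world"}
	dataOK = srv.Verify(DataRequest, "GET", dataURL, p2, signHMAC("secret-constructed", baseString("GET", dataURL, p2))) == nil

	p3 := map[string]string{"oauth_token": "tok-constructed", "oauth_signature_method": "RSA-SHA1", "oauth_nonce": "n3"}
	sig3, err := signRSA(priv, baseString("POST", renewURL, p3))
	if err != nil {
		return
	}
	renewalOK = srv.Verify(TokenRenewal, "POST", renewURL, p3, sig3) == nil

	// Misuse: a holder of only the token secret tries to renew with HMAC.
	p4 := map[string]string{"oauth_token": "tok-constructed", "oauth_signature_method": "HMAC-SHA1", "oauth_nonce": "n4"}
	hmacRenewalRejected = srv.Verify(TokenRenewal, "POST", renewURL, p4, signHMAC("secret-constructed", baseString("POST", renewURL, p4))) != nil
	return
}
```

The phase is passed to `Verify` explicitly here; in a real provider it is implied by the endpoint, which is exactly where the "which signature method is acceptable" decision has to live so that a data-request credential never doubles as a renewal credential.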
