Igor Eran Hammer-Lahav wrote:
I like this approach. It keeps the RSA signing in the delegation flow and not in the generic authentication method. This keeps the token as the sole authentication tool when making protected resource requests (no client credentials or RSA keys).

EHL

-----Original Message-----
From: oauth-bounces at ietf.org [mailto:oauth-bounces at ietf.org] On Behalf Of Brian Eaton
Sent: Thursday, November 05, 2009 5:32 PM
To: oauth at ietf.org
Subject: [OAUTH-WG] RSA signing and web delegation

I spent a bit of time today wondering how to integrate RSA signing in OAuth (which has obvious key distribution advantages) with requests that only send access tokens (which has obvious usability advantages).

The only way I can think of to resolve these conflicts goes like this:

1) Initial requests for user approval (using the web delegation flow) are signed using RSA.
2) Data requests are either not signed, or are signed only with the token secret using HMAC.
3) Requests to renew access tokens (if we adopt something like the scalable OAuth extension) are again signed using RSA.

Thoughts?

Cheers,
Brian

_______________________________________________
OAuth mailing list
OAuth at ietf.org
https://www.ietf.org/mailman/listinfo/oauth
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.
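The split Brian sketches, as an added worked example that is not part of the thread or of any OAuth implementation: one RFC 5849 signature base string builder feeds two signers, RSA-SHA1 (PKCS#1 v1.5 over SHA-1) for the delegation and token-renewal calls and HMAC-SHA1 keyed with the token secret for data calls. The RSA key is a 512-bit toy generated in-process from a fixed seed so the block runs offline with the standard library only; it is far too small for real use. The hostnames, endpoint paths, client key, token and secret values are constructed sample data.

```python
import base64
import hashlib
import hmac
import random
from urllib.parse import parse_qsl, quote, urlsplit

# ---- RFC 5849 signature base string, shared by both signing methods --------

def pct(s: str) -> str:
    """RFC 5849 3.6 percent-encoding: only ALPHA / DIGIT / - . _ ~ unescaped."""
    return quote(s, safe="-._~")

def base_string(method: str, url: str, oauth_params: dict) -> str:
    """RFC 5849 3.4.1: METHOD & base-URL & sorted, encoded query+oauth params."""
    u = urlsplit(url)
    port = "" if u.port in (None, 80, 443) else f":{u.port}"
    base_url = f"{u.scheme.lower()}://{u.hostname.lower()}{port}{u.path or '/'}"
    pairs = [(pct(k), pct(v)) for k, v in parse_qsl(u.query, keep_blank_values=True)]
    pairs += [(pct(k), pct(v)) for k, v in oauth_params.items() if k != "oauth_signature"]
    pairs.sort()  # sort after encoding, by key then value
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

# ---- Toy RSA (stand-in for a real key pair; NOT for production) ------------

def _is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_rsa_keypair(bits: int = 512, seed: int = 1):
    """Deterministic toy key: returns ((n, e), (n, d)). Assumed/hypothetical."""
    rng = random.Random(seed)
    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _is_probable_prime(c, rng):
                return c
    e = 65537
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so e not dividing phi means gcd = 1
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))

_SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # RFC 3447 9.2

def _emsa_pkcs1_v15_sha1(msg: bytes, k: int) -> int:
    t = _SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

# ---- Step 1 and 3: delegation / renewal requests carry an RSA-SHA1 signature

def sign_delegation_request(method, url, params, priv) -> str:
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = _emsa_pkcs1_v15_sha1(base_string(method, url, params).encode(), k)
    return base64.b64encode(pow(em, d, n).to_bytes(k, "big")).decode()

def verify_delegation_request(method, url, params, sig_b64, pub) -> bool:
    n, e = pub
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(base64.b64decode(sig_b64), "big")
    if s >= n:
        return False
    return pow(s, e, n) == _emsa_pkcs1_v15_sha1(base_string(method, url, params).encode(), k)

# ---- Step 2: data requests use HMAC-SHA1 keyed with the token secret -------

def sign_data_request(method, url, params, token_secret, client_secret="") -> str:
    """RFC 5849 3.4.2 key is pct(client_secret) & pct(token_secret); per the
    proposal the client secret is empty, leaving the token secret alone."""
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify_data_request(method, url, params, sig_b64, token_secret, client_secret="") -> bool:
    expected = sign_data_request(method, url, params, token_secret, client_secret)
    return hmac.compare_digest(expected, sig_b64)  # constant-time compare
```

Usage: the server keeps the client's RSA public key and checks it only on the request-token and renewal endpoints; resource servers never see that key and validate data calls with nothing but the token secret, which is the property Eran highlights. Verifying with `verify_data_request` instead of string equality avoids a timing side channel on the HMAC comparison.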