[doseta-discuss] suggestions/concerns on spec
Bill Burke
bburke at redhat.com
Thu Jun 2 12:25:50 PDT 2011
On 6/2/11 3:13 PM, Murray S. Kucherawy wrote:
>> -----Original Message-----
>> From: doseta-discuss-bounces at blackops.org [mailto:doseta-discuss-bounces at blackops.org] On Behalf Of Bill Burke
>> Sent: Thursday, June 02, 2011 12:10 PM
>> To: doseta-discuss at trusteddomain.org
>> Subject: Re: [doseta-discuss] suggestions/concerns on spec
>>
>> DOSETA pulls in public key propagation. Requires a bh field (you might
>> want to sign headers but no body). I'd like to see that stuff split off
>> and/or optional.
>
> That's curious. Why would you want to sign none of the body?
>
> (I've heard the email side of that argument, but I'm keen to hear new perspectives.)
>
You might want to sign one or more specific headers only. I.e. if you're
sending some kind of a security token.
You might want to add a path field and sign that as part of a GET
request and use the signature for authentication/authorization.
Maybe this is bleeding into other domains/specifications, but it seems
crazy to me that everybody ends up defining their own way to sign a request.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
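The scheme Bill sketches above (sign a chosen set of headers plus the method and path, leave the body unsigned) worked through as an added example; this is not DOSETA code or anything posted to the list. The signature header name, the tag names (a=, h=, m=, p=, t=, b=) and the use of a shared-key HMAC-SHA256 in place of the public-key signature DOSETA would use are all assumptions made for the illustration, and the request in demo() is constructed.

```python
"""Header-only request signing: sign selected headers plus method and path,
leave the body unsigned.

Added example, not code from DOSETA or from the list thread. The signature
header name, the tag names (a=, h=, m=, p=, t=, b=) and HMAC-SHA256 standing
in for a public-key signature are assumptions for this illustration.
"""
import base64
import hashlib
import hmac

SIG_HEADER = "x-request-signature"  # assumed header name


def _canon_value(value):
    """Relaxed canonicalization: trim and collapse whitespace runs."""
    return " ".join(value.split())


def _header_values(headers, name):
    """Case-insensitive lookup over a list of (name, value) pairs."""
    return [v for n, v in headers if n.lower() == name.lower()]


def _signing_input(headers, signed_names, tag_prefix):
    """Bytes that get signed: each listed header as 'name:value\\r\\n', then the
    signature header's own tags up to and including an empty 'b='. A listed
    header that is absent contributes an empty value, so it cannot be added
    later without breaking the signature. Nothing here touches the body."""
    lines = []
    for name in signed_names:
        values = _header_values(headers, name)
        lines.append(name.lower() + ":" + _canon_value(values[0] if values else "") + "\r\n")
    lines.append(SIG_HEADER + ":" + tag_prefix)
    return "".join(lines).encode("utf-8")


def sign_request(key, method, path, headers, signed_names, timestamp):
    """Return the value of the signature header for this request.
    Paths containing ';' would need escaping in a real tag syntax."""
    tag_prefix = "a=hmac-sha256; h=%s; m=%s; p=%s; t=%d; b=" % (
        ":".join(n.lower() for n in signed_names), method.upper(), path, timestamp)
    mac = hmac.new(key, _signing_input(headers, signed_names, tag_prefix), hashlib.sha256).digest()
    return tag_prefix + base64.b64encode(mac).decode("ascii")


def _parse_tags(sig):
    tags = {}
    for item in sig.split(";"):
        if "=" in item:
            k, v = item.strip().split("=", 1)
            tags[k] = v
    return tags


def verify_request(key, method, path, headers, now, max_age=300):
    """True only if exactly one signature header is present, its m= and p= tags
    match the request actually being served, t= is fresh, and the MAC over the
    listed headers verifies. Unsigned headers and the body are ignored."""
    sigs = _header_values(headers, SIG_HEADER)
    if len(sigs) != 1:
        return False
    sig = sigs[0]
    tags = _parse_tags(sig)
    if tags.get("a") != "hmac-sha256" or not tags.get("h") or "b" not in tags:
        return False
    if tags.get("m") != method.upper() or tags.get("p") != path:
        return False  # the request target is bound to the signature
    try:
        if not 0 <= now - int(tags.get("t", "")) <= max_age:
            return False  # crude replay window
        expected = base64.b64decode(tags["b"], validate=True)
    except ValueError:
        return False
    split = sig.rfind("; b=")
    if split < 0:
        return False
    tag_prefix = sig[: split + 4]
    mac = hmac.new(key, _signing_input(headers, tags["h"].split(":"), tag_prefix), hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def demo():
    """Constructed request showing what the signature does and does not cover."""
    key = b"shared-secret-for-illustration"
    signed = ["host", "date", "x-security-token"]
    base = [("Host", "api.example"), ("Date", "Thu, 02 Jun 2011 19:25:50 GMT"),
            ("X-Security-Token", "tok-123")]
    t = 1307042750
    sig = sign_request(key, "GET", "/widgets/42", base, signed, t)
    req = base + [(SIG_HEADER, sig)]
    tampered = [(n, "tok-999" if n == "X-Security-Token" else v) for n, v in req]
    return {
        "valid": verify_request(key, "GET", "/widgets/42", req, now=t + 10),
        # headers outside h= may be added freely, as proxies tend to do
        "unsigned_header_added": verify_request(key, "GET", "/widgets/42", req + [("User-Agent", "curl")], now=t + 10),
        # p= and m= bind the signature to one resource and verb
        "path_changed": verify_request(key, "GET", "/widgets/43", req, now=t + 10),
        "method_changed": verify_request(key, "DELETE", "/widgets/42", req, now=t + 10),
        "token_tampered": verify_request(key, "GET", "/widgets/42", tampered, now=t + 10),
        "stale": verify_request(key, "GET", "/widgets/42", req, now=t + 3600),
    }
```

demo() returns True for the untouched request and for the request with an extra unsigned header, and False when the path, method, signed token or timestamp window is changed. Because no body hash is involved, the same signature would verify on a request whose body differs, which is exactly the trade-off a header-only profile makes and the reason a verifier must not treat such a signature as covering the payload.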