Re: [OAUTH-WG] MAC Tokens body hash

Skylar Woodward, Tue, 02 August 2011 23:01 UTC

To: Eran Hammer-Lahav
Cc: Ben Adida, OAuth WG, Adam Barth

(not necessarily for losing a way to sign the body, but for simplicity and avoiding some of the potential inconsistencies w/ bodyhash).

Is your plan to reserve an empty line 6 for the Normalized Request String (which was used for bodyhash) or eliminate it, bringing the total to six elements?


On Jul 30, 2011, at 3:43 AM, Eran Hammer-Lahav wrote:

> I plan to drop support for the bodyhash parameter in the next draft based on bad implementation experience. Even with a simple text body, UTF encoding has introduced significant issues for us. The current draft does not work using simple JS code between a browser and node.js even when both use the same v8 engine due to differences in the body encoding. Basically, the JS string used to send a request from the browser is not the actual string sent on the wire.
> To fix that, we need to force UTF-8 encoding on both sides. However, that is very much application specific. This will not work for non-text bodies. Instead, the specification should offer a simple way to use the ext parameter for such needs, including signing headers. And by offer I mean give examples, but leave it application specific for now.
> I am open to suggestions but so far all the solutions I came up with will introduce unacceptable complexity that will basically make this work useless.
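
The encoding mismatch described in the quoted message, as an added example that is not part of the thread or of the draft: a body hash computed over a JS string only verifies when both sides turn that string into the same bytes. The function names, the sample bodies and the choice of base64 SHA-256 as the body hash are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Assumption for illustration: body hash = base64(SHA-256(body bytes)).
function bodyHash(bytes) {
  return crypto.createHash('sha256').update(bytes).digest('base64');
}

// Client hashes the JS string under the encoding it *assumes* will be used.
function clientBodyHash(bodyString, assumedEncoding) {
  return bodyHash(Buffer.from(bodyString, assumedEncoding));
}

// Server hashes the raw bytes it received, before any charset decoding,
// and compares in constant time.
function serverVerify(wireBytes, claimedHash) {
  const expected = Buffer.from(bodyHash(wireBytes), 'ascii');
  const claimed = Buffer.from(String(claimedHash), 'ascii');
  return expected.length === claimed.length &&
    crypto.timingSafeEqual(expected, claimed);
}

// Constructed scenario: the transport serializes the string as UTF-8 while
// the client hashed it under `assumedEncoding`.
function verifyAcrossEncodings(bodyString, assumedEncoding) {
  const wireBytes = Buffer.from(bodyString, 'utf8');
  return serverVerify(wireBytes, clientBodyHash(bodyString, assumedEncoding));
}

// The fix named in the thread: force UTF-8 by encoding once, then hashing
// and sending the very same bytes.
function signThenSend(bodyString) {
  const wireBytes = Buffer.from(bodyString, 'utf8');
  return { wireBytes, bodyhash: bodyHash(wireBytes) };
}

// Non-text bodies do not survive a trip through a string at all.
function survivesTextRoundTrip(bytes) {
  return Buffer.from(bytes.toString('utf8'), 'utf8').equals(bytes);
}

// Constructed sample bodies: one pure ASCII, one with a non-ASCII character.
const samples = ['{"name":"cafe"}', '{"name":"caf\u00e9"}'];
for (const body of samples) {
  for (const enc of ['utf8', 'latin1', 'utf16le']) {
    console.log(JSON.stringify(body), enc, verifyAcrossEncodings(body, enc));
  }
}
```

The ASCII body verifies under both `utf8` and `latin1`, which is why this class of bug tends to pass basic testing and surface only once a non-ASCII character or a binary payload appears.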