Re: [OAUTH-WG] proposal for signatures

would your proposal allow to issue and use HMAC Verification Keys in the 
same way as the "old" token secrets, i.e. an AS would issue such keys 
along with tokens to the OAuth client? A special key id could be used to 
indicate this scenario.

regards,
Torsten.

Am 21.06.2010 09:04, schrieb Dirk Balfanz:
> Hi guys,
>
> I think I owe the list a proposal for signatures.
>
> I wrote something down that liberally borrows ideas from Magic 
> Signatures 
> <http://salmon-protocol.googlecode.com/svn/trunk/draft-panzer-magicsig-00.html>, 
> SWT <http://groups.google.com/group/WRAP-WG/files>, and (even the name 
> from) JSON Web Tokens 
> <https://groups.google.com/group/WRAP-WG/browse_thread/thread/a99369c4b74d4cd0#>. 
>
>
> Here is a short document (called "JSON Tokens") that just explains how 
> to sign something and verify the signature:
> http://docs.google.com/document/pub?id=1kv6Oz_HRnWa0DaJx_SQ5Qlk_yqs_7zNAm75-FmKwNo4
>
> Here is an extension of JSON Tokens that can be used for signed OAuth 
> tokens:
> http://docs.google.com/document/pub?id=1JUn3Twd9nXwFDgi-fTKl-unDG_ndyowTZW8OWX9HOUU
>
> Here is a different extension of JSON Tokens that can be used for 
> 2-legged flows. The idea is that this could be used as a drop-in 
> replacement for SAML assertions in the OAuth2 assertion flow:
> http://docs.google.com/document/pub?id=1s4kjRS9P0frG0ulhgP3He01ONlxeTwkFQV_pCoOowzc
>
> I also have started to write some code 
> <http://code.google.com/p/jsontoken/source/browse/#svn/trunk/src/main/java/net/oauth/signatures> 
> to implement this as a proof-of-concept.
>
> Thoughts? Comments?
>
> Dirk.
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>    