Re: [OAUTH-WG] Proposal: OAuth 1.0 signature in core with revision

[Lukas Rosenstock <lr@lukasrosenstock.net>]

In my opinion, there could be two arguments against including 1.0 signatures
into the core:
1) The spec will be too long.
2) The signature mechanism isn't good, so it would be replaced with
something else anyway.
Is 1) a concern? For 2), I think the adoption of OAuth 1.0 speaks for the
signature mechanism being both feasible to implement and secure. Also as
it's already written it should not delay finishing the spec.

I agree with Dick Hardt that if the signatures are included, there should be
a mechanism to allow for different signature schemes who might be defined in
the future.

There's another question: What will be required for OAuth compliance? Is
only-bearer-tokens fine or must the signature mechanism be supported? Is it
fine to not allow both but only a third signature algorithm?

By not including signatures some people (those who strongly feel about
signatures) will feel OAuth 2 is somewhat "less" than OAuth 1 and stick with
OAuth 1 instead of the whole web world moving forward to a new standard.

2010/9/27 Eran Hammer-Lahav <eran@hueniverse.com>

> Building on John Panzer’s proposal, I would like to ask if people have
> strong objections to the following:
>
>
>
> - Add the 1.0a RFC language for HMAC-SHA-1 signatures to the core
> specification in -11
>
> - Discuss the signature language on the list and improve both prose and
> signature base string construction
>
> - Apply improvements to -12
>
>
>
> Keeping the 1.0a signature in the core specification makes sense and builds
> on existing experience and deployment. If we can reach quick consensus on
> some improvements, great. If not, we satisfy the need of many here to offer
> a simple alternative to bearer tokens, without having to reach consensus on
> a new signature algorithm suitable for core inclusion.
>