last call for comments on body signing


Brian Eaton

Mar 12, 2009, 12:29:20 PM
to oa...@googlegroups.com, oauth-ex...@googlegroups.com, opensocial-an...@googlegroups.com
Hi folks -

I've neglected the body signing specification for a few months and I'd
like to wrap it up. A fresh draft is here:

http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/3/spec.html

Changes:
- language cleaned up to be more precise
- more detailed example

Things that have not changed:
- no, I'm not going to do anything about HTTP header integrity. Write
another spec if you want that.

I'm aiming to have a couple of reference implementations and a final
spec by next Friday, March 20th.

Cheers,
Brian

Chris Chabot

Mar 12, 2009, 12:51:45 PM
to opensocial-an...@googlegroups.com
LGTM

Louis Ryan

Mar 12, 2009, 1:52:56 PM
to opensocial-an...@googlegroups.com
LGTM+++++

Apurv Gupta

Mar 12, 2009, 1:55:27 PM
to opensocial-an...@googlegroups.com
LGTM++

Adam Winer

Mar 12, 2009, 5:52:33 PM
to opensocial-an...@googlegroups.com
+1

John Panzer

Mar 12, 2009, 6:00:42 PM
to opensocial-an...@googlegroups.com
+1

(And, I think it'd be good to have a warning about needing to apply the hash code calculation to the right set of bytes -- it appears trivial at first glance, but isn't, and I can see that being a source of interop problems.  It'd also be nice to have something between the spec and implemented libraries that describes the gotchas -- maybe a wiki page?)
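
Added example, not part of the thread or of the draft: a sketch of the "right set of bytes" problem raised above, showing how common receiver-side transformations of a body break the hash comparison. It assumes the body hash is base64(SHA-1(raw body bytes)), as used with the HMAC-SHA1 and RSA-SHA1 signature methods; the function names and the sample body are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json


def body_hash(raw_body: bytes) -> str:
    """Return base64(SHA-1(raw_body)) computed over the exact bytes given."""
    return base64.b64encode(hashlib.sha1(raw_body).digest()).decode("ascii")


def verify_body_hash(raw_body: bytes, claimed: str) -> bool:
    """Check a claimed hash against the received bytes, in constant time."""
    return hmac.compare_digest(body_hash(raw_body), claimed)


# Constructed sample: a JSON body exactly as the client put it on the wire
# (UTF-8, CRLF line ending), and the hash the client computed over it.
WIRE_BODY = '{"name": "Zoë",\r\n "id": 7}'.encode("utf-8")
CLAIMED = body_hash(WIRE_BODY)


def receiver_variants(wire: bytes) -> dict:
    """Byte strings a receiver might hash by mistake instead of the wire bytes."""
    text = wire.decode("utf-8")
    return {
        "wire bytes": wire,
        "re-encoded as latin-1": text.encode("latin-1"),
        "newlines normalized": text.replace("\r\n", "\n").encode("utf-8"),
        "parsed and re-serialized": json.dumps(json.loads(text)).encode("utf-8"),
        "trailing newline added": wire + b"\n",
    }


def check_all(wire: bytes, claimed: str) -> dict:
    """Map each variant name to whether its hash matches the claimed value."""
    return {
        name: verify_body_hash(data, claimed)
        for name, data in receiver_variants(wire).items()
    }


if __name__ == "__main__":
    for name, ok in check_all(WIRE_BODY, CLAIMED).items():
        print(f"{name:28} {'match' if ok else 'MISMATCH'}")
```

Only the untouched wire bytes verify; a receiver that hashes after a framework has decoded, normalized or re-serialized the body will reject valid requests, so the hash has to be taken from the raw request buffer.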

Charlie Jiang

Mar 18, 2009, 1:20:23 AM
to opensocial-an...@googlegroups.com, oa...@googlegroups.com, oauth-ex...@googlegroups.com
Hi Brian,

Sorry to be very late to comment on this. Are we suggesting to push this
to be part of OAuth spec? If so, have we talked to them?

-Charlie

Brian Eaton

Mar 18, 2009, 12:26:17 PM
to opensocial-an...@googlegroups.com, oa...@googlegroups.com, oauth-ex...@googlegroups.com
Yes, we're pushing this to be an optional, backwards-compatible, part
of the OAuth specification. I've gotten good feedback from the OAuth
community so far.

The backwards compatible piece is pretty important; the idea is that
clients can opt-in to body signing without breaking existing
compatibility with existing service providers.

Brian Eaton

Mar 23, 2009, 2:51:30 PM
to opensocial-an...@googlegroups.com, oa...@googlegroups.com, oauth-ex...@googlegroups.com
Progress update:

There is a new draft out, with clarifications based on feedback and
implementation experience:

http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/4/spec.html

There are pending shindig code reviews for the implementation:

http://codereview.appspot.com/27054/show
http://codereview.appspot.com/28042/show
http://codereview.appspot.com/28075/show

Cheers,
Brian