The signature aspect I talked about in the post I made on X-Callback was definitely an aside, but the discussion around it has made me think about it more. Perhaps it's too presumptuous to tackle any sort of general "signature" header. Instead, we could take what I proposed and find a good home for it.
The basic idea of the signature I proposed was a simple HMAC for the content of the body. Perhaps we follow conventions put in place by the Authorization and Content-MD5 headers.
From Wikipedia on Content-MD5:
"A Base64-encoded binary MD5 sum of the content of the response"
Example:
Content-MD5: Q2hlY2sgSW50ZWdyaXR5IQ==
We're all familiar with Authorization; it follows the pattern of a scheme name followed by a base64 representation. Combine these ideas and you have:
Content-HMAC: sha1 C+7Hteo/D9vJXQ3UfzxbwnXaijM=
Compare this to what I suggested:
X-Signature: sha1=0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33
The primary differences are the more conventional and specific name, and a more conventional representation of the actual HMAC (the base64-encoded binary hash, rather than a hex representation).
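To make the two representations concrete, here is an added Python example (not code from the original post): it builds the proposed Content-HMAC value in the "scheme, then base64" form, builds the earlier X-Signature hex form for comparison, and shows what a receiver has to do to check the header. The shared key and request body are constructed sample values, and the sha256 option is an assumption added to show the scheme part is algorithm-agnostic; the post itself only shows sha1.

```python
import base64
import binascii
import hashlib
import hmac

# Algorithms the scheme part of the header may name. "sha1" is what the post
# uses; "sha256" is added here as an assumption, not something the post proposes.
ALGORITHMS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


def content_hmac(body: bytes, key: bytes, algorithm: str = "sha1") -> str:
    """Build the proposed Content-HMAC value: '<algorithm> <base64(HMAC(key, body))>'."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    mac = hmac.new(key, body, ALGORITHMS[algorithm]).digest()
    return f"{algorithm} {base64.b64encode(mac).decode('ascii')}"


def x_signature(body: bytes, key: bytes) -> str:
    """The earlier X-Signature form from the post: 'sha1=<hex digest>'."""
    return "sha1=" + hmac.new(key, body, hashlib.sha1).hexdigest()


def parse_content_hmac(value: str) -> tuple[str, bytes]:
    """Split 'sha1 <base64>' into (algorithm, raw MAC bytes).

    Malformed input raises ValueError instead of being guessed at.
    """
    parts = value.strip().split()
    if len(parts) != 2:
        raise ValueError("expected '<algorithm> <base64>'")
    algorithm, encoded = parts
    algorithm = algorithm.lower()
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    try:
        mac = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("header is not valid base64") from exc
    # A MAC of the wrong length can never verify, so reject it up front.
    if len(mac) != ALGORITHMS[algorithm]().digest_size:
        raise ValueError("MAC length does not match the named algorithm")
    return algorithm, mac


def verify_content_hmac(body: bytes, key: bytes, header_value: str) -> bool:
    """Receiver side: recompute the MAC over the body actually received and
    compare in constant time. Any malformed header counts as a failed check."""
    try:
        algorithm, received = parse_content_hmac(header_value)
    except ValueError:
        return False
    expected = hmac.new(key, body, ALGORITHMS[algorithm]).digest()
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    key = b"constructed-shared-secret"        # constructed sample key
    body = b'{"action":"open","item":42}'      # constructed sample body
    header = content_hmac(body, key)
    print("Content-HMAC:", header)
    print("X-Signature:", x_signature(body, key))
    print("verifies:", verify_content_hmac(body, key, header))
    print("tampered body verifies:", verify_content_hmac(body + b" ", key, header))
```

The two header forms carry the same 20 bytes; only the encoding differs, so base64 saves a few characters and matches the Content-MD5 convention. On the receiving side the check is recomputed over the bytes that actually arrived and compared with hmac.compare_digest, so a near-miss MAC fails in the same time as a completely wrong one. This is also where the proposal differs from Content-MD5 in substance: the MAC needs the shared key, so a valid header says something about who produced the body, not just that it arrived intact.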
Thoughts?