ankurpiyush26 / pubsubhubbub

Automatically exported from code.google.com/p/pubsubhubbub

Document hub.secret and how HMACs will work #32

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
SUMMARY:

As an extra level of protection and provability, we're going to have Hubs
generate an HMAC signature of their payloads for each subscriber URL.

RELEVANT SECTION:  Affects subscription and notification.

COMMENT/REQUEST:

The signature will go in a header like this:

X-Hub-Signature: sha1=12aab312cc492dd149...

For now sha1 MUST be accepted. We may add support for other algorithms in
the future.

Original issue reported on code.google.com by bslatkin on 16 Jul 2009 at 7:16

GoogleCodeExporter commented 9 years ago
Doesn't this require a shared secret key? How is that shared?

Original comment by progr...@gmail.com on 18 Jul 2009 at 10:15

GoogleCodeExporter commented 9 years ago
More discussion in this thread:

http://groups.google.com/group/pubsubhubbub/browse_thread/thread/85f5d47974e57008/21fe4012db20f884?lnk=gst&q=hub.secret#21fe4012db20f884

Original comment by bslatkin on 20 Jul 2009 at 6:25

GoogleCodeExporter commented 9 years ago
Note that this is an extension proposal, not part of the core spec.

Original comment by bslatkin on 22 Jul 2009 at 5:26

GoogleCodeExporter commented 9 years ago
We've decided to make this part of the core spec.

Three parts to this:
1. Sub to Hub (hub.secret parameter)
2. Hub hash on delivery
3. Aggregation

Aggregation is the most interesting. If a subscriber has a single callback URL
for all subscriptions, and the same hub.secret for all of them, then we will do
aggregation by signing the whole aggregated payload.

Original comment by bslatkin on 27 Aug 2009 at 4:10
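
The hub-side signing and subscriber-side check discussed in this thread, as an added example that is not part of the original issue or the project's own code. It assumes the HMAC key is the subscriber's hub.secret and the signed data is the raw request body (the whole aggregated payload, when aggregation applies); the function names, secret and payload are constructed for illustration.

```python
import hashlib
import hmac

# Only sha1 is named in the thread ("For now sha1 MUST be accepted").
ALLOWED_ALGORITHMS = {"sha1": hashlib.sha1}

# Constructed sample values, not taken from the thread.
SECRET = b"constructed-demo-secret"
BODY = b'<?xml version="1.0"?><feed><entry><title>constructed</title></entry></feed>'


def sign_payload(secret: bytes, body: bytes) -> str:
    """Hub side: build the X-Hub-Signature header value for one delivery."""
    return "sha1=" + hmac.new(secret, body, hashlib.sha1).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value) -> bool:
    """Subscriber side: True only if the header authenticates the raw body."""
    if not header_value or "=" not in header_value:
        return False  # missing or malformed header: treat as unauthenticated
    algorithm, _, received_hex = header_value.strip().partition("=")
    digestmod = ALLOWED_ALGORITHMS.get(algorithm.lower())
    if digestmod is None:
        return False  # algorithm outside the allowlist: never fall back
    expected_hex = hmac.new(secret, body, digestmod).hexdigest()
    # Constant-time comparison avoids leaking how many leading digits match.
    return hmac.compare_digest(expected_hex.encode(),
                               received_hex.strip().lower().encode())


def demo() -> dict:
    """Run the check against good and bad inputs; returns each outcome."""
    header = sign_payload(SECRET, BODY)
    return {
        "valid": verify_signature(SECRET, BODY, header),
        "tampered_body": verify_signature(SECRET, BODY + b" ", header),
        "wrong_secret": verify_signature(b"other-secret", BODY, header),
        "unknown_algorithm": verify_signature(SECRET, BODY, "md5=" + header[5:]),
        "missing_header": verify_signature(SECRET, BODY, None),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The check must run over the bytes exactly as received, before any XML parsing or re-serialization, or a valid delivery will fail verification.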

GoogleCodeExporter commented 9 years ago

Original comment by bslatkin on 27 Aug 2009 at 11:54

GoogleCodeExporter commented 9 years ago
Addressed in 0.2

Original comment by bslatkin on 2 Sep 2009 at 1:21