inadarei / pubsubhubbub

Automatically exported from code.google.com/p/pubsubhubbub

Properly document HMAC usage #90

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
From Nick Johnson

> The hubbub spec, in section 7.4, says:
>
> http://pubsubhubbub.googlecode.com/svn/trunk/pubsubhubbub-core-0.2.html#authednotify
>
> "The signature MUST be computed by appending the hub.secret value to the
> request body and then generating the combined string's HMAC using the SHA1
> algorithm."
>
> However, HMAC has a specific definition, in RFC2104, which allows for
> composing HMACs from secure hash algorithms. It's constructed specifically
> to make it more difficult to forge or brute-force an HMAC, a property the
> description in the hubbub spec lacks.
>
> Why does the hubbub spec use this ad-hoc construction instead of a proper
> HMAC?

Original issue reported on code.google.com by bslatkin on 19 Oct 2009 at 1:13
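
To make the distinction raised in this report concrete, here is an added example (not part of the original issue or the project's code) that computes a signature both ways: the literal "append the secret, then SHA1" reading and HMAC-SHA1 written out from the RFC 2104 definition, plus a receiver-side check. The function names and sample values are hypothetical, and using the secret as the HMAC key is an assumption based on RFC 2104.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-1 input block size in bytes (B in RFC 2104)


def adhoc_signature(body: bytes, secret: bytes) -> str:
    """Literal reading of the quoted 0.2 sentence: SHA1(body || secret)."""
    return hashlib.sha1(body + secret).hexdigest()


def rfc2104_hmac_sha1(body: bytes, secret: bytes) -> str:
    """HMAC-SHA1 written out from the RFC 2104 definition, secret as the key."""
    # Keys longer than one block are hashed first, then zero-padded to a block.
    key = hashlib.sha1(secret).digest() if len(secret) > BLOCK_SIZE else secret
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(ipad + body).digest()      # H(K xor ipad || message)
    return hashlib.sha1(opad + inner).hexdigest()   # H(K xor opad || inner)


def verify(body: bytes, secret: bytes, received_hex: str) -> bool:
    """Receiver-side check: recompute with the stdlib, compare in constant time."""
    expected = hmac.new(secret, body, hashlib.sha1).hexdigest()
    received = received_hex.strip().lower()
    return hmac.compare_digest(expected.encode(), received.encode())


if __name__ == "__main__":
    # Constructed sample values, not taken from the issue or the spec.
    body = b"<feed><entry>constructed sample</entry></feed>"
    secret = b"constructed-shared-secret"
    adhoc = adhoc_signature(body, secret)
    print("ad-hoc   :", adhoc)
    print("RFC 2104 :", rfc2104_hmac_sha1(body, secret))
    print("stdlib   :", hmac.new(secret, body, hashlib.sha1).hexdigest())
    print("ad-hoc value accepted by an HMAC verifier?", verify(body, secret, adhoc))
```

A sender following the literal reading and a receiver using a standard HMAC library produce different values for the same body and secret, so the two sides do not interoperate until the wording is made unambiguous.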

GoogleCodeExporter commented 9 years ago

Original comment by bslatkin on 8 Feb 2010 at 11:28

GoogleCodeExporter commented 9 years ago
Addressed in 0.3 draft spec

Original comment by bslatkin on 9 Feb 2010 at 6:05