[phpxmlrpc] [Fwd: xmlrpc signing]

Edd Dumbill edd@usefulinc.com
29 Oct 2002 07:48:00 +0000

Any comments?  Please be sure to CC Andres.

-----Forwarded Message-----

From: Andres Salomon <dilinger@voxel.net>
To: edd@usefulinc.com
Subject: xmlrpc signing
Date: 29 Oct 2002 02:41:38 -0500

I'm attempting to add key signing to your xmlrpc library (I'll feed
changes back upstream once I'm done).  Once an xmlrpcmsg is about to be
sent, it is serialized, a private key is used to generate a signature of
the serialized data, and both are sent to the xmlrpc server.  The server
uses the client's public key to verify that the msg came from the actual
client; if verification is successful, decode the xmlrpcmsg as normal.

My hang-up is how to send the payload signature.  The way I'd prefer to do it
is a simple form variable; the XMLRPC spec states that the xmlrpc
message is the body of a HTTP-POST request, so I figure that leaves
HTTP-GET available for (ab)use.  I'd like to do this in a manner that
works with other xmlrpc implementations (if not supporting the
verification, silently ignoring the signature).

Have you heard of any other implementations that allow this, or similar
workarounds (perhaps passing the signature elsewhere)?  Do you have any

It's not denial.  I'm just selective about the reality I accept.
	-- Bill Watterson
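
The sign-then-verify flow described in the message above, as an added example that is not part of the original message and is not phpxmlrpc code. The `sig` query parameter, the helper names, the `/RPC2` path and the throwaway RSA key pair are assumptions made for the illustration.

```php
<?php
// Added example; not phpxmlrpc code. The "sig" parameter name, the helper
// names, the /RPC2 path and the throwaway key pair are assumptions.

// Client side: sign the exact bytes that will form the POST body.
function sign_payload(string $xml, $privateKey): string
{
    if (!openssl_sign($xml, $signature, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('openssl_sign failed');
    }
    return bin2hex($signature); // hex needs no escaping in a query string
}

// Server side: check the raw body before any XML decoding takes place.
// In a real endpoint $rawBody is file_get_contents('php://input') and
// $sigParam is $_GET['sig'] ?? null.
function verify_payload(string $rawBody, ?string $sigParam, $publicKey): bool
{
    if ($sigParam === null || $sigParam === ''
        || strlen($sigParam) % 2 !== 0 || !ctype_xdigit($sigParam)) {
        return false; // missing or malformed signature
    }
    $ok = openssl_verify($rawBody, hex2bin($sigParam), $publicKey, OPENSSL_ALGO_SHA256);
    return $ok === 1; // 0 means bad signature, -1/false means error
}

// Constructed demo data: a fresh key pair and a sample methodCall.
$key = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
$publicPem = openssl_pkey_get_details($key)['key'];
$xml = '<?xml version="1.0"?><methodCall><methodName>examples.getStateName</methodName>'
     . '<params><param><value><int>41</int></value></param></params></methodCall>';

$sig = sign_payload($xml, $key);
echo "POST /RPC2?sig=" . substr($sig, 0, 16) . "...\n";

var_dump(verify_payload($xml, $sig, $publicPem));                          // unmodified body
var_dump(verify_payload(str_replace('41', '42', $xml), $sig, $publicPem)); // body altered in transit
var_dump(verify_payload($xml, null, $publicPem));                          // signature stripped
```

The signature here covers only the POST body, so a captured request still verifies if it is replayed; a timestamp or nonce inside the signed bytes would be needed to detect that. A server that verifies also has to reject requests with no signature, since a server that silently ignores the parameter gives no assurance about the sender.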
