[phpxmlrpc] [Fwd: xmlrpc signing]
29 Oct 2002 07:48:00 +0000
Any comments? Please be sure to CC Andres.
From: Andres Salomon <firstname.lastname@example.org>
Subject: xmlrpc signing
Date: 29 Oct 2002 02:41:38 -0500
I'm attempting to add key signing to your xmlrpc library (I'll feed
changes back upstream once I'm done). Once an xmlrpcmsg is about to be
sent, it is serialized, a private key is used to generate a signature of
the serialized data, and both are sent to the xmlrpc server. The server
uses the client's public key to verify that the msg came from the actual
client; if verification is sucessful, decode the xmlrpcmsg as normal.
My hang-up is how to send the payload signature. The way I'd prefer to do =
is a simple form variable; the XMLRPC spec states that the xmlrpc
message is the body of a HTTP-POST request, so I figure that leaves
HTTP-GET available for (ab)use. I'd like to do this in a manner that
works with other xmlrpc implementations (if not supporting the
verification, silently ignoring the signature).
Have you heard of any other implementations that allow this, or similar
workarounds (perhaps passing the signature elsewhere)? Do you have any
It's not denial. I'm just selective about the reality I accept.
-- Bill Watterson
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
-----END PGP SIGNATURE-----