[phpxmlrpc] [Fwd: xmlrpc signing]

Edd Dumbill edd@usefulinc.com
29 Oct 2002 07:48:00 +0000


Any comments?  Please be sure to CC Andres.

-----Forwarded Message-----

From: Andres Salomon <dilinger@voxel.net>
To: edd@usefulinc.com
Subject: xmlrpc signing
Date: 29 Oct 2002 02:41:38 -0500

I'm attempting to add key signing to your xmlrpc library (I'll feed
changes back upstream once I'm done).  Once an xmlrpcmsg is about to be
sent, it is serialized, a private key is used to generate a signature of
the serialized data, and both are sent to the xmlrpc server.  The server
uses the client's public key to verify that the msg came from the actual
client; if verification is successful, decode the xmlrpcmsg as normal.

My hang-up is how to send the payload signature.  The way I'd prefer to do it
is a simple form variable; the XMLRPC spec states that the xmlrpc
message is the body of a HTTP-POST request, so I figure that leaves
HTTP-GET available for (ab)use.  I'd like to do this in a manner that
works with other xmlrpc implementations (if not supporting the
verification, silently ignoring the signature).

Have you heard of any other implementations that allow this, or similar
workarounds (perhaps passing the signature elsewhere)?  Do you have any
suggestions?

--
It's not denial.  I'm just selective about the reality I accept.
	-- Bill Watterson
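
The scheme described in the forwarded message, as an added example that is not part of the original email or of the phpxmlrpc library: the client signs the serialized request bytes and carries the detached signature in the query string, and the server verifies those bytes before decoding anything. The `sig` parameter name, the endpoint URL, the sample message and the throwaway key pair are assumptions; only PHP's OpenSSL extension is used.

```php
<?php
// Added example: detached signature over the exact XML-RPC POST body,
// carried as a query-string parameter. "sig" and the endpoint are assumptions.

// Constructed demo key pair; a real client would load its existing private key
// and the server would hold only the matching public key.
$priv   = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA,
                            'private_key_bits' => 2048]);
$pubPem = openssl_pkey_get_details($priv)['key'];

// Client side: sign the serialized bytes exactly as they will be POSTed.
function sign_request(string $endpoint, string $body, $priv): string {
    if (!openssl_sign($body, $sig, $priv, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    // http_build_query percent-encodes the '+', '/' and '=' of base64.
    return $endpoint . '?' . http_build_query(['sig' => base64_encode($sig)]);
}

// Server side: check the raw body before any XML parsing takes place.
function verify_request(string $query, string $rawBody, string $pubPem): bool {
    parse_str($query, $params);
    if (!isset($params['sig']) || !is_string($params['sig'])) {
        return false;                        // unsigned request
    }
    $sig = base64_decode($params['sig'], true);
    if ($sig === false) {
        return false;                        // malformed encoding
    }
    // openssl_verify returns 1 (valid), 0 (invalid) or -1/false (error);
    // only an exact 1 counts as verified.
    return openssl_verify($rawBody, $sig, $pubPem, OPENSSL_ALGO_SHA256) === 1;
}

// Constructed sample message.
$body = '<?xml version="1.0"?><methodCall>'
      . '<methodName>examples.getStateName</methodName>'
      . '<params><param><value><int>41</int></value></param></params>'
      . '</methodCall>';

$url   = sign_request('http://rpc.example.test/server.php', $body, $priv);
$query = parse_url($url, PHP_URL_QUERY);

var_dump(verify_request($query, $body, $pubPem));                           // body as sent
var_dump(verify_request($query, str_replace('41', '42', $body), $pubPem)); // body altered in transit
var_dump(verify_request('', $body, $pubPem));                               // signature stripped
```

Verification has to run over the bytes exactly as received (for instance read from `php://input`), since re-serializing a parsed message can change them. A signature over the body alone does not stop a captured request from being replayed.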

