Confirm
471
edits
Changes
→Signing Certificates
[[File:PICL-IdPAuth-signCertificateuse-session.png|Deriving Keys to Sign Using the CertificatesessionToken, signing certificates]]
The requestHMACkey is used in a HAWK (https://github.com/hueniverse/hawk/) request to provide integrity over the "signCertificate" request. It is used as credentials.key, while tokenID is used as credentials.id . HAWK includes the URL and the HTTP method ("POST") in the HMAC-protected data, and will optionally include the HTTP request body (payload) if requested.
For signCertificate(), it is critical to enable payload verification by setting options.payload=true (on both client and server). Otherwise a man-in-the-middle could submit their own public key, get it signed, and then delete the user's data on the storage servers.
[[File:PICL-IdPAuth-signRequestencrypt-passwordChange.png|Signing the signCertificate RequestServer encrypts passwordChange response]][[File:PICL-IdPAuth-encrypt-resetAccount.png|Client encrypts resetAccount request]]
HAWK provides one thing: integrity/authentication for the request contents (URL, method, and optionally the body). It does not provide confidentiality of the request, or integrity of the response, or confidentiality of the response.
