author | friendica <info@friendica.com> | 2012-10-16 16:24:37 -0700 |
---|---|---|
committer | friendica <info@friendica.com> | 2012-10-16 16:24:37 -0700 |
commit | cdeb43f987862a3955700c6ac7b3b84231e5e062 (patch) | |
tree | ce88a8ac87a8b6ab27b04e4bf61491c3cd3d0152 /spec | |
parent | b233b9c63359002f25d3ae2ede2aa26b82d6d2e9 (diff) | |
download | volse-hubzilla-cdeb43f987862a3955700c6ac7b3b84231e5e062.tar.gz volse-hubzilla-cdeb43f987862a3955700c6ac7b3b84231e5e062.tar.bz2 volse-hubzilla-cdeb43f987862a3955700c6ac7b3b84231e5e062.zip |
Diffstat (limited to 'spec')
-rw-r--r-- | spec/zot-2012.txt | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/spec/zot-2012.txt b/spec/zot-2012.txt index bd84e63d0..d01af5c87 100644 --- a/spec/zot-2012.txt +++ b/spec/zot-2012.txt 
@@ -22,11 +22,16 @@ This information will identify a channel+site pair in the future. When contact i If a new location is provided, this process is repeated but only the new location needs to be verified and stored. -Messages are sent by providing this information in an HTTP post to the other site, along with a protocol version specifier and type of message. For some message types, the message is included. Others will require a security handshake with the remote site calling back the original to verify the identity assertion and the message is only collected at that time. +Messages are sent by providing this information in an HTTP post (*) to the other site, along with a protocol version specifier and type of message and a verification token. For message types which do not require identity validation, the message may be included. Others will require a security handshake with the remote site calling back the original to verify the identity assertion and the message is only collected at that time. Multiple messages may be sent, and a callback may result in the collection of multiple messages destined for this site, not necessarily limited to the channel/location which was asserted. +(*) A POST method is used for many protocol transactions as site "hardening" tools may place overly restrictive length limits on GET data. We are typically sending several encoded/encrypted strings and these requests are likely to fail on some sites and become a nagging support issue if a GET request is used. + +The verification token is signed by the remote site and the signed token returned during the callback. This verifies the identity of the callback - by matching with known tokens. + + Permissions: Permissions are available for several different activities. This list is enumerated by a POST to the permissions service with the above channel+location information. An array of permissions will be returned. 
If no identity assertion is made, a list of the default channel permissions is returned. |
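Review bot: The added paragraph on the verification token (the last added paragraph before "Permissions:") leaves the token underspecified: it does not say how the sending site generates it, how long it stays valid, whether it may be matched more than once, or which key and algorithm the remote site uses to sign it. Suggest stating that the token is unpredictable, bound to the pending message(s), and discarded after one successful callback or on expiry, and defining what the receiver does when the returned token matches no known token. "Remote site" is also ambiguous in that paragraph, since during a callback each side is remote to the other; naming the sender and the recipient explicitly would remove the doubt. In the rewritten first paragraph, "message types which do not require identity validation" should list those types or point to where they are defined, so an implementer knows when a message may be included in the initial POST.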