author: friendica <info@friendica.com> 2012-10-16 16:24:37 -0700
committer: friendica <info@friendica.com> 2012-10-16 16:24:37 -0700
commit: cdeb43f987862a3955700c6ac7b3b84231e5e062
tree: ce88a8ac87a8b6ab27b04e4bf61491c3cd3d0152 /spec
parent: b233b9c63359002f25d3ae2ede2aa26b82d6d2e9
Diffstat (limited to 'spec')
-rw-r--r-- spec/zot-2012.txt 7
1 files changed, 6 insertions, 1 deletions
diff --git a/spec/zot-2012.txt b/spec/zot-2012.txt
index bd84e63d0..d01af5c87 100644
--- a/spec/zot-2012.txt
+++ b/spec/zot-2012.txt
@@ -22,11 +22,16 @@ This information will identify a channel+site pair in the future. When contact i
If a new location is provided, this process is repeated but only the new location needs to be verified and stored.
-Messages are sent by providing this information in an HTTP post to the other site, along with a protocol version specifier and type of message. For some message types, the message is included. Others will require a security handshake with the remote site calling back the original to verify the identity assertion and the message is only collected at that time.
+Messages are sent by providing this information in an HTTP post (*) to the other site, along with a protocol version specifier and type of message and a verification token. For message types which do not require identity validation, the message may be included. Others will require a security handshake with the remote site calling back the original to verify the identity assertion and the message is only collected at that time.
Multiple messages may be sent, and a callback may result in the collection of multiple messages destined for this site, not necessarily limited to the channel/location which was asserted.
+(*) A POST method is used for many protocol transactions as site "hardening" tools may place overly restrictive length limits on GET data. We are typically sending several encoded/encrypted strings and these requests are likely to fail on some sites and become a nagging support issue if a GET request is used.
+
+The verification token is signed by the remote site and the signed token returned during the callback. This verifies the identity of the callback - by matching with known tokens.
+
+
Permissions:
Permissions are available for several different activities. This list is enumerated by a POST to the permissions service with the above channel+location information. An array of permissions will be returned. If no identity assertion is made, a list of the default channel permissions is returned.
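Review bot: The new paragraph beginning "The verification token is signed by the remote site" leaves the token underspecified for something the callback's identity check depends on. It does not say who generates the token, that it must be unpredictable and unique per request, how long it stays valid, or that it is discarded after one successful callback, so a replayed or guessed token is not ruled out by the text. It also does not say which key the remote site signs with, or that the originator verifies that signature rather than only "matching with known tokens"; matching alone shows the callback carries a token that was issued, not which site is presenting it. "Remote site" is ambiguous here as well, since the preceding paragraph uses it for the receiver that calls back "the original"; naming the two roles (for example sender and recipient) would remove the doubt. Suggest adding a sentence for each of these, stating what the originator does when the token is unknown or the signature fails, and dropping one of the two blank lines added before "Permissions:". The "(*)" footnote would also read better directly after the paragraph that references it, not after the "Multiple messages" paragraph.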