Check out oAuth, to either see how they used it, or for the algo's http://oauth.net

Kyle

On Sun, Jun 22, 2008 at 7:53 AM, Steve Finkelstein <sf@xxxxxxxxxxxxx> wrote:
> Hi all,
>
> I'm working on a relatively straightforward Web API that'll have a
> SOAP presence. The most secure way of going about doing
> authentication would be undoubtedly client-certificate authentication.
> I have been able to implement such a service straightforwardly as
> there is plenty of documentation out there covering how to do so. I
> have some clients who're reluctant to manage client certificates at
> this point in time, and do prefer a communicated-key authentication,
> very similar to what Amazon and a few of the other big boys do. I'm
> having a bit of a difficult time coming up with multiple solutions as
> to how to properly implement this for my service besides stuffing a
> random hash into my database and making them send it to me over SSL
> through their message payload. I can then compare the hash against
> what's in the database + their IP, or something else.
>
> Would anyone be able to suggest some algorithm for the way I'm
> handling the tokens that's more secure and less "brute-forcible" than
> the methodology I described above? My objective in this exercise is
> not to only authenticate who's sending me the SOAP envelope, but also
> to ensure that whatever token/key system I implement is not open for
> very simple brute force. If they're able to knock down my brick
> house, I have other problems --- but I definitely want to build that
> brick foundation.
>
> Suggestions, web articles, books etc., are all welcome!
>
> Thank you for any advice from you avid web service gurus.
>
> /sf
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
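The "communicated-key" scheme the question refers to (the style Amazon used for its web services) is a shared-secret HMAC over the request rather than a token sent in the clear and compared against the database. The sketch below is an added example written for this thread, not code from either poster or from oauth.net; it assumes PHP 7 or later (for random_bytes, hash_equals and scalar type hints), a SOAP endpoint at the constructed path /api/v1/soap, and constructed header names (X-Client-Id, X-Timestamp, X-Nonce, X-Signature). The secret never travels with the request, a 32-byte random secret is not practically brute-forceable online, and the timestamp window plus nonce store limit replay of a captured envelope.

```php
<?php
// Added example (not from the original thread): HMAC request signing as an
// alternative to sending a stored token in the payload. Assumes PHP >= 7.
// Client ids, paths, header names and bodies below are constructed samples.

// Issue a per-client secret once and store it server-side (e.g. in the DB).
// 32 random bytes is far beyond online guessing, unlike a short token.
function issue_secret(): string {
    return bin2hex(random_bytes(32));
}

// Canonical string both sides sign: method, path, timestamp, nonce and a
// hash of the body, so none of them can be altered without breaking the MAC.
function canonical_string(string $method, string $path, int $ts, string $nonce, string $body): string {
    return implode("\n", [strtoupper($method), $path, (string)$ts, $nonce, hash('sha256', $body)]);
}

// Client side: compute the signature that goes into the X-Signature header.
function sign_request(string $secret, string $method, string $path, int $ts, string $nonce, string $body): string {
    return hash_hmac('sha256', canonical_string($method, $path, $ts, $nonce, $body), $secret);
}

// Server side. $clients maps client id => secret; $seen_nonces is a constructed
// stand-in for a short-lived store keyed by client id and nonce.
function verify_request(array $clients, array &$seen_nonces, array $headers,
                        string $method, string $path, string $body,
                        int $now, int $window = 300): bool {
    $id = $headers['X-Client-Id'] ?? '';
    if (!isset($clients[$id])) {
        return false; // unknown client id
    }
    $ts = (int)($headers['X-Timestamp'] ?? 0);
    if (abs($now - $ts) > $window) {
        return false; // stale or future-dated: bounds how long a captured request is useful
    }
    $nonce = $headers['X-Nonce'] ?? '';
    if ($nonce === '' || isset($seen_nonces[$id . ':' . $nonce])) {
        return false; // same nonce seen inside the window: replay
    }
    $expected = sign_request($clients[$id], $method, $path, $ts, $nonce, $body);
    $given = $headers['X-Signature'] ?? '';
    // Constant-time comparison: a byte-wise early-exit compare leaks timing.
    if (!hash_equals($expected, $given)) {
        return false;
    }
    $seen_nonces[$id . ':' . $nonce] = $ts; // record only after a successful check
    return true;
}

// Demonstration with constructed data.
$clients = ['acme' => issue_secret()];
$seen    = [];
$now     = time();
$path    = '/api/v1/soap';
$body    = '<soap:Envelope>...</soap:Envelope>';
$nonce   = bin2hex(random_bytes(16));
$headers = [
    'X-Client-Id' => 'acme',
    'X-Timestamp' => (string)$now,
    'X-Nonce'     => $nonce,
    'X-Signature' => sign_request($clients['acme'], 'POST', $path, $now, $nonce, $body),
];

echo "tampered body: ", var_export(verify_request($clients, $seen, $headers, 'POST', $path, $body . 'x', $now), true), "\n";
echo "genuine request: ", var_export(verify_request($clients, $seen, $headers, 'POST', $path, $body, $now), true), "\n";
echo "replayed request: ", var_export(verify_request($clients, $seen, $headers, 'POST', $path, $body, $now), true), "\n";
```

The order of the three calls matters for the demonstration: the tampered body is checked first so it fails on the signature rather than on the nonce, the genuine request then succeeds and records its nonce, and the identical request delivered a second time is rejected as a replay. Everything still goes over SSL as in the original plan; the signature protects the secret from being learned from the payload and stops the payload being altered, while the secret's length is what makes the scheme resistant to simple brute force.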