On Jan 4, 2:45 pm, Jordan Christensen <thebi...@gmail.com> wrote:
> Is there a good way to make it forward upgradeable? Allow the
> developer to decide on the shorter SHA-1 hash or the (theoretically)
> more secure SHA-256?
There is - we can expand the BACKEND setting which is already in place for signed cookies (but not for other clients of the Signer class). I think we should do this. For one thing, it would mean we could provide a backend which uses the Google keyczar Python library instead of the code that we write. keyczar is properly audited, but depends on PyCrypto so isn't appropriate as a required dependency of Django.

Another thing we can do is use SHA-256 but truncate the HMAC to 128 characters. Apparently it's perfectly fine to do this - it's being discussed in the programming.reddit thread at the moment.
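Added example, not code from Django or from anyone in this thread: one way a forward-upgradeable signer of the kind discussed above could work. The algorithm name travels with the signature and is also bound into the derived MAC key, new signatures use HMAC-SHA256 truncated to 128 bits (16 bytes, which is what a 128-bit truncation means in practice), and old HMAC-SHA1 signatures stay verifiable only while "sha1" is on an explicit accept-list. The names ALGORITHMS, Signer, BadSignature, the salt string and the "value:alg:tag" wire format are assumptions made for this example; they are not a Django setting or API.

```python
import base64
import hashlib
import hmac

# Hypothetical backend registry for this example: name -> (hash constructor,
# tag length in bytes). Illustrative only, not a Django setting.
ALGORITHMS = {
    "sha1": (hashlib.sha1, 20),      # legacy: full 160-bit HMAC-SHA1 tag
    "sha256": (hashlib.sha256, 16),  # HMAC-SHA256 truncated to 128 bits
}

SEP = ":"


class BadSignature(Exception):
    """Raised when a signed value fails verification."""


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Signer:
    """Sign with one algorithm, verify against an explicit accept-list.

    The algorithm name is part of the signed string and is mixed into the
    derived MAC key, so relabelling a tag as another algorithm cannot make
    it verify. SHA-1 signatures issued before an upgrade remain valid only
    while "sha1" is in `accept`; drop it to close the legacy window.
    """

    def __init__(self, key, algorithm="sha256", accept=("sha256",), salt=b"example.signer"):
        unknown = {algorithm, *accept} - set(ALGORITHMS)
        if unknown:
            raise ValueError("unknown algorithm(s): %s" % sorted(unknown))
        self.key = key
        self.algorithm = algorithm
        self.accept = frozenset(accept) | {algorithm}
        self.salt = salt

    def _tag(self, algorithm, value):
        digestmod, tag_len = ALGORITHMS[algorithm]
        # Per-purpose, per-algorithm key: the same secret reused by another
        # signer (different salt) or another backend cannot produce a valid tag here.
        derived = hmac.new(self.key, self.salt + b"|" + algorithm.encode("ascii"), digestmod).digest()
        mac = hmac.new(derived, value.encode("utf-8"), digestmod).digest()
        return mac[:tag_len]  # truncation happens here (16 bytes for sha256)

    def sign(self, value):
        tag = self._tag(self.algorithm, value)
        return SEP.join((value, self.algorithm, _b64encode(tag)))

    def unsign(self, signed):
        # rsplit so that SEP occurring inside the value itself is harmless.
        try:
            value, algorithm, tag_text = signed.rsplit(SEP, 2)
            tag = _b64decode(tag_text)
        except ValueError:
            raise BadSignature("malformed signed value")
        if algorithm not in self.accept:
            raise BadSignature("algorithm %r not accepted" % algorithm)
        expected = self._tag(algorithm, value)
        # Constant-time comparison; a wrong key, value or algorithm all fail here.
        if not hmac.compare_digest(tag, expected):
            raise BadSignature("signature mismatch")
        return value


def rollout_demo():
    """Constructed walk-through of an upgrade from SHA-1 to truncated SHA-256."""
    key = b"constructed-example-key-not-for-production"
    before = Signer(key, algorithm="sha1")                               # pre-upgrade
    during = Signer(key, algorithm="sha256", accept=("sha256", "sha1"))  # transition
    after = Signer(key, algorithm="sha256")                              # legacy window closed
    legacy = before.sign("user=42")
    current = during.sign("user=42")
    results = {
        "legacy_accepted_during": during.unsign(legacy) == "user=42",
        "current_tag_bytes": len(_b64decode(current.rsplit(SEP, 2)[2])),
    }
    try:
        after.unsign(legacy)
        results["legacy_rejected_after"] = False
    except BadSignature:
        results["legacy_rejected_after"] = True
    # Relabel the SHA-256 tag as SHA-1 (a downgrade attempt): must fail even
    # though the transition signer still accepts sha1.
    value, _, tag_text = current.rsplit(SEP, 2)
    try:
        during.unsign(SEP.join((value, "sha1", tag_text)))
        results["relabel_rejected"] = False
    except BadSignature:
        results["relabel_rejected"] = True
    return results


if __name__ == "__main__":
    print(rollout_demo())
```

The accept-list is the practical part of "forward upgradeable": deploy with both algorithms accepted, let existing cookies expire, then remove "sha1" so a downgrade is no longer possible at all. Adding a further backend (keyczar or anything else) means registering another name and tag length, and nothing already signed stops verifying.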