On Wednesday 06 January 2010 17:12:29 Elias Torres wrote:

> > So that would be my defence of why it's better to put the
> > "purpose" namespace into the key, rather than the value, in the
> > context of HMAC. I'm not an expert though.
>
> Can a separator solve that issue?

In that instance, yes. I'm wary of other applications of HMAC producing loopholes in which the user provides the separator as part of the value being signed, and is able to generate the same string.

In Tornado, they are suggesting having a separate key for signing cookies, in which case just signing "name=value" should be enough (provided the developer doesn't do something silly like make "=" part of the name of the cookie).

Luke

--
"Mediocrity: It takes a lot less time, and most people don't realise until it's too late." (despair.com)

Luke Plant || http://lukeplant.me.uk/
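The separator ambiguity discussed in this message, as an added example that is not part of the original post and is not Django's or Tornado's code: two different (name, value) pairs flatten to the same signed string when the separator can occur inside a field, while putting the namespace into the key keeps them apart. The secret, the function names and the HMAC-based derivation of the per-purpose key are assumptions made for the illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed value, not a real key


def sign_value_namespaced(name: str, value: str, sep: str = "=") -> str:
    """Namespace in the value: sign name + separator + value with one shared key."""
    msg = (name + sep + value).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def sign_key_namespaced(name: str, value: str) -> str:
    """Namespace in the key: derive a per-name key, then sign only the value.

    Deriving the key as HMAC(SECRET, name) is this example's assumption.
    """
    per_name_key = hmac.new(SECRET, name.encode(), hashlib.sha256).digest()
    return hmac.new(per_name_key, value.encode(), hashlib.sha256).hexdigest()


def same_signature(sig_a: str, sig_b: str) -> bool:
    """Constant-time comparison, as a verifier would do it."""
    return hmac.compare_digest(sig_a, sig_b)


def collision_demo() -> dict:
    # Constructed inputs: both pairs flatten to the string "a=b=c"
    # because "=" appears inside one of the fields.
    pair_1 = ("a", "b=c")
    pair_2 = ("a=b", "c")
    return {
        "value_namespaced_collides": same_signature(
            sign_value_namespaced(*pair_1), sign_value_namespaced(*pair_2)
        ),
        "key_namespaced_collides": same_signature(
            sign_key_namespaced(*pair_1), sign_key_namespaced(*pair_2)
        ),
    }


if __name__ == "__main__":
    for scheme, collides in collision_demo().items():
        print(f"{scheme}: {collides}")
```
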