#27468: Move utils.crypto.salted_hmac() from SHA1 toward SHA256
-------------------------------------+-------------------------------------
     Reporter:  Tim Graham           |                    Owner:  Claude Paroz
         Type:  Cleanup/optimization |                   Status:  assigned
    Component:  Utilities            |                  Version:  master
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Claude Paroz):

 Replying to [comment:7 Collin Anderson]:
 > ...Add a "sha256:" prefix to new signatures, and a signature without an algorithm should be assumed to be `SHA1`, similar to how a password without an algorithm prefix is assumed to be `md5`.

 That's the approach I chose for the CookieStorage part of my patch, I also think it's a good upgrade path.

 > The default `SIGNING_HASHERS` could be something like `['django.core.signing.hashers.SHA256', 'django.core.signing.hashers.SHA1']` (or maybe just `['sha256', 'sha1']`)

 Your idea about `SIGNING_HASHERS` could be handled separately. I'm not yet convinced about use cases for that, but let's keep it in mind.

--
Ticket URL: <https://code.djangoproject.com/ticket/27468#comment:8>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
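
The upgrade path discussed in this comment, as an added sketch that is not Django's code or the patch under review: new signatures carry a `sha256:` prefix, and a signature with no prefix is verified as SHA1. The names `salted_mac`, `sign`, `verify`, the `accept_legacy` switch and the secret are assumptions made for the illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-secret-for-the-example"  # constructed value
# Allowlist: the prefix comes from untrusted input, so never look it up
# in hashlib directly.
ALGORITHMS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}
DEFAULT_ALGORITHM = "sha256"
LEGACY_ALGORITHM = "sha1"  # assumed when a signature has no prefix


def salted_mac(salt: bytes, value: bytes, algorithm: str) -> str:
    """Simplified salted HMAC: derive a per-salt key, then HMAC the value."""
    digest = ALGORITHMS[algorithm]
    key = digest(salt + SECRET).digest()
    return hmac.new(key, value, digest).hexdigest()


def sign(salt: bytes, value: bytes) -> str:
    """New signatures always carry the algorithm prefix."""
    return f"{DEFAULT_ALGORITHM}:{salted_mac(salt, value, DEFAULT_ALGORITHM)}"


def verify(salt: bytes, value: bytes, signature: str,
           accept_legacy: bool = True) -> bool:
    """Check a signature; one without a prefix is treated as legacy SHA1."""
    algorithm, sep, mac = signature.partition(":")
    if not sep:
        # No prefix: the signature predates the change.
        algorithm, mac = LEGACY_ALGORITHM, signature
    if algorithm not in ALGORITHMS:
        return False
    if algorithm == LEGACY_ALGORITHM and not accept_legacy:
        # Set accept_legacy=False once old signatures have expired.
        return False
    expected = salted_mac(salt, value, algorithm)
    # Compare as bytes in constant time; bytes also tolerate non-ASCII input.
    return hmac.compare_digest(mac.encode(), expected.encode())
```

Stripping the prefix from a SHA256 signature does not help a forger: the remainder is then checked against the SHA1 MAC and fails.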