> 1. Is the encryption of the web flow key really necessary, or is the > addition of the random uuid to the key sufficient?
I think your analysis is correct if we simply want protocol adherence, but I believe the encryption was to support not being able to guess the concatenated flow and execution IDs. That said, I don't believe encryption offers any additional security value. I recommend we reconsider the symmetric encryption implementation due to the complexity it creates for clustered deployments. Key management is a drag on a single host; on multiple hosts it's a headache. M -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
