> It's the only way to prevent exposing the execution and snapshot ids.

Why are we trying to protect those again? The data they point to are bound to the session, so you'd have to compromise the session to access anything meaningful. We're protocol compliant without encryption as Jon noted, so I think it's important to justify the security requirement for encryption.

> We have a constructor that takes a provided secret key rather than the
> generated one.

Providing the key is the key management headache I referred to for clustered deployments.

M
