> We use the random part of the key to make the encrypted part unguessable.

I thought the only requirement here (for protocol adherence) is that the whole LT identifier is unguessable, which it is prior to encryption. Are you saying encryption is required for some technical reason in SWF? I don't see a security reason to encrypt.

> That said I can see if we can
> create keys by phrase rather than by secret key which could make management
> easier.

Password-based encryption would be preferable, but it's still another (albeit easier) kind of key management. I'm still trying to identify the core reason for encryption: technical or security.

M
