Yes, the CAS protocol requirement is to be unguessable. Web Flow requires a guessable, parsable string with particular values. We solve both by attaching a random string in front of the guessable part and encrypting it. The UUID part is useless. Web Flow only cares about the second part. But if you just encrypted the existing web flow key it would always be the same value.

On Apr 7, 2011 10:36 AM, "Marvin Addison" <[email protected]> wrote:
>> We use the random part of the key to make the encrypted part unguessable.
>
> I thought the only requirement here (for protocol adherence) is that
> the whole LT identifier is unguessable, which it is prior to
> encryption. Are you saying encryption is required for some technical
> reason in SWF? I don't see a security reason to encrypt.
>
>> That said I can see if we can
>> create keys by phrase rather than by secret key which could make management
>> easier.
>
> Password-based encryption would be preferable, but it's still another
> (albeit easier) kind of key management. I'm still trying to identify
> the core reason for encryption: technical or security.
>
> M
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
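The construction described in the reply above (random string in front of the Spring Web Flow execution key, then encrypt the whole thing), as an added illustration that is not part of this thread or of the CAS code base. It uses a deliberately deterministic cipher, AES-CBC with a fixed IV, to model "just encrypting the existing web flow key": the same flow key then produces the same ticket every time, whereas a 16-byte random prefix makes every ticket distinct and is simply discarded after decryption. The "LT-" prefix, the prefix length, the sample flow execution key `e1s1` and the key bytes are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// prefixLen: random bytes placed in front of the Spring Web Flow execution
// key before encryption (an assumed value for this example).
const prefixLen = 16

// fixedIV makes AES-CBC deterministic on purpose: it models "just encrypting
// the existing web flow key", where equal inputs give equal tickets.
var fixedIV = make([]byte, aes.BlockSize)

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	out := append(make([]byte, 0, len(b)+n), b...)
	return append(out, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

func encryptCBC(key, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plain)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, fixedIV).CryptBlocks(out, padded)
	return out, nil
}

func decryptCBC(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, fixedIV).CryptBlocks(out, ct)
	return pkcs7Unpad(out)
}

// sealTicket encrypts and encodes; "LT-" is the assumed ticket prefix.
func sealTicket(key, plain []byte) (string, error) {
	ct, err := encryptCBC(key, plain)
	if err != nil {
		return "", err
	}
	return "LT-" + base64.RawURLEncoding.EncodeToString(ct), nil
}

// NaiveLoginTicket encrypts the flow execution key on its own: with a
// deterministic cipher the same key yields the same ticket every time.
func NaiveLoginTicket(key []byte, flowKey string) (string, error) {
	return sealTicket(key, []byte(flowKey))
}

// LoginTicket prepends prefixLen random bytes before encrypting, so two
// tickets for the same flow execution key never look alike.
func LoginTicket(key []byte, flowKey string) (string, error) {
	plain := make([]byte, prefixLen, prefixLen+len(flowKey))
	if _, err := rand.Read(plain); err != nil {
		return "", err
	}
	return sealTicket(key, append(plain, flowKey...))
}

// FlowKeyFromLoginTicket decrypts a ticket and discards the random prefix;
// only the remainder is handed to Spring Web Flow.
func FlowKeyFromLoginTicket(key []byte, ticket string) (string, error) {
	if len(ticket) < 3 || ticket[:3] != "LT-" {
		return "", errors.New("not a login ticket")
	}
	ct, err := base64.RawURLEncoding.DecodeString(ticket[3:])
	if err != nil {
		return "", err
	}
	plain, err := decryptCBC(key, ct)
	if err != nil || len(plain) < prefixLen {
		return "", errors.New("ticket did not decrypt to a prefixed flow key")
	}
	return string(plain[prefixLen:]), nil
}
```

The random prefix addresses guessability and linkability only. Unauthenticated CBC is malleable, so a client could flip bits in the flow-key portion of a ticket it was issued; a deployment that relies on the decrypted value should authenticate the ciphertext (AES-GCM, or encrypt-then-MAC) rather than rely on padding checks, and a per-ticket nonce in such a mode would also remove the repetition the reply describes.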
