I don't want to kill this conversation but it might need to wait until I have a real keyboard. CAS IRC chat on Monday? Otherwise my responses will continue to be short.

On Apr 7, 2011 11:14 AM, "Scott Battaglia" <[email protected]> wrote:
> Yes the CAS protocol requirement is to be unguessable. Web Flow requires a
> guessable parsable string with particular values. We solve both by attaching
> a random string in front of the guessable part and encrypting it. The uuid
> part is useless. Web Flow only cares about the second part. But if you just
> encrypted the existing web flow key it would always be the same value.
>
> On Apr 7, 2011 10:36 AM, "Marvin Addison" <[email protected]> wrote:
>>> We use the random part of the key to make the encrypted part unguessable.
>>
>> I thought the only requirement here (for protocol adherence) is that
>> the whole LT identifier is unguessable, which it is prior to
>> encryption. Are you saying encryption is required for some technical
>> reason in SWF? I don't see a security reason to encrypt.
>>
>>> That said I can see if we can
>>> create keys by phrase rather than by secret key which could make management
>>> easier.
>>
>> Password-based encryption would be preferable, but it's still another
>> (albeit easier) kind of key management. I'm still trying to identify
>> the core reason for encryption: technical or security.
>>
>> M
>>
>> --
>> You are currently subscribed to [email protected] as: [email protected]
>> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
