On Sat, Oct 6, 2012 at 3:01 AM, Howard Lewis Ship <[email protected]> wrote:
>> Although I'm with Massimo on the random HMAC pass phrase, I don't
>> think the question should hold up a release. Having *some* HMAC
>> solution in place soon is important.
>
> I think having a random key is going to give people a false sense of
> security ("look, I don't even need to configure anything") and then
> big headaches ("why do some of my forms blow up with this HMAC
> thing?").

I don't want to transform this into a "bikeshed color" discussion but
having a random key or something along that way is far more secure
than the current default.

> The current solution runs, but emits the error that things could be more
> secure.

To my eyes this is a "false sense of security".

> I'm really thinking about using the AlertManager to force this into
> the developer's face.

I'd vote for that.

Cheers
--
Massimo
http://meridio.blogspot.com