sbp commented on issue #233: URL: https://github.com/apache/tooling-trusted-release/issues/233#issuecomment-3299232607
[GitHub use](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-authentication-to-github) `ghp_`, `github_pat_`, `gho_`, `ghu_`, `ghs_`, `ghr_`. [GitLab use](https://docs.gitlab.com/security/tokens/) `glpat-`, `gloas-`, `gldt-`, `glrt-`, `glrtr-`, `glcbt-`, `glptt-`, etc. [Stripe use](https://docs.stripe.com/keys) `sk_test_`, `pk_test_`, `rk_test_` for test keys. [Slack use](https://docs.slack.dev/authentication/tokens/) `xoxb-`, `xwfp-`, `xoxp-`, and `xapp-`.

[NPM use](https://github.blog/security/announcing-npms-new-access-token-format/) `npm_`, with a little note about why they chose underscore: "Moreover, the delimiter following after is no longer a - but an underscore _ which means that the full token can be selected when double-clicked (saving you 0.005 seconds 🎉 )."

They also include a checksum, which is interesting: "The last six characters of the tokens consist of CRC32 checksum, which is encoded in our Base62 implementation to further eliminate false positives when scanning for leaked tokens."

Also [GitHub give rationale about the underscore](https://github.blog/security/announcing-npms-new-access-token-format/): "An underscore is not a Base64 character which helps ensure that our tokens cannot be accidentally duplicated by randomly generated strings like SHAs."

We could use something like `asf` as a general prefix, `t` for tooling, `a` for the atr, and then I suppose a token type, e.g. `p` for PATs. That would give e.g. `asftap-`, which is still reasonably short, but well scoped, with room for extensibility across the whole foundation.
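As an added illustration (not code from the issue or from the ATR project), here is the shape of the scheme the comment describes: a scoped `asftap-` prefix, a random Base62 body, and a trailing CRC32 checksum encoded in Base62, plus a scanner that uses the checksum to discard strings that merely look like tokens. The prefix, the 30-character body length and the Base62 alphabet are assumptions for the example.

```python
import re
import secrets
import zlib

BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PREFIX = "asftap-"   # hypothetical prefix proposed in the comment: asf / tooling / atr / PAT
BODY_LEN = 30        # random Base62 characters in the body (assumption)
CHECKSUM_LEN = 6     # CRC32 fits in 6 Base62 digits, since 62**6 > 2**32


def base62_encode(n: int, width: int) -> str:
    """Encode a non-negative integer in Base62, left-padded with '0' to `width`."""
    digits = ""
    while n:
        n, rem = divmod(n, 62)
        digits = BASE62[rem] + digits
    return digits.rjust(width, "0")


def checksum(body: str) -> str:
    """CRC32 of the body, Base62-encoded. This is not a secret and adds no
    security; it only lets a scanner reject random strings that look like tokens."""
    return base62_encode(zlib.crc32(body.encode("ascii")) & 0xFFFFFFFF, CHECKSUM_LEN)


def mint_token(body=None) -> str:
    """Build prefix + random body + checksum. `body` may be supplied for tests."""
    if body is None:
        body = "".join(secrets.choice(BASE62) for _ in range(BODY_LEN))
    return PREFIX + body + checksum(body)


def verify_token(token: str) -> bool:
    """Cheap syntactic check, usable in a leak scanner or a pre-receive hook."""
    if not token.startswith(PREFIX):
        return False
    rest = token[len(PREFIX):]
    if len(rest) != BODY_LEN + CHECKSUM_LEN or any(c not in BASE62 for c in rest):
        return False
    return checksum(rest[:BODY_LEN]) == rest[BODY_LEN:]


# Candidate pattern for a secret scanner; the checksum filters false positives.
TOKEN_RE = re.compile(r"(?<![0-9A-Za-z])" + re.escape(PREFIX)
                      + r"[0-9A-Za-z]{%d}(?![0-9A-Za-z])" % (BODY_LEN + CHECKSUM_LEN))


def scan(text: str) -> list:
    """Return only candidates in `text` whose checksum verifies."""
    return [m for m in TOKEN_RE.findall(text) if verify_token(m)]


# Constructed sample: one real token and one lookalike with a bad checksum.
SAMPLE = "token=" + mint_token("A" * BODY_LEN) + "\nnoise: asftap-" + "B" * 36 + "\n"
```

Running `scan(SAMPLE)` returns only the minted token; the `B`-filled lookalike is dropped because its last six characters do not encode the CRC32 of its body.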
