On Sep 25, 12:02 pm, Luke Plant <l.plant...@cantab.net> wrote: > In other web apps (I think Wordpress?), there have been problems > associated with use of secret keys when the same key is used for > different purposes throughout the application. > ... > - we add unique prefixes to the SECRET_KEY for every different > place it is used. So for the e-mail confirmation link, we use > HMAC("email-confirmation" + SECRET_KEY, message) > - also add the ability to do SECRET_KEY rotation, as Simon > suggested. This suggests we want a utility wrapper around hmac > that looks like hmac(unique_key_prefix, key, message) and handles > all the above details for us.
I share your concern. In the signed.py module I address your first point by allowing an additional "extra_key" parameter: >>> signed.dumps('hello', extra_key='ultra') 'UydoZWxsbycKcDAKLg.1XYDpILo5xqSwImfa3WuJJT4RPo' >>> signed.loads(_, extra_key='ultra') 'hello' However, this is available on dumps and loads but not on sign and unsign - we should definitely implement it at those points instead. I'm going to ask on some web security mailing list about best practice for rotating keys. Do you have any further information on the WordPress problems? Cheers, Simon --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/django-developers?hl=en -~----------~----~----~----~------~----~------~--~---