Had some good feedback on news.ycombinator and programming.reddit - you can follow the threads here:
http://news.ycombinator.com/item?id=1030290 http://www.reddit.com/r/programming/comments/ald1m/calling_crypto_security_experts_help_review_the/ tptacek on news.ycombinator pointed out a timing attack based on our use of an insecure string comparison (an attack which affected Rails a while ago). We can fix that using a constant time string comparison such as this one: http://code.google.com/p/keyczar/source/diff?spec=svn414&old=411&r=414&format=unidiff&path=/trunk/python/src/keyczar/keys.py ascii on programming.reddit has convinced me to ditch the sep=":" argument and hard code the separator. Customising that doesn't feel like a feature anyone will ever need. They also repeated the advice to use SHA-256 - I think I'll almost certainly have to give up my quest for shorter signatures :( -- You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-develop...@googlegroups.com. To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.