Author: mtredinnick
Date: 2011-08-26 01:18:05 -0700 (Fri, 26 Aug 2011)
New Revision: 16693

Modified:
   django/trunk/docs/topics/signing.txt
Log:
Fixed documentation about use of salt parameter in signing functions.

Fixes #16369.

Modified: django/trunk/docs/topics/signing.txt
===================================================================
--- django/trunk/docs/topics/signing.txt        2011-08-26 06:19:30 UTC (rev 
16692)
+++ django/trunk/docs/topics/signing.txt        2011-08-26 08:18:05 UTC (rev 
16693)
@@ -78,11 +78,10 @@
 Using the salt argument
 -----------------------
 
-If you do not wish to use the same key for every signing operation in your
-application, you can use the optional ``salt`` argument to the ``Signer``
-class to further strengthen your :setting:`SECRET_KEY` against brute force
-attacks. Using a salt will cause a new key to be derived from both the salt
-and your :setting:`SECRET_KEY`::
+If you do not wish for every occurrence of a particular string to have the same
+signature hash, you can use the optional ``salt`` argument to the ``Signer``
+class. Using a salt will seed the signing hash function with both the salt and
+your :setting:`SECRET_KEY`::
 
     >>> signer = Signer()
     >>> signer.sign('My string')
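Review bot: The new opening sentence "If you do not wish for every occurrence of a particular string to have the same signature hash" reads awkwardly; suggest "If you do not want every occurrence of a particular string to have the same signature". Also, the removed lines stated the mechanism concretely ("a new key to be derived from both the salt and your SECRET_KEY") while the replacement says only that the salt "will seed the signing hash function"; if key derivation is still what ``Signer`` does, keep that wording and drop only the brute-force claim, since the derived-key phrasing tells readers exactly what the salt participates in.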
@@ -93,6 +92,14 @@
     >>> signer.unsign('My string:Ee7vGi-ING6n02gkcJ-QLHg6vFw')
     u'My string'
 
+Using salt in this way puts the different signatures into different
+namespaces.  A signature that comes from one namespace (a particular salt
+value) cannot be used to validate the same plaintext string in a different
+namespace that is using a different salt setting. The result is to prevent an
+attacker from using a signed string generated in one place in the code as input
+to another piece of code that is generating (and verifying) signatures using a
+different salt.
+
 Unlike your :setting:`SECRET_KEY`, your salt argument does not need to stay
 secret.
 
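Review bot: Double space after "namespaces." on the first added line; collapse to a single space to match the rest of the file. The last sentence ("The result is to prevent an attacker from using a signed string generated in one place in the code as input to another piece of code that is generating (and verifying) signatures using a different salt") is long and its security point gets buried; suggest splitting it, e.g. "This prevents an attacker from taking a signed string produced in one place in your code and replaying it as input to another piece of code that verifies signatures with a different salt." Minor: "Using salt in this way" should read "Using a salt in this way", matching "Using a salt will seed" in the paragraph above.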
