Why not request the salt from the server?
The server could choose whether to always use the same salt or to have rotating 
salts etc. 
The problem with specifying how to encrypt things in a public specification is 
that everybody knows how it is done, and therefore all you are doing is 
resetting the timer for hackers to figure things out. There should be something 
provided by servers that the server knows and trusts.


-Art C


On Aug 30, 2012, at 11:21 AM, Jason H wrote:

> Would it appease you if it were suggested that the standard be, that if no 
> SALT attribute is supplied on the INPUT field (zero length or not present), 
> the domain name of the ACTION attribute is used. In this way, you can 
> accomplish those consolidations and divestments between domains?
