On Fri, May 14, 2010 at 11:00 AM, Dirk Pranke <[email protected]> wrote:
> On Fri, May 14, 2010 at 1:15 AM, Maciej Stachowiak <[email protected]> wrote:
>> There are also more subtle risks to shared secrets. If you are creating your
>> secrets with a bad random number generator, then they will not in fact be
>> unguessable and you have a huge vulnerability. Even security experts can
>> make this mistake, here is an example that impacted a huge number of people:
>> <http://www.debian.org/security/2008/dsa-1571>.
>>
>
> Sure.

Is someone claiming that the CORS cookie solution does not require use of a random number generator? What's in the cookie and where did it come from? Access to a good random number generator is a requirement for either solution and so is not relevant to this discussion.

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
