I think this is a great addition to Django. I wanted to comment on some of the issues being discussed and hopefully provide a little insight into the _why_ of it all.
SHA-1 is perfectly fine for HMAC (as verified by Bruce Schneier, NIST, and several others). Here's why:

SHA-1
==========
plaintext -> SHA-1 = hash

HMAC-SHA-1
============
plaintext + key -> SHA-1 = hash

The key is --excuse the pun-- the key. The receiver of the message will use the key in the decryption process and will then be able to verify the authenticity and _integrity_ of the message. Assuming that the key exchange is safe (a completely different discussion), a collision in the hash space will not affect security in HMAC.

A collision (in a simple hash) results when random plaintext creates the same hash as the "real" plaintext. An attacker can exploit this to open an avenue into your application. Because each party has the key, this avenue is extremely unlikely to be open. If the attack is tried, the validation of the hash fails because the receiver already has the key for the message.

That being said, I would still use SHA-256... why use a weaker algorithm when a stronger one is available at almost no cost?

I don't have the mathematical proof that a truncated hash is still valid (someone jump in if they do), but the logic holds if a smaller hash is required. Because the SHA algorithm diffuses changes in the plaintext throughout the resulting hash, truncating the SHA-256 hash simply reduces the possible hash space, thus increasing the possibility of a collision. There may be other ramifications, but it's definitely worth exploring. (I'm checking out the other threads right now.)

Is the short URL requirement really required by the large community? (honest question, not trying to be an @$$) Don't most email clients (including mobile) handle multi-line URLs properly now?

Also, if you're planning on expanding the API in the future, please set up versioning now. It's a lot easier to handle when it's built in from the start.

Keep up the great work!

Mark
@marknca
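The keyed-versus-unkeyed distinction Mark draws above, and the truncation question, are easy to see in code. The following is an added example and is not part of Mark's post or of Django's own signing code: it uses HMAC-SHA-256 (as Mark suggests) via Python's standard library, truncates the tag to an assumed 16 bytes for a shorter URL, and shows that a tampered message or a wrong key fails verification while an unkeyed digest can be recomputed by anyone who sees the plaintext. The 16-byte length, the key size and the base64 URL encoding are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets

TAG_BYTES = 16  # assumed truncation length: 128-bit tag, 22 URL-safe base64 characters


def sign(key: bytes, message: bytes, tag_bytes: int = TAG_BYTES) -> bytes:
    """Return the first `tag_bytes` bytes of HMAC-SHA-256(key, message).

    Truncation only shrinks the tag space (2**(8*tag_bytes) possible tags); it does
    not help an attacker who lacks the key, since they cannot compute any tag at all.
    """
    return hmac.new(key, message, hashlib.sha256).digest()[:tag_bytes]


def verify(key: bytes, message: bytes, tag: bytes, tag_bytes: int = TAG_BYTES) -> bool:
    """Recompute the tag with the shared key and compare in constant time."""
    expected = sign(key, message, tag_bytes)
    return hmac.compare_digest(expected, tag)


def encode_for_url(message: bytes, tag: bytes) -> str:
    """Pack message and tag into a URL-safe token (assumed format: msg.tag)."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")
    return f"{enc(message)}.{enc(tag)}"


def decode_from_url(token: str) -> tuple[bytes, bytes]:
    """Inverse of encode_for_url; restores stripped padding before decoding."""
    def dec(s: str) -> bytes:
        return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    msg_part, tag_part = token.split(".", 1)
    return dec(msg_part), dec(tag_part)


def unkeyed_digest(message: bytes) -> bytes:
    """A plain hash: anyone holding the plaintext can produce it, so it proves nothing
    about who created the message. This is the 'simple hash' case in the post."""
    return hashlib.sha256(message).digest()


def forge_unkeyed(tampered_message: bytes) -> bytes:
    """An attacker with no key simply recomputes the unkeyed digest for their own text."""
    return unkeyed_digest(tampered_message)


def demo() -> dict:
    """Walk through the honest and attacker paths; returns the outcomes for inspection."""
    key = secrets.token_bytes(32)          # server-side secret, never sent to the client
    message = b"user=42&action=confirm"    # constructed sample payload

    token = encode_for_url(message, sign(key, message))
    msg, tag = decode_from_url(token)
    honest_ok = verify(key, msg, tag)

    # Attacker edits the payload; without the key the old tag no longer matches.
    tampered = b"user=43&action=confirm"
    tampered_ok = verify(key, tampered, tag)

    # Attacker guesses a key; the tag differs with overwhelming probability.
    wrong_key_ok = verify(secrets.token_bytes(32), msg, tag)

    # With an unkeyed hash the attacker's forged digest is indistinguishable from a real one.
    unkeyed_forgery_accepted = forge_unkeyed(tampered) == unkeyed_digest(tampered)

    return {
        "token": token,
        "honest_ok": honest_ok,
        "tampered_ok": tampered_ok,
        "wrong_key_ok": wrong_key_ok,
        "unkeyed_forgery_accepted": unkeyed_forgery_accepted,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The remaining risk of truncation is a blind guess at the tag: with a 16-byte tag an attacker must try on the order of 2**128 values, which is why the URL-length trade-off is usually made by shortening the tag rather than weakening the key or the hash. `hmac.compare_digest` is used so the comparison does not leak how many leading bytes matched.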