Re: Query regarding the security token

Thu, 22 May 2008 22:22:10 -0700 

Hi Chris,

I have one more query. If we encrypt our token, then is it like it should be 
encrypted in a specific format only, if yes then whats the format? Is the 
format used in the file BasicBlobCrypter the standard one and we should follow 
that only?

Regards,
      Lini Haridas
      Software Engineer

      [EMAIL PROTECTED] 
      Clarion Technologies
      SEI CMMI Level 3 Company

      4th Floor, Great Eastern Plaza, 
      Airport Road, 
      Pune- 411 006,
      Maharashtra, India. 
      Phone: +91 20 66020289
      Mobile: +91 9823435917
      www.clariontechnologies.co.in 
 
----- Original Message ----- 
From: "Brian Eaton" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, May 23, 2008 12:45 AM
Subject: Re: Query regarding the security token


> On Thu, May 22, 2008 at 9:27 AM, Gary Helmling <[EMAIL PROTECTED]> wrote:
>> All that encryption adds is hiding the values themselves (owner id,
>> viewer id, module id, app id, domain, app url), which given the values
>> and the fact that they're probably available in many other ways, I'm
>> wondering what the benefit of hiding those is.
> 
> You are absolutely correct that integrity is essential for the token,
> and encryption may be optional.
> 
> As an example of why encryption may be useful consider Google: we have
> internal identifiers for users that we keep secret.  We are willing to
> give gadgets an opaque identifier for the user, but not our real
> internal identifier.
> 
> I suggest that everyone encrypt this token, for the following reasons:
> - opacity of the token keeps gadgets from making unsafe assumptions
> about token format.
> - sometimes there is confidential information in the token.
> - encryption is easy and cheap.  There is no down side.
> 
> If you have some particular environment where you can't use encryption
> for the token, that's fine, but please be cautious about recommending
> that other people not encrypt.  They are not necessarily working in
> your environment.
> 
> Cheers,
> Brian
> 
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Reply via email to