Robert Quattlebaum wrote:
>
> On Jan 31, 2008, at 10:08 AM, Peter Saint-Andre wrote:
>> We can specify that a session ID must be a UUID. I think that's a good
>> idea.
>
> While I think using UUID's in general is a great idea, just keep in mind
> that traditional UUID calculation implementations have security concerns
> because they leak the MAC address of the primary network card. If you
> are going to explicitly encourage the use of UUID's, I think you should
> explicitly recommend against using UUID generation methods which would
> leak such information.

Oh yes we've discussed that issue before. :)

/psa
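The MAC address leak raised in this thread comes from version 1 (time-based) UUIDs, whose 48-bit node field carries the network card address. The following is an added example, not part of the original messages: a check that accepts only version 4 session IDs and reports what a version 1 ID exposes. The function names and the accept-only-version-4 policy are assumptions made for illustration.

```python
import uuid

def audit_session_id(value):
    """Return (accepted, reason) for a candidate session ID string.

    Assumed policy for this example: only random (version 4) UUIDs pass.
    """
    try:
        u = uuid.UUID(value)
    except (ValueError, AttributeError, TypeError):
        return False, "not a UUID"
    if u.variant != uuid.RFC_4122:
        return False, "not an RFC 4122 UUID"
    if u.version == 4:
        return True, "version 4 (random)"
    if u.version == 1:
        # The node field is the low 48 bits. RFC 4122 says a generator
        # with no hardware address uses a random node and sets the
        # multicast bit (lowest bit of the first octet) to mark it.
        first_octet = (u.node >> 40) & 0xFF
        if first_octet & 0x01:
            return False, "version 1 with random node (multicast bit set)"
        mac = ":".join(f"{(u.node >> s) & 0xFF:02x}" for s in range(40, -1, -8))
        return False, f"version 1, node field exposes MAC {mac}"
    return False, f"version {u.version} not accepted"

def new_session_id():
    """Generate a session ID that carries no host information."""
    return str(uuid.uuid4())

if __name__ == "__main__":
    # Constructed samples: the node values below are made up.
    samples = [
        str(uuid.uuid1(node=0x001122334455, clock_seq=0x1234)),
        str(uuid.uuid1(node=0x010000000001, clock_seq=0x1234)),
        new_session_id(),
        "not-a-uuid",
    ]
    for s in samples:
        print(s, audit_session_id(s))
```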
