On 1/27/2014, 9:46 AM, Nick Alexander wrote:
Sync relaunch clients need to provide the X-Client-State header to the token server in order to not hit HMAC errors on key changes. We need to do this, it needs to be secure, but we can't version it client-side. Whee!

From the token server docs:

**X-Client-State** An optional base64-urlsafe string, up to 32 characters long, that can be sent to identify a unique configuration of client-side state. A change in the value of this header will cause the user's node allocation to be reset. Clients should include any client-side state that is necessary for accessing the selected app.

Initial put

How about HKDF(kB, salt=emailUTF8, context=KW("X-Client-State"), 16)?
Oops, I mean the base64-urlsafe encoding of these 16 bytes.

Nick

_______________________________________________
Sync-dev mailing list
https://mail.mozilla.org/listinfo/sync-dev
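The derivation proposed in the message above, worked through as an added example (not code from the original post or from the Sync or token server projects). It assumes HKDF is RFC 5869 with HMAC-SHA256, that `KW(name)` prepends the Firefox Accounts namespace string `identity.mozilla.com/picl/v1/`, and that base64 padding is stripped; the kB values and e-mail address are constructed.

```python
import base64
import hashlib
import hmac

def kw(name: str) -> bytes:
    # Assumption: KW() namespaces the context string as in the FxA key
    # derivation docs; the message itself does not define it.
    return b"identity.mozilla.com/picl/v1/" + name.encode("utf-8")

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract, then expand) using HMAC-SHA256."""
    if length > 255 * 32:
        raise ValueError("requested output too long for HKDF-SHA256")
    # Extract: an empty salt is replaced by HashLen zero bytes.
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    # Expand: T(n) = HMAC(PRK, T(n-1) || info || n)
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def client_state(kb: bytes, email: str) -> str:
    """HKDF(kB, salt=emailUTF8, context=KW("X-Client-State"), 16), base64-urlsafe."""
    raw = hkdf_sha256(kb, email.encode("utf-8"), kw("X-Client-State"), 16)
    # 16 bytes encode to 24 characters with "==" padding, 22 without;
    # stripping the padding is an assumption made here.
    value = base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    if len(value) > 32:
        raise ValueError("value exceeds the token server's 32-character limit")
    return value

if __name__ == "__main__":
    email = "user@example.com"        # constructed sample address
    kb_before = bytes(range(32))      # constructed kB before a key change
    kb_after = bytes(range(1, 33))    # constructed kB after a key change
    before = client_state(kb_before, email)
    after = client_state(kb_after, email)
    print("before key change:", before)
    print("after key change: ", after)
    # A different header value is what makes the token server reset the
    # node allocation instead of the client hitting HMAC errors.
    print("value changed:", before != after)
```

Because the header is a one-way derivation of kB under a dedicated context string, the token server sees a value that tracks key changes without receiving kB itself.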

