Turns out that I need a PKI for meet requirement... HMAC with password can help but it not an electronic signature just part of the design depend of the design...
:( Richard On Tue, Apr 28, 2015 at 8:58 PM, Derek <[email protected]> wrote: > that would do it... but only the user could check the validity. > > > On Tuesday, April 28, 2015 at 3:19:03 PM UTC-7, Niphlod wrote: >> >> I meant an hmac with the user supplying the key, of course. That puts you >> on the safe-side of db admin tampering. >> >> On Tuesday, April 28, 2015 at 11:32:47 PM UTC+2, Derek wrote: >>> >>> I'd have to agree, put the user account (email, username, whatever) and >>> the fields all together, calculate hmac on that, and store it. If someone >>> changes the data, the hmac won't match and you'll see it's not valid. Of >>> course, an admin could just go in and modify the hmac signature after >>> updating the record... so you aren't protecting yourself from a malicious >>> administrator with the hmac case. >>> >>> -- > Resources: > - http://web2py.com > - http://web2py.com/book (Documentation) > - http://github.com/web2py/web2py (Source code) > - https://code.google.com/p/web2py/issues/list (Report Issues) > --- > You received this message because you are subscribed to the Google Groups > "web2py-users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. > -- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
