From andrewm at object-craft.com.au Wed Feb 13 20:34:14 2002
From: andrewm at object-craft.com.au (Andrew McNamara)
Date: Wed, 13 Feb 2002 20:34:14 +1100
Subject: [albatross-users] Test message #2
Message-ID: <20020213093414.C99AA38DD5@coffee.object-craft.com.au>

Testing - ignore me.

-- 
Andrew McNamara, Senior Developer, Object Craft
http://www.object-craft.com.au/


From andrewm at object-craft.com.au Thu Feb 21 10:34:05 2002
From: andrewm at object-craft.com.au (Andrew McNamara)
Date: Thu, 21 Feb 2002 10:34:05 +1100
Subject: [albatross-users] Re: [Fwd: HTTP state management without cookies?]
In-Reply-To: Your message of "Thu, 21 Feb 2002 04:18:52 +1100." <3C73DA7C.F2F3E054@optushome.com.au>
Message-ID: <20020220233405.9F08C38F36@coffee.object-craft.com.au>

[BTW, we've set up an albatross-users mailing list - go to the Albatross
home page to subscribe: http://www.object-craft.com.au/projects/albatross/

>Pls see reference to AuthCookie in the M2Crypto module in the attached
>msg - useful for Albatross?

Yep - I had a look at this about a week ago.

It suffers the same problem as a lot of other crypto stuff: export
restrictions and patents. In this case, there is functionality they
require from openssl that is often disabled in US-sourced systems.

While that's another good reason to avoid RedHat, it doesn't really help
the new Albatross user - discovering that they not only need to download
M2Crypto, but also rebuild and install openssl from source before they
can use Albatross is going to be daunting - they're likely to give up
before they start.

And making security an optional extra makes all of us nervous - someone,
eventually, will misunderstand, rely on the weak security, and get burnt.

We do, in fact, need a more portable method of generating secure session
ids (/dev/urandom is probably fine when it's available, but not so
useful for Windows users). Maybe the cookie stuff can be extracted from
M2Crypto (or, at least, their technique for generating good session keys
utilised).

-- 
Andrew McNamara, Senior Developer, Object Craft
http://www.object-craft.com.au/


From djc at object-craft.com.au Thu Feb 21 21:10:48 2002
From: djc at object-craft.com.au (Dave Cole)
Date: 21 Feb 2002 21:10:48 +1100
Subject: [albatross-users] Re: HTTP state management without cookies?
In-Reply-To: <20020220233405.9F08C38F36@coffee.object-craft.com.au>
References: <20020220233405.9F08C38F36@coffee.object-craft.com.au>
Message-ID:

>>>>> "Andrew" == Andrew McNamara writes:

Andrew> [BTW, we've set up an albatross-users mailing list - go to the
Andrew> Albatross home page to subscribe:
Andrew> http://www.object-craft.com.au/projects/albatross/

>> Pls see reference to AuthCookie in the M2Crypto module in the
>> attached msg - useful for Albatross?

Andrew> Yep - I had a look at this about a week ago.

Andrew> It suffers the same problem as a lot of other crypto stuff:
Andrew> export restrictions and patents. In this case, there is
Andrew> functionality they require from openssl that is often disabled
Andrew> in US-sourced systems.

Andrew> While that's another good reason to avoid RedHat, it doesn't
Andrew> really help the new Albatross user - discovering that they not
Andrew> only need to download M2Crypto, but also rebuild and install
Andrew> openssl from source before they can use Albatross is going to
Andrew> be daunting - they're likely to give up before they start.

Andrew> And making security an optional extra makes all of us nervous
Andrew> - someone, eventually, will misunderstand, rely on the weak
Andrew> security, and get burnt.

Andrew> We do, in fact, need a more portable method of generating
Andrew> secure session ids (/dev/urandom is probably fine when it's
Andrew> available, but not so useful for Windows users). Maybe the
Andrew> cookie stuff can be extracted from M2Crypto (or, at least,
Andrew> their technique for generating good session keys utilised).

Andrew and I discussed this and decided that the most simple solution
would be to use a secret (like the MD5 pickle signing secret) in the
session server to modify the time used to seed the random number
generator.

- Dave

-- 
http://www.object-craft.com.au
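As an added example (not code from this thread or from Albatross), a portable session-id generator and a signed session payload in modern Python: os.urandom provides the operating system's CSPRNG on both Unix and Windows, so no time-based seeding is needed, and HMAC-SHA256 (chosen here in place of the MD5 signing mentioned above) lets the server detect a tampered cookie. The secret handling, payload layout and sample session values are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import os

SESSION_ID_BYTES = 16    # 128 bits of entropy per session id
SIGNATURE_HEX_LEN = 64   # length of a hex-encoded HMAC-SHA256 tag


def new_session_id(nbytes=SESSION_ID_BYTES):
    """Return a URL-safe session id drawn from the OS CSPRNG (os.urandom)."""
    raw = os.urandom(nbytes)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_session(secret, session):
    """Serialise a session dict and append an HMAC-SHA256 tag keyed with `secret`."""
    body = json.dumps(session, sort_keys=True).encode("utf-8")
    payload = base64.urlsafe_b64encode(body).decode("ascii")  # alphabet has no '.'
    tag = hmac.new(secret, payload.encode("ascii"), hashlib.sha256).hexdigest()
    return payload + "." + tag


def load_session(secret, cookie):
    """Verify the tag in constant time; return the session dict, or None if rejected."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep or len(tag) != SIGNATURE_HEX_LEN:
        return None                      # malformed: no separator or wrong tag size
    expected = hmac.new(secret, payload.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None                      # wrong secret or modified payload
    try:
        return json.loads(base64.urlsafe_b64decode(payload.encode("ascii")))
    except ValueError:                   # covers binascii.Error and JSONDecodeError
        return None


if __name__ == "__main__":
    # Hypothetical server-side secret: generated once, never sent to the client.
    secret = os.urandom(32)
    sid = new_session_id()
    cookie = sign_session(secret, {"sid": sid, "user": "alice"})  # constructed sample
    assert load_session(secret, cookie) == {"sid": sid, "user": "alice"}
    # Flipping one payload character invalidates the tag.
    tampered = ("A" if cookie[0] != "A" else "B") + cookie[1:]
    assert load_session(secret, tampered) is None
    assert load_session(b"some-other-secret", cookie) is None
    print("session id:", sid)
```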