- From: Tyler Close <tyler.close@gmail.com>
- Date: Fri, 14 May 2010 11:20:54 -0700
- To: Dirk Pranke <dpranke@chromium.org>
- Cc: Maciej Stachowiak <mjs@apple.com>, public-webapps <public-webapps@w3.org>
On Fri, May 14, 2010 at 11:00 AM, Dirk Pranke <dpranke@chromium.org> wrote:
> On Fri, May 14, 2010 at 1:15 AM, Maciej Stachowiak <mjs@apple.com> wrote:
>> There are also more subtle risks to shared secrets. If you are creating your
>> secrets with a bad random number generator, then they will not in fact be
>> unguessable and you have a huge vulnerability. Even security experts can
>> make this mistake, here is an example that impacted a huge number of people:
>> <http://www.debian.org/security/2008/dsa-1571>.
>>
>
> Sure.

Is someone claiming that the CORS cookie solution does not require use of a random number generator? What's in the cookie and where did it come from?

Access to a good random number generator is a requirement for either solution and so is not relevant to this discussion.

--Tyler

--
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Friday, 14 May 2010 18:21:28 UTC