(Pardon the crossposting.) Hi,

I'm building a web app which, rather typically of web apps, constructs URLs on the fly. A URL concocted by my app looks like this:

    https://whatever/object?action=something&expiry=timeval&cap=XXYYZZ

The "cap" at the end is supposed to be a capability. ;-)

One of my major objectives in this particular development effort is to make it easy to automate the blackbox testing of my app. I imagine URLs such as the above make it so: I can have code that invokes the above URL without regard to the rest of the system. (Does this make my app buzzword-compliant with REST, too? ;-)

I'm creating the capability thusly:

    cap = hmac-sha1(key, "/object?action=something&expiry=timeval")

My questions:

1. Is the construction of the "cap" string ok? Should I stir other info in? (The expiry timeval provides the temporal information.)
2. The key is created from /dev/random. How long should it be? In my threat model, the key changes every few hours.
3. Any other thoughts?

TIA. Cheers.

-- 
Ng Pheng Siong <[EMAIL PROTECTED]> * http://www.netmemetic.com

---------------------------------------------------------------------
The Cryptography Mailing List
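The construction asked about in the post, as an added example that is not the author's code: it mints a URL whose "cap" is hmac-sha1 over the path, action and expiry exactly as described, and shows the verification side the post does not spell out (recompute over the same canonical string, compare in constant time, then check expiry). It assumes a hex-encoded digest, an integer Unix-time expiry, os.urandom as the stand-in for /dev/random, and a 20-byte key chosen for the example only, not as an answer to question 2.

```python
import hmac
import hashlib
import os
import time
from urllib.parse import urlencode, urlsplit, parse_qsl

# Hypothetical secret: os.urandom reads the OS CSPRNG (the /dev/random role in
# the post). The 20-byte length is an assumption for this example only.
SECRET_KEY = os.urandom(20)


def canonical_string(path, action, expiry):
    # The exact string the HMAC covers. Minting and verification must build it
    # identically, so every authorised parameter plus the expiry is included and
    # the cap itself is not.
    return f"{path}?{urlencode({'action': action, 'expiry': int(expiry)})}"


def mint_url(key, base, path, action, lifetime_seconds, now=None):
    # Issue a capability URL valid for lifetime_seconds from 'now' (Unix time).
    now = time.time() if now is None else now
    expiry = int(now) + lifetime_seconds
    msg = canonical_string(path, action, expiry).encode()
    cap = hmac.new(key, msg, hashlib.sha1).hexdigest()
    return f"{base}{path}?{urlencode({'action': action, 'expiry': expiry, 'cap': cap})}"


def verify_url(key, url, now=None):
    # Returns (ok, reason). Any tampering with path, action or expiry changes
    # the recomputed digest, so it fails as "bad cap" before expiry is consulted.
    now = time.time() if now is None else now
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    try:
        action, expiry, cap = params["action"], int(params["expiry"]), params["cap"]
    except (KeyError, ValueError):
        return False, "malformed"
    msg = canonical_string(parts.path, action, expiry).encode()
    expected = hmac.new(key, msg, hashlib.sha1).hexdigest()
    # Constant-time comparison so verification timing does not leak the digest.
    if not hmac.compare_digest(expected, cap):
        return False, "bad cap"
    if now >= expiry:
        return False, "expired"
    return True, "ok"
```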
