Apps Messaging: security
Mark Taylor
m.b.taylor at bristol.ac.uk
Tue Apr 10 05:31:05 PDT 2007
On Tue, 10 Apr 2007, John Taylor wrote:
>> It is probably wise to make that information available, for instance
>> there may be messages which pass around the public IDs of an application
>> which originated a data object, and the originating application might
>> need to identify itself in this context. In which case it looks like
>>
>> (secret-id,public-id) = register*(hub-secret)
>>
>
> Yes, that's probably better than providing a
>
> public-id=getPublicId(secret-id)
>
> which would be vulnerable to brute force. Alternatively, we could define the

Actually that would be OK, and maybe tidier - we're vulnerable to
brute force in any case (app.exec(secret-id,args="rm -r .")).
We can just recommend that secret-ids ought to be hard to guess.

> public id of an app to be a digest of the private id. Too complicated?

Neat, but would require access to MD5 libraries or whatever in application
code which is undesirable.

--
Mark Taylor Astronomical Programmer Physics, Bristol University, UK
m.b.taylor at bris.ac.uk +44-117-928-8776 http://www.star.bris.ac.uk/~mbt/
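
The two schemes discussed in this message, sketched as an added example that is not part of the original post or of any hub implementation: registration that returns a (secret-id, public-id) pair with a hard-to-guess secret-id, a getPublicId-style lookup, and the digest-derived public id. The names `Hub`, `register`, `get_public_id`, `digest_public_id` and the `client-N` id format are hypothetical, and SHA-256 is used here in place of the MD5 mentioned in the thread.

```python
import hashlib
import hmac
import secrets


class Hub:
    """Toy hub (hypothetical): issues (secret-id, public-id) pairs."""

    def __init__(self, hub_secret: str):
        self._hub_secret = hub_secret
        self._clients = {}  # sha256(secret-id) -> public-id
        self._counter = 0

    def register(self, hub_secret: str):
        # Only callers that know the hub secret may register.
        ok = hmac.compare_digest(hub_secret.encode(), self._hub_secret.encode())
        if not ok:
            raise PermissionError("bad hub secret")
        # 32 bytes from the OS CSPRNG: a "hard to guess" secret-id.
        secret_id = secrets.token_urlsafe(32)
        # The public-id is assigned independently of the secret-id, so
        # passing it around in messages reveals nothing about the secret.
        self._counter += 1
        public_id = f"client-{self._counter}"
        self._clients[self._key(secret_id)] = public_id
        return secret_id, public_id

    def get_public_id(self, secret_id: str):
        # getPublicId(secret-id) variant: a wrong guess gets no answer, so
        # it is only as exposed to guessing as any other secret-id call.
        return self._clients.get(self._key(secret_id))

    @staticmethod
    def _key(secret_id: str) -> str:
        # The hub stores a digest rather than the raw secret-id.
        return hashlib.sha256(secret_id.encode()).hexdigest()


def digest_public_id(secret_id: str) -> str:
    """Digest variant: public id computed from the secret id.

    No hub round trip is needed, but the application needs a hash
    library, and the public id is only as hard to invert as the
    secret-id is hard to guess, since guesses can be hashed offline.
    """
    return hashlib.sha256(secret_id.encode()).hexdigest()[:16]
```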