[11610] in cryptography@c2.net mail archive
Constructing "capability" URLs
daemon@ATHENA.MIT.EDU (Ng Pheng Siong)
Wed Sep 4 11:27:11 2002
Date: Wed, 4 Sep 2002 13:53:49 +0800
From: Ng Pheng Siong <ngps@netmemetic.com>
To: cryptography@wasabisystems.com, e-lang@mail.eros-os.org
(Pardon the crossposting.)
Hi,
I'm building a web app which, rather typically of web apps, constructs
URLs on the fly.
A URL concocted by my app looks like this:
https://whatever/object?action=something&expiry=timeval&cap=XXYYZZ
The "cap" at the end is supposed to be a capability. ;-)
One of my major objectives in this particular development effort is to
make it easy to automate the blackbox testing of my app. I imagine
URLs such as the above make it so: I can have code that invokes the
above URL without regard to the rest of the system.
(Does this make my app buzzword-compliant with REST, too? ;-)
I'm creating the capability thusly:
cap = hmac-sha1(key, "/object?action=something&expiry=timeval")
My questions:
1. Is the construction of the "cap" string ok? Should I stir other
info in? (The expiry timeval provides the temporal information.)
2. The key is created from /dev/random. How long should it be? In my
threat model, the key changes every few hours.
3. Any other thoughts?
TIA. Cheers.
--
Ng Pheng Siong <ngps@netmemetic.com> * http://www.netmemetic.com
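As an added illustration of the scheme described in the post (this is not code from the poster or from the list), here is one way to issue and verify a URL of the form `/object?action=...&expiry=...&cap=hmac-sha1(key, ...)`. The base URL, path, parameter names, and the 32-byte `os.urandom` key are assumptions standing in for the poster's values; the verifier canonicalises the query before recomputing the MAC, checks the expiry, compares digests in constant time, and accepts a list of keys so that URLs issued shortly before a key rotation remain valid until they expire.

```python
import hashlib
import hmac
import os
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

# Hypothetical secret standing in for the key the post draws from /dev/random.
# os.urandom is the portable equivalent; 32 bytes is ample for HMAC-SHA1
# (RFC 2104 recommends a key at least as long as the 20-byte hash output).
KEY = os.urandom(32)


def canonical_target(path, params):
    """The exact string both issuer and verifier MAC: the path plus the
    query parameters in a fixed (sorted) order, so reordering the query on
    the wire neither breaks nor bypasses the check."""
    return path + "?" + urlencode(sorted(params.items()))


def make_cap(key, path, params):
    """cap = hmac-sha1(key, "/object?action=...&expiry=..."), hex encoded."""
    msg = canonical_target(path, params).encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()


def build_url(key, base, path, action, ttl_seconds, now=None):
    """Issue a capability URL valid for ttl_seconds from `now` (unix time)."""
    now = int(time.time()) if now is None else now
    params = {"action": action, "expiry": str(now + ttl_seconds)}
    params["cap"] = make_cap(key, path, params)   # MAC covers action + expiry
    return base + path + "?" + urlencode(sorted(params.items()))


def verify_url(keys, url, now=None):
    """Check a presented URL. `keys` lists every key still accepted, current
    key first, so URLs issued just before a rotation keep working until
    they expire. Returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    names = [name for name, _ in pairs]
    if len(names) != len(set(names)):
        return False, "duplicate parameter"   # refuse ambiguous queries
    params = dict(pairs)
    cap = params.pop("cap", None)
    if cap is None:
        return False, "missing cap"
    try:
        expiry = int(params.get("expiry", ""))
    except ValueError:
        return False, "bad expiry"
    if now >= expiry:
        return False, "expired"               # cheap check before the MAC
    for key in keys:
        expected = make_cap(key, parts.path, params)
        if hmac.compare_digest(expected, cap):   # constant-time comparison
            return True, "ok"
    return False, "bad cap"


if __name__ == "__main__":
    url = build_url(KEY, "https://whatever", "/object", "something", 3600)
    print(url)
    print(verify_url([KEY], url))
    print(verify_url([KEY], url.replace("action=something", "action=other")))
```

Because the MAC is computed over the path and every non-`cap` parameter, changing `action` or `expiry` invalidates the capability, and because the verifier sorts parameters before recomputing, a client that reorders the query string is still accepted. Keeping the previous key in the accepted list for one expiry window is what makes the "key changes every few hours" policy workable without cutting off URLs handed out just before the change.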
---------------------------------------------------------------------
The Cryptography Mailing List