Posted to dev@tapestry.apache.org by Howard Lewis Ship <hl...@gmail.com> on 2012/10/06 03:01:20 UTC

HMAC in 5.3.6

Nope, not in a hurry.  Maybe run the vote on Monday.



On Fri, Oct 5, 2012 at 4:49 PM, Bob Harner <bo...@gmail.com> wrote:
> Howard,
>
> Although I'm with Massimo on the random HMAC pass phrase, I don't
> think the question should hold up a release. Having *some* HMAC
> solution in place soon is important.

I think having a random key is going to give people a false sense of
security ("look, I don't even need to configure anything") and then
big headaches ("why do some of my forms blow up with this HMAC
thing?").

The current solution runs, but emits the error that things could be more secure.

I'm really thinking about using the AlertManager to force this into
the developer's face.

>
> I should be committing a few minor javadoc changes this weekend
> (finishing up TAP5-1735, the "package-info.java" files), but if you're
> in a hurry don't wait for me.
>
> On Thu, Oct 4, 2012 at 6:24 PM, Massimo Lusetti <ml...@gmail.com> wrote:
>> On Fri, Oct 5, 2012 at 12:18 AM, Howard Lewis Ship <hl...@gmail.com> wrote:
>>
>>> I think it might be time for a 5.3.6. This is what I'm showing as fixed:
>>
>>>     * [TAP5-2008] - Serialized object data stored on the client should
>>> be HMAC signed and validated
>>
>> Please read my other on the HMAC signature before starting the release.
>>
>> Cheers
>> --
>> Massimo
>> http://meridio.blogspot.com
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tapestry.apache.org
>> For additional commands, e-mail: dev-help@tapestry.apache.org
>>
>



-- 
Howard M. Lewis Ship

Creator of Apache Tapestry

The source for Tapestry training, mentoring and support. Contact me to
learn how I can get you up and productive in Tapestry fast!

(971) 678-5210
http://howardlewisship.com

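As an added illustration of the mechanism this thread is about (example code written for this page, not Tapestry's own implementation and not from any message above), the class below HMAC-signs a blob of serialized object data before it is sent to the client and validates it on the way back, using a constant-time comparison. Its main() shows the two cases the thread argues over: a tampered token is rejected, and a token issued under a per-process random key is also rejected by a second process (the "why do some of my forms blow up" headache after a restart or on another cluster node). The passphrase value, the payload and the class name are constructed for the example; it assumes Java 8 or later for java.util.Base64.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not Tapestry code): HMAC-sign serialized object data that is
 * stored on the client, and validate it when it comes back in a request.
 * Token layout: base64url(data) + "." + base64url(HMAC-SHA256(key, data)).
 */
public final class ClientDataSigner {

    private static final String ALGORITHM = "HmacSHA256";
    private final byte[] key;

    public ClientDataSigner(byte[] key) {
        if (key == null || key.length == 0) {
            throw new IllegalArgumentException("HMAC key must not be empty");
        }
        this.key = key.clone();
    }

    /** Key that lives only as long as this process: unguessable, but not shared across restarts or nodes. */
    public static ClientDataSigner withRandomKey() {
        byte[] k = new byte[32];
        new SecureRandom().nextBytes(k);
        return new ClientDataSigner(k);
    }

    /** Key taken from a configured passphrase; a guessable value (such as a package name) gives no real protection. */
    public static ClientDataSigner withPassphrase(String passphrase) {
        return new ClientDataSigner(passphrase.getBytes(StandardCharsets.UTF_8));
    }

    /** Produces the token that is safe to hand to the client. */
    public String sign(byte[] data) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(data) + "." + enc.encodeToString(mac(data));
    }

    /** Returns the original data, or null if the token is malformed or its MAC does not match. */
    public byte[] verify(String token) {
        int dot = token.lastIndexOf('.');
        if (dot < 0) {
            return null;
        }
        byte[] data;
        byte[] sig;
        try {
            Base64.Decoder dec = Base64.getUrlDecoder();
            data = dec.decode(token.substring(0, dot));
            sig = dec.decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null; // not valid base64url: reject without touching the payload
        }
        // Constant-time comparison, so the MAC cannot be recovered byte by byte via timing.
        return MessageDigest.isEqual(mac(data), sig) ? data : null;
    }

    private byte[] mac(byte[] data) {
        try {
            Mac mac = Mac.getInstance(ALGORITHM);
            mac.init(new SecretKeySpec(key, ALGORITHM));
            return mac.doFinal(data);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        byte[] payload = "serialized-form-state".getBytes(StandardCharsets.UTF_8); // constructed sample

        // Key set explicitly by the application (assumed value for the example).
        ClientDataSigner configured = withPassphrase("example-secret-from-configuration");
        String token = configured.sign(payload);
        System.out.println("round trip ok:      " + (configured.verify(token) != null));

        // Flipping one character of the data half changes the bytes and so the MAC no longer matches.
        String tampered = (token.charAt(0) == 'A' ? "B" : "A") + token.substring(1);
        System.out.println("tamper rejected:    " + (configured.verify(tampered) == null));

        // The "forms blow up" case: a token issued by one process with a random key is
        // rejected by another process (second node, or the same app after a restart).
        String issuedBeforeRestart = withRandomKey().sign(payload);
        boolean rejected = withRandomKey().verify(issuedBeforeRestart) == null;
        System.out.println("random key, other process rejects: " + rejected);
    }
}
```

The design point behind both sides of the argument shows up in the two factories: withRandomKey() gives a key nobody can guess but only this JVM knows, so any state signed before a restart or on another node fails validation; withPassphrase() with a value every operator shares survives restarts, but only protects anything if the configured value is actually secret rather than a default that can be read off the application's class names.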


Re: HMAC in 5.3.6

Posted by Massimo Lusetti <ml...@gmail.com>.
On Mon, Oct 8, 2012 at 7:27 PM, Howard Lewis Ship <hl...@gmail.com> wrote:

> I've committed these changes
> - Default HMAC password is the application root package (so at least
> each app will have a different value)
> - AlertManager.error() called as well as logger.error()

Thank you

Cheers
-- 
Massimo



Re: HMAC in 5.3.6

Posted by Howard Lewis Ship <hl...@gmail.com>.
I've committed these changes
- Default HMAC password is the application root package (so at least
each app will have a different value)
- AlertManager.error() called as well as logger.error()

On Sat, Oct 6, 2012 at 3:21 PM, Massimo Lusetti <ml...@gmail.com> wrote:
> On Sat, Oct 6, 2012 at 3:01 AM, Howard Lewis Ship <hl...@gmail.com> wrote:
>
>>> Although I'm with Massimo on the random HMAC pass phrase, I don't
>>> think the question should hold up a release. Having *some* HMAC
>>> solution in place soon is important.
>>
>> I think having a random key is going to give people a false sense of
>> security ("look, I don't even need to configure anything") and then
>> big headaches ("why do some of my forms blow up with this HMAC
>> thing?").
>
> I don't want to transform this into a "bikeshed color" discussion but
> having a random key or something along that way is far more secure
> than the current default.
>
>> The current solution runs, but emits the error that things could be more secure.
>
> To my eyes this is a "false sense of security"
>
>> I'm really thinking about using the AlertManager to force this into
>> the developer's face.
>
> I'd vote for that.
>
> Cheers
> --
> Massimo
> http://meridio.blogspot.com
>
>





Re: HMAC in 5.3.6

Posted by Massimo Lusetti <ml...@gmail.com>.
On Sat, Oct 6, 2012 at 3:01 AM, Howard Lewis Ship <hl...@gmail.com> wrote:

>> Although I'm with Massimo on the random HMAC pass phrase, I don't
>> think the question should hold up a release. Having *some* HMAC
>> solution in place soon is important.
>
> I think having a random key is going to give people a false sense of
> security ("look, I don't even need to configure anything") and then
> big headaches ("why do some of my forms blow up with this HMAC
> thing?").

I don't want to transform this into a "bikeshed color" discussion but
having a random key or something along that way is far more secure
than the current default.

> The current solution runs, but emits the error that things could be more secure.

To my eyes this is a "false sense of security"

> I'm really thinking about using the AlertManager to force this into
> the developer's face.

I'd vote for that.

Cheers
-- 
Massimo
http://meridio.blogspot.com
