[WEB SECURITY] standards for session tokens

Brian Eaton eaton.lists at gmail.com
Mon Dec 4 15:16:02 EST 2006


On 12/1/06, Randall Hansen <randall at raan.net> wrote:
> I think that's a nice idea, but the bottom line is that storing
> encrypted credentials on the client requires trusting that client.
> That's the root of many security problems, and is IMHO intractable.

It requires trusting your cryptography more than it requires trusting
the client.  No comment on whether that still makes the problem
intractable.  =)

Regards,
Brian

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
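
The point made in the reply above, that a credential held by the client rests on the server's cryptography rather than on the client's good behaviour, can be shown with a sealed session token. This is an added example, not code from the thread; the function names, the choice of AES-256-GCM, the 15-minute lifetime and the sample state are all assumptions made for illustration.

```javascript
// Added example: an AES-256-GCM sealed session token (names and data are constructed).
const crypto = require("node:crypto");

// Server-side secret; it never leaves the server. Generated per process for this demo.
const SERVER_KEY = crypto.randomBytes(32);

// Seal session state into an opaque token: base64url(nonce || tag || ciphertext).
function sealSession(state, key = SERVER_KEY, now = Date.now()) {
  const nonce = crypto.randomBytes(12); // fresh 96-bit nonce for every token
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
  const body = JSON.stringify({ ...state, exp: now + 15 * 60 * 1000 });
  const ct = Buffer.concat([cipher.update(body, "utf8"), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]).toString("base64url");
}

// Open a token received from the client. Returns the state, or null if the
// token is malformed, was modified, was sealed under another key, or has expired.
function openSession(token, key = SERVER_KEY, now = Date.now()) {
  try {
    const raw = Buffer.from(String(token), "base64url");
    if (raw.length < 12 + 16 + 1) return null;
    const decipher = crypto.createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
    decipher.setAuthTag(raw.subarray(12, 28));
    const body = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    const state = JSON.parse(body.toString("utf8"));
    return typeof state.exp === "number" && state.exp > now ? state : null;
  } catch {
    return null; // authentication failed: treat the token as hostile input
  }
}

// Flip one bit of the ciphertext, standing in for a client that edits its own cookie.
function flipBit(token) {
  const raw = Buffer.from(token, "base64url");
  raw[raw.length - 1] ^= 0x01;
  return raw.toString("base64url");
}

function demo() {
  const token = sealSession({ user: "alice", role: "user" }); // constructed sample state
  return {
    intact: openSession(token),
    tampered: openSession(flipBit(token)),
    wrongKey: openSession(token, crypto.randomBytes(32)),
    expired: openSession(token, SERVER_KEY, Date.now() + 16 * 60 * 1000),
  };
}
```

The client stores and returns the token but can neither read nor alter it without the server key; what remains to be trusted is the key handling and the cipher, and a stolen token still replays until it expires.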


