Constructing "capability" URLs
Ng Pheng Siong
ngps at netmemetic.com
Wed Sep 4 01:53:49 EDT 2002
(Pardon the crossposting.)
Hi,
I'm building a web app which, rather typically of web apps, constructs
URLs on the fly.
A URL concocted by my app looks like this:
https://whatever/object?action=something&expiry=timeval&cap=XXYYZZ
The "cap" at the end is supposed to be a capability. ;-)
One of my major objectives in this particular development effort is to
make it easy to automate the blackbox testing of my app. I imagine
URLs such as the above make it so: I can have code that invokes the
above URL without regard to the rest of the system.
(Does this make my app buzzword-compliant with REST, too? ;-)
I'm creating the capability thusly:
cap = hmac-sha1(key, "/object?action=something&expiry=timeval")
My questions:
1. Is the construction of the "cap" string ok? Should I stir other
info in? (The expiry timeval provides the temporal information.)
2. The key is created from /dev/random. How long should it be? In my
threat model, the key changes every few hours.
3. Any other thoughts?
TIA. Cheers.
--
Ng Pheng Siong <ngps at netmemetic.com> * http://www.netmemetic.com
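As an added example (not code from the post or its author), a Python sketch of the mint/verify pair the post describes: the cap is HMAC-SHA1 over the path plus the query with cap removed, verified in constant time and checked against the expiry. The key, host and values below are constructed for the example; the sorted-parameter canonicalisation is an assumption of this example, not something the post specifies.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed key for this example (the post draws its key from /dev/random).
# 32 random bytes is ample for HMAC; more than the digest's output buys nothing.
KEY = secrets.token_bytes(32)


def _canonical(path, params):
    """String that gets MACed: the path plus every query parameter except cap,
    in sorted order so that reordering parameters cannot change the MAC."""
    items = sorted((k, v) for k, v in params if k != "cap")
    return f"{path}?{urlencode(items)}"


def mint_capability_url(key, base, path, action, expiry, digestmod=hashlib.sha1):
    """Build base + path?action=...&expiry=...&cap=HMAC(key, path?query)."""
    params = [("action", action), ("expiry", str(expiry))]
    signed = _canonical(path, params)
    cap = hmac.new(key, signed.encode(), digestmod).hexdigest()
    return f"{base}{signed}&cap={cap}"


def verify_capability_url(key, url, now, digestmod=hashlib.sha1):
    """Return the authorised action if the cap is valid and unexpired, else None."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    q = dict(params)
    cap = q.get("cap")
    if cap is None or not q.get("expiry", "").isdigit():
        return None
    expected = hmac.new(key, _canonical(parts.path, params).encode(), digestmod)
    # Constant-time comparison: never compare MACs with ==.
    if not hmac.compare_digest(expected.hexdigest(), cap):
        return None
    # The MAC covers expiry, so the holder cannot extend the URL's lifetime.
    if int(q["expiry"]) <= now:
        return None
    return q.get("action")


if __name__ == "__main__":
    url = mint_capability_url(KEY, "https://whatever", "/object", "read",
                              int(time.time()) + 3600)
    print(url)
    print(verify_capability_url(KEY, url, int(time.time())))
```

Any change to action or expiry, or a cap minted under another key, fails verification; because the MAC covers the whole query, the expiry cannot be pushed forward by the URL's holder.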
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com