Comments (4)
From a skim of the 16 commits, here are the ones that jump out as potentially version-bumping changes:
ca8b345 pins to CBC, meaning that implementations of 1fa950a's 0x80 don't guarantee CBC.
58d2827 appears to change from nanoseconds to seconds—the commit message ("new format") and diff (wait—"gAAAAA" is new?!
3bbe466 "document checking version byte"—so it is new
c55d0d4 diff suggests that base64url was indicated in at least some specific locations in the original 0x80—was it so indicated everywhere?
0514d7d clear algorithm change
was it so indicated everywhere?
0250c59 Answer: no.
from spec.
Is the version unambiguous?
The answer appears to be "yes."
In which case, the action item here is to ... what? Clean up Fernet's versioning somehow. By applying new version numbers to the version-bumping commits above? By dropping back to Git SHA for version? By adopting semantic versioning?
from spec.
To be explicit: this issues makes auditing somewhat more difficult.
from spec.
Clean up Fernet's versioning somehow.
By tagging 0250c59 as 0x80 and adopting a versioning policy for future changes?
from spec.
Related Issues (20)
- check version byte during verification HOT 3
- Possible race condition due to lack of precision in creation timestamp HOT 1
- Why Fernet? HOT 4
- Enhancement: ability to use AES192/256 encryption w/appropriate version-byte flag HOT 6
- please add python-fernet
- Fernet Java implementation.
- Is this project still maintained? HOT 8
- Feedback on Java 8 Implementation HOT 1
- IV specification
- Generating with input of multipler of 32 bytes causing .verify to fail with padding error.. HOT 6
- Verifying TTL is ambiguous regarding nanosecond handling
- PHP Implementation Housing
- Request to replace AES128 with AES256 and SHA256 with SHA384 or SHA512 in fernet. HOT 2
- README does not mention lack of anti-replay HOT 3
- Spec should state that b64 encoding uses the urlsafe variant HOT 1
- Provide timestamps for vectors in unix time
- Document the need for a clock skew check HOT 1
- Reason for variable time verification? HOT 1
- Signing-key length is not too small? HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from spec.