Agreed that storing the full token seems risky. If a vulnerability exposes memory, or core dumps are shared, valid tokens could be exposed.

An option would be storing tokens in a "de-fanged" state. Validate the token, remove the signature, and store the token into creds. Clients reading from creds trust that the signature was valid. (This might be tricky if libraries can't separate signature checks from expiration checks.)


You are receiving this because you commented. Message ID: <xrootd/xrootd/issues/1584/1035109137@github.com>
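The de-fanging approach sketched in the comment above, as an added example that is not XRootD code: the HMAC key, the hand-rolled HS256 minting helper and the creds-store format (the compact JWT with an empty third segment) are assumptions, constructed so the example runs offline. It keeps the signature check and the expiry check in separate functions, which is the separation the comment notes a library may not offer.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; in a real deployment it belongs to the token issuer.
ISSUER_KEY = b"constructed-demo-hmac-key"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_hs256(claims: dict, key: bytes) -> str:
    """Constructed helper: build a compact HS256 JWT so the example is self-contained."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def defang(token: str, key: bytes) -> str:
    """Check the signature, then return the token with the signature removed.
    Expiry is deliberately not checked here: the reader does that at use time."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature: refusing to store token")
    # The header still says HS256, so a service handed this by accident rejects it.
    return f"{header}.{payload}."


def read_defanged(stored: str, now=None) -> dict:
    """Read a de-fanged token from the creds store and check only expiry.
    With no signature left, integrity rests on the creds store itself, so a
    stored value that still carries a signature is treated as an error."""
    header, payload, sig = stored.split(".")
    if sig:
        raise ValueError("creds store holds a live (signed) token")
    claims = json.loads(_b64url_decode(payload))
    current = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= current:
        raise ValueError("token expired")
    return claims
```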
