Chillax and feel free to ask. Master secret must be kept with our
user/developer/client; technically it will only generate a new secret
if we get a new PushApplication.
If the server is restarted the *salt* and *secret key* will still be
there in the database. So basically on the next request we execute the
following function:

    keyForComparison = PBKDF2(masterSecret, salt)

Then we check against the database if the key matches the one stored
in the database. Does it make sense to you?
Karel Piwko wrote:
Sorry for my ignorance, does it mean that if I restart application server
or redeploy UPS, master secret will be changed?
For master secret, that's not that big a concern, I believe. People just need to
grab master secret from UPS before adding variants from CLI.
But if variant secrets are recomputed as well, all existing application
installations will cease to work!
--
abstractj
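
The derive-and-compare flow described in the reply above, as an added example that is not part of the original thread and is not UPS code. The PRF (HMAC-SHA256), iteration count, salt length, the dict standing in for the database, and all function names are assumptions; in this sketch only the salt and derived key are persisted.

```python
import hashlib
import hmac
import os

# Assumed parameters: the thread does not state the PRF, iteration count or sizes.
ITERATIONS = 100_000
SALT_LEN = 16


def derive_key(master_secret: str, salt: bytes) -> bytes:
    """keyForComparison = PBKDF2(masterSecret, salt)"""
    return hashlib.pbkdf2_hmac(
        "sha256", master_secret.encode("utf-8"), salt, ITERATIONS
    )


def register(db: dict, app_id: str) -> str:
    """New application: generate the master secret once, persist salt + derived key."""
    master_secret = os.urandom(24).hex()  # returned to the caller, not written to db
    salt = os.urandom(SALT_LEN)
    db[app_id] = {"salt": salt, "key": derive_key(master_secret, salt)}
    return master_secret


def verify(db: dict, app_id: str, presented_secret: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    record = db.get(app_id)
    if record is None:
        return False
    candidate = derive_key(presented_secret, record["salt"])
    return hmac.compare_digest(candidate, record["key"])


def demo() -> dict:
    database = {}  # constructed stand-in for the persistent store
    secret = register(database, "push-app-1")
    # Simulate a restart: in-memory state is gone, only the stored rows remain.
    reloaded = {app: dict(row) for app, row in database.items()}
    return {
        "valid_after_restart": verify(reloaded, "push-app-1", secret),
        "wrong_secret": verify(reloaded, "push-app-1", secret + "x"),
        "unknown_app": verify(reloaded, "missing", secret),
    }


if __name__ == "__main__":
    print(demo())
```

Because the salt is read back from storage rather than regenerated, the same master secret keeps verifying after the simulated restart; a fresh salt is only drawn inside `register`.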