|
| ▲ | andai 3 hours ago | parent | next [-] |
| I read an article about business which had this classification, "Would be weird if it worked", "Might work", and "Would be weird if it didn't work" and argued that you want to be in the last category. In engineering we aspire to a slightly stronger standard: "I made it physically impossible to fuck this up." |
|
| ▲ | tptacek 4 hours ago | parent | prev [-] |
| You've completely missed my point. I don't even accept the premise of the JWT standard. But the eventual migration to safer default settings, in a format that continues to expend implementation effort to support settings nobody should use, is in fact a practical engineering problem with the standard. |
| |
| ▲ | ForHackernews 4 hours ago | parent [-] | | And they've published updates[0] and libraries have hardened their defaults and removed support for insecure values (e.g. alg='none'). I'm not sure what more you want? I'd rather use a refined, battle-tested standard with lots of eyes on it than some new untested contender produced by a handful of upstarts ("look, we just designed it right from the beginning! This time it's perfect!") PASETO reeks of second-system syndrome. [0] https://www.rfc-editor.org/info/rfc8725/ | | |
| ▲ | tptacek 3 hours ago | parent [-] | | I don't recommend PASETO either. | | |
| ▲ | doc_ick 2 hours ago | parent [-] | | What do you recommend then? What technology has been designed, completed, then used for years without any updates or problems? | | |
|
|
|
