Open paragonie-security opened 3 years ago
Mythra
commented
3 years ago Thanks for the report! I was already working on this as part of my v3/v4 work since this will require a breaking change. (Unfortunately the only thing with the new specs I've seen so far that will.)
paragonie-security
commented
3 years ago Excellent!
This isn't a vulnerability, necessarily, but we want to make sure misuse resistance is emphasized. :)
Mythra
commented
3 years ago Yep, totally understand, and it's worthwhile to do. I'm all for latching foot guns, just need to find time to do it after moving 😅
See https://github.com/paseto-standard/paseto-spec/blob/master/docs/02-Implementation-Guide/03-Algorithm-Lucidity.md
Right now, byte arrays of length 32 are accepted by this API. There's no mechanism to prevent a user from using a v2 public key as a v2 local key.