Open bitemyapp opened 9 years ago
Skein was chosen for its speed since clientsession is on a critical path, but the benchmark was done a long time ago. Maybe something changed.
I'd be against making it pluggable. The reason is that security-related code should have as few knobs as possible, it's too easy to shoot oneself in the foot.
I need a Haskell and Clojure application to be able to encrypt & decrypt each other's sessions.
Haskell uses Skein, but there isn't a well established or verified implementation of Skein for Java.
HMAC SHA256 is well established for both though.
I'm currently looking at having to reimplement the entire session encryption/decryption suite as well as Yesod integration thereof because I can't swap out the auth for clientsession. Is making the auth algo pluggable something you'd be open to?