1. 8
    1. 3

      I’m curious why Base62 and not simply Base64UrlSafe, which has a constant time implementation in libsodium.

      1. 1

        Base64UrlSafe

        Hm, constant time, what do you mean by that? I have also tried to find the code (regarding b64) but no luck :(

        1. 1

          See for example https://blog.ircmaxell.com/2014/11/its-all-about-time.html

          It is mostly important for decoding key material if stored encoded, so technically it may not be necessary here to have the encoder/decoders be constant time, but well, better safe than sorry when dealing with security sensitive code.
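The constant-time decoding discussed in the comment above, as an added example that is not part of the thread and is not libsodium's code: a base64url decoder that maps characters to values with arithmetic masks, so no branch or table index depends on the decoded bytes. The names `in_range`, `b64u_val` and `b64u_decode` are hypothetical, and the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 0xFF if lo <= c <= hi, else 0x00 (all values 0..255). A negative difference
 * wraps and sets bits 8..15, so no branch or lookup table is needed. */
static unsigned in_range(unsigned c, unsigned lo, unsigned hi)
{
    return ((((c - lo) | (hi - c)) >> 8) & 0xFF) ^ 0xFF;
}

/* Character -> 6-bit value; clears *ok for bytes outside the alphabet. */
static unsigned b64u_val(unsigned c, unsigned *ok)
{
    unsigned up = in_range(c, 'A', 'Z'), lo = in_range(c, 'a', 'z');
    unsigned dg = in_range(c, '0', '9'), mi = in_range(c, '-', '-');
    unsigned us = in_range(c, '_', '_');
    *ok &= up | lo | dg | mi | us;
    return (up & (c - 'A')) | (lo & (c - 'a' + 26)) | (dg & (c - '0' + 52)) |
           (mi & 62) | (us & 63);
}

/* Unpadded decode; returns byte count, or -1 on invalid or non-canonical
 * input. Control flow depends only on the (public) length and final verdict. */
long b64u_decode(uint8_t *out, size_t cap, const char *in, size_t len)
{
    unsigned ok = 0xFF, acc = 0, bits = 0;
    size_t n = 0;
    if (len % 4 == 1 || cap < len * 3 / 4) return -1;
    for (size_t i = 0; i < len; i++) {
        acc = (acc << 6) | b64u_val((unsigned char)in[i], &ok);
        /* This test depends on the position i only, never on the data. */
        if ((bits += 6) >= 8) { bits -= 8; out[n++] = (uint8_t)(acc >> bits); }
    }
    ok &= in_range(acc & ((1u << bits) - 1), 0, 0); /* leftover bits must be 0 */
    return ok ? (long)n : -1;
}

int main(void)
{
    uint8_t key[6]; /* constructed sample input, not a real key */
    long n = b64u_decode(key, sizeof key, "Zm9vYmFy", 8);
    long bad = b64u_decode(key, sizeof key, "Zm9v+mFy", 8); /* '+' is not URL-safe */
    printf("valid: %ld bytes, invalid: %ld\n", n, bad);
    return n == 6 ? 0 : 1;
}
```

The guarantee holds at the source level only; a compiler can still turn masks into branches, so the generated code needs checking on the target platform.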

    2. 3

      How does this compare to Paseto? Branca seems just more limited and opinionated.

      1. 2

        I think this is meant to be more like itsdangerous than Paseto; similar to Paseto, it is meant to be algorithmically simple (XChaCha20-Poly1305 for authenticated encryption authenticated data, whereas Paseto supports XChaCha20-Poly1305 + Blake (for nonce misuse resistance) and Edwards-curves via Ed25519), but unlike Paseto, it doesn’t have a tie-in to a JSON-like structure.

    3. 2

      From reading its specification, I don’t see a way to rotate the secret key seamlessly by encrypting tokens using a new key, whilst decrypting tokens with both an old and new key for a short time. The lack of this might inconvenience end users in some situations.

      1. 2

        A “key id” would be easier… a way to indicate which key needs to be used to decrypt the token, in case simply trying all keys is not acceptable.

    4. 1

      I stumbled across this when an implementation was created for Clojure.

      I’m curious to look further into Branca to see its suitability as a JWT replacement, due to the many well-known issues with JWT.

      1. 1

        This is only for symmetric encryption.