1. 8
  1.  

  2. 3

    I’m curious why Base62 and not simply Base64UrlSafe, which has a constant time implementation in libsodium.

    1. 1

      Base64UrlSafe

      Hm, constant time, what do you mean by that? Also have tried to find the code (regarding b64) but no luck :(

      1. 1

        See for example https://blog.ircmaxell.com/2014/11/its-all-about-time.html

        It is mostly important for decoding key material if stored encoded, so technically it may not be necessary here to have the encoder/decoders be constant time, but well, better safe than sorry when dealing with security sensitive code.

    2. 3

      How does this compare to Paseto? Branca seems just more limited and opinionated.

      1. 2

        I think this is meant to be more like itsdangerous than Paseto; similar to Paseto, it is meant to be algorithmically simple (XChaCha20-Poly1305 for authenticated encryption authenticated data, whereas Paseto supports XChaCha20-Poly1305 + Blake (for nonce misuse resistance) and Edwards-curves via Ed25519), but unlike Paseto, it doesn’t have a tie in to a JSON-like structure.

      2. 2

        From reading its specification, I don’t see a way to rotate the secret key seamlessly by encrypting tokens using a new key, whilst decrypting tokens with both an old and new key for a short time. The lack of this might inconvenience end users in some situations.

        1. 2

          a “key id” would be easier… a way to indicate which key needs to be used to decrypt the token, in case simply trying all keys is not acceptable.

        2. 1

          I stumbled across this when an implementation was created for clojure.

          I’m curious to look further into Branca to see to their suitability as a JWT replacement, due to the many well known issues with JWT.

          1. 1

            this is only for symmetric encryption