by robbles 869 days ago
The tone is entertaining, but some of the snarkiness around the code is a bit frustrating at times. e.g.

> # do i really need to say I'm not serious about this?

Can you just come out and say what you mean here? Like, presumably it's bad, insecure code, but can't you just spell it out for the benefit of your audience?

I'm probably being really picky here - I just find this kind of developer in-crowd signalling to be really irritating and counterproductive.


The Python code here is essentially just pseudocode. In reality, if you build a Python Macaroon implementation, you'd pull in pyca/cryptography and use an actual AEAD, rather than rolling your own authenticated cipher out of pure HMAC. But the point is that this isn't real code, just enough to make the concepts concrete.
That's a great explanation, and pretty much exactly what I'd love to see instead of the original slightly mysterious comment :)
Yes, you articulated what I think often when I read a tpt post. Enjoy the casual writing but feel like I’m frequently left out of the joke.

I understand all these concepts in general but looking at a block of code… I’m supposed to 1) know if it’s serious/not and 2) whether he’s being sarcastic about it or not.

I even know Python well but the whole post is so “inside baseball” I am not sure what to think. Guessing the bulk of the audience is not grizzled security engineers.

(I’d recommend another summary/details tag to put the grandparent explanation directly into the fly post.)

Which parts seemed "inside baseball" to you?
HMAC and attenuation for starters.

I read your related piece a few years ago but apparently didn’t retain much, due to not using it every day. Knowledge went out to backup tape.

So, come to yesterday’s piece. I remember the abbrev. HMAC but have to look it up. Didn’t get the use case. No idea what attenuation meant in this context… thought of sound and plowed ahead. Gave up by the middle of the piece, lost.

But, then saw the link to the old piece, and read it top to bottom. Ok, now I get it! Reread and got the second piece. Understand finally but still not entirely clear why you were dissing your work.

Read another related piece on why JSON and XML are discredited for this kind of work.

Often upfront in a piece the author will say read this first, define some jargon, and “why’s”. (The why is often what I care about most.) These go well with the details/summary tags. Well, looks like you used a button for that but same idea.

Experienced dev here but haven’t just spent two years building an IAM system. Slightly more acknowledgment of that upfront would work wonders.
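For the "HMAC and attenuation" confusion above, here is an added, stdlib-only illustration (my own, not the article's or the project's code) of the first-party part of a Macaroon: the signature is an HMAC chain, so whoever holds the token can add caveats without the root key, while stripping or altering a caveat breaks verification. The "key = value" caveat language and the request context dict are constructed for the example.

```python
import hmac
import hashlib
from typing import Dict, List, Tuple

# Added example, not the article's code. A token is (identifier, caveats, sig).
Token = Tuple[bytes, List[bytes], bytes]

def _h(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def mint(root_key: bytes, identifier: bytes) -> Token:
    """Issuer only: sig = HMAC(root_key, identifier), no caveats yet."""
    return identifier, [], _h(root_key, identifier)

def attenuate(token: Token, caveat: bytes) -> Token:
    """Attenuation: new_sig = HMAC(old_sig, caveat).
    Any holder can do this; the root key is never needed, and the old
    signature is discarded, so the caveat cannot be removed again."""
    identifier, caveats, sig = token
    return identifier, caveats + [caveat], _h(sig, caveat)

def caveat_holds(caveat: bytes, context: Dict[str, str]) -> bool:
    """Constructed caveat language: 'key = value' must match the request."""
    key, _, value = caveat.decode().partition(" = ")
    return context.get(key) == value

def verify(root_key: bytes, token: Token, context: Dict[str, str]) -> bool:
    """Verifier (holds the root key): recompute the whole chain from the
    root key and check that every caveat is satisfied by the request."""
    identifier, caveats, sig = token
    expected = _h(root_key, identifier)
    for caveat in caveats:
        expected = _h(expected, caveat)
    if not hmac.compare_digest(expected, sig):
        return False
    return all(caveat_holds(c, context) for c in caveats)
```

This covers only first-party caveats; third-party caveats, which need the encrypted verification key the post's HMAC-built "cipher" stands in for, are left out.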

OK! That's helpful.

The only unserious code in this post, for what it's worth, is a couple functions that make an authenticated stream cipher out of HMAC, because the Python standard library doesn't have an encryption function that I could find.

I can always appreciate that these types of stripped-down examples are merely for illustrative, conceptual purposes...but the ignoramus in me would also appreciate links to fleshed-out examples that take into account the shortcomings of the simpler example.
Our actual Macaroon code is linked at the bottom of the article.
I studied that code and the comment for a good 10 minutes. As far as I can tell it just obfuscates, and is not actually implementing authenticated encryption. It would help to just come out and say that part out loud.
True fact: Salsa20 is itself a hash function, keyed, and running in a counter mode.
> I'm probably being really picky here - just find this kind of developer in-crowd signalling to be really irritating and counterproductive.

Why is it "developer in-crowd signalling" rather than just a joke? IOW I read this as saying the jokes were "as bad as" virtue-signalling.

It's a statement that won't make sense to someone who's new to the topic.

I don't think it's related to virtue signalling at all, the two just share the word "signalling".