paragonie / paseto-io Goto Github PK

Being interested in using PASETO as Python developer, I googled and found this implementation in Python:
https://github.com/purificant/python-paseto by @purificant

Its latest commit is a month ago, while the implementation stated at the site (https://github.com/rlittlefield/pypaseto by @rlittlefield) is inactive for over 6 months.

I'm opening this issue to ensure the new implementation worth adding to the site.

In addition, let me ask about the meaning of a green tick in a table of implementations. I'm completely dumb in cryptography and for me the green tick is equal to Ready for use. Howewer, both of python implementations state that it could be risky to use it. So, does the green tick means The author said they support this version of PASETO or any checking is done?

Thanks in advance for a reply!

I tripped over the LetsEncrypt rate limit. As soon as I can, switch to use HTTPS everywhere.

Hi

I was looking at paseto (as jwt alternative) and noticed that the paseto.io website is not accesible.
Google cache gave me timestamp of 24 Sep 2019 21:19:40 GMT.
To this is a new or temporary issue.

Since we now have V3/V4, we should encourage implementations to migrate towards the new versions. This means removing V1/V2 from the table on the front page.

Our target date for this change is January 1, 2022 (2022-01-01).

Trying to retrieve the PDF from the home page:

❯ wget https://paragonie.com/files/talks/NoWayJoseCPV2018.pdf
--2021-02-13 16:41:12--  https://paragonie.com/files/talks/NoWayJoseCPV2018.pdf
Resolving paragonie.com (paragonie.com)... 94.23.2.63
Connecting to paragonie.com (paragonie.com)|94.23.2.63|:443... connected.
HTTP request sent, awaiting response... 502 Bad Gateway
2021-02-13 16:41:13 ERROR 502: Bad Gateway.

In a lot of the reading I've done on PASETOs, it seems that they should be single use only.
For example:
https://developer.okta.com/blog/2019/10/17/a-thorough-introduction-to-paseto

PASETOs are designed as single-use tokens

But is there anything in the specification that actually requires them to be single use? If the same token is passed twice to the decrypt method while the token is valid, are both instances treated as valid?

We're upgrading the OS on pie-hosted right now, and it's causing nginx to report a bad gateway. We're aware of this and it will be fixed before 11 AM.