GUIDs

Robert Olson olson at mcs.anl.gov
Wed Dec 18 09:12:17 CST 2002


I was making some implicit assumptions and skipping a step.

The full thought is that there are two requirements that need to be met in 
different parts of the system: unique identifiers and random tokens.

GUIDs solve the unique identifier problem. However, the GUIDs as defined by 
the GUID.py code might not be unique. IP addresses are not unique (think 
machines behind NAT bridges using private IP address space). MS-style GUIDs 
use the hardware address of the computer's network card to ensure 
uniqueness. See 
http://www1.ics.uci.edu/~ejw/authoring/uuid-guid/draft-leach-uuids-guids-01.txt 
for a spec for them.

Random tokens, like the private ID, need to be created from 
cryptographically strong random allocators. Otherwise, attacks can be based 
on guessing the identifier based on knowledge of the system in use, the 
APIs, etc. (cf. successful attacks on, I think, Netscape servers due to 
insufficiently random tokens).

--bob

At 08:39 AM 12/17/2002 -0600, Ivan R. Judson wrote:

>Interesting, I was going to get rid of the requirement for the crypto stuff
>and just use the built-in Python random number generator stuff.  What
>disqualifies the built-in random number generator? The two applications I
>can think of, unique IDs and the address allocator, don't seem to require
>cryptographically strong randomness, am I missing something?
>
>--Ivan
>
>PS -- besides if you read over the snippet below it makes your eyes cross.
>Those two definitions of random are either the same or not, but it's not
>clear from the mail :-)
>
> >  > A globally-unique identifier made up of time and ip and 3
> > random digits:
> >
> > This might be unique, but it's definitely not random. There
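
Added example, not part of the original thread and not the GUID.py code: a Python sketch of the two requirements described in the message above, contrasting an identifier built from time, IP and three random digits with a hardware-address UUID for uniqueness and an OS-CSPRNG token for secrecy. The field layout of the weak identifier, the function names and the sample address, time and seed are all assumptions constructed for illustration.

```python
import math
import random
import secrets
import uuid


def weak_guid(ip: str, now: float, rng: random.Random) -> str:
    """Time + IP + 3 random digits, as in the scheme under discussion.
    The exact field layout is an assumption made for this example."""
    return f"{int(now * 1000):013d}-{ip}-{rng.randrange(1000):03d}"


def residual_bits(window_ms: int, digits: int = 3) -> float:
    """Uncertainty left for someone who knows the IP and knows the
    creation time to within window_ms milliseconds."""
    return math.log2(window_ms * 10 ** digits)


def same_seed_repeats(seed: int) -> bool:
    """The built-in generator is deterministic: equal seeds (or recovered
    state) give equal 'random' digits."""
    a, b = random.Random(seed), random.Random(seed)
    return [a.randrange(1000) for _ in range(8)] == [b.randrange(1000) for _ in range(8)]


def unique_id() -> str:
    """Uniqueness only: version 1 UUID from the clock and the network
    card's hardware address (Python falls back to a random node value
    if no address can be read). Not a secret."""
    return str(uuid.uuid1())


def private_token(nbytes: int = 16) -> str:
    """Secrecy: nbytes from the operating system's CSPRNG, hex-encoded."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    rng = random.Random(2002)  # constructed seed
    # Constructed private address and timestamp.
    print(weak_guid("10.0.0.5", 1040224337.0, rng))
    print(f"{residual_bits(1000):.1f} bits if creation time is known to 1 s")
    print(f"{8 * 16} bits in", private_token())
    print("unique id:", unique_id())
```

The weak identifier leaves about 20 bits of uncertainty when its creation time is known to the second, against 128 bits for the default `private_token()`.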



