Re: [OAUTH-WG] draft-ietf-oauth-spop-10

Hannes Tschofenig <> Wed, 18 February 2015 08:49 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 3E5001A9115 for <>; Wed, 18 Feb 2015 00:49:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 4hXQZZpt9e13 for <>; Wed, 18 Feb 2015 00:49:35 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3872F1A8753 for <>; Wed, 18 Feb 2015 00:49:35 -0800 (PST)
Received: from [] ([]) by (mrgmx102) with ESMTPSA (Nemesis) id 0MI8iw-1YPfHS2Wq6-003rF4; Wed, 18 Feb 2015 09:49:29 +0100
Message-ID: <>
Date: Wed, 18 Feb 2015 09:47:40 +0100
From: Hannes Tschofenig <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: John Bradley <>
References: <> <>
In-Reply-To: <>
OpenPGP: id=4D776BC9
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="vkHQ1nhwDlE2f3lWK9Fb0cdAamKsXDhxX"
X-Provags-ID: V03:K0:KVuiU/fklITbYQqjEsjxDUyKe/8SKQDIqCqq7zGWFV/ZcH8CCYp okQUPFYqHM0WUTNklMccMkEaCrkSxzzYX/9RQ0pP0RSpaF53NaF0ZC2C39O4UI/Ss9KCi75 jShb7WBdFhUWoS+UP6QGZJB3t88GO7dwGh0lHFytJGFOj/7wOJzHUb7QSQCTufNFeUqculs uDB7ko5vaeNHbzfWUnCAw==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: <>
Cc: "" <>, Naveen Agarwal <>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-spop-10
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 18 Feb 2015 08:49:37 -0000

Hi John,

I am fine with the plain vs. SHA256 concept and I understand the
reasoning behind the two. Having the same for both types is also OK for me.

My question about the 32 bytes entropy was based on curiosity. SHA256 is
a function that takes an arbitrary length input and produces an output
with 256 bits. The 256bit output length does not mean that you have put
give it 256bits randomness as input.

If the group thinks that this is a reasonable value (and not too big)
then I am fine with it as well.


On 02/18/2015 05:42 AM, John Bradley wrote:
> We have discussed on the list making allowing the entropy for plain to be smaller.
> 32bytes was selected as a good value for S256.  
> The reason for S256 vs plain is that you are assuming an attacker is going to intercept the request, and thus you want to have enough entropy to prevent offline brute force.
> For plain you are assuming that the attacker can't intercept the request, and if they do more entropy won't help you.
> In the plain case you are only protecting against a on line guess for a single use token.   That could safely be much lower entropy as it is not protecting against off-line brute force.
> 128bits would be more than enough in that case.   I left it as 256bits for both to not introduce more options and not confuse people about why plain needs less entropy than S256.
> What is the WG feeling should we recommend different minimum values for each of the transforms?
> John B.
>> On Feb 17, 2015, at 8:56 AM, Hannes Tschofenig <> wrote:
>> Hi Nat, John, Naveen,
>> thanks a lot for your work on the document.
>> I still need responses to this mail to complete the shepherd writeup:
>> I definitely need the IPR confirmation.
>> It would also be helpful to have someone who implemented the
>> specification as it currently is. I asked Brian and Thorsten for
>> clarification regarding their statements that they implemented earlier
>> versions of the spec.
>> As a final remark I still believe that the text regarding the randomness
>> is still a bit inconsistent. Here are two examples:
>> 1) In the Security Consideration you write that "The security model
>> relies on the fact that the code verifier is not learned or guessed by
>> the attacker.  It is vitally important to adhere to this principle. "
>> 2) In Section 4.1 you, however, write: "NOTE: code verifier SHOULD have
>> enough entropy to make it impractical to guess the value.  It is
>> RECOMMENDED that the output of a suitable random number generator be
>> used to create a 32-octet sequence."
>> There is clearly a long way from a SHOULD have enough entropy to the
>> text in the security consideration section where you ask for 32 bytes
>> entropy.
>> It is also not clear why you ask for 32 bytes of entropy in particular.
>> Ciao
>> Hannes