Re: [OAUTH-WG] Question lengths in draft-sakimura-oauth-tcse-03

Brian Campbell <bcampbell@pingidentity.com> Mon, 12 May 2014 21:51 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 12 May 2014 15:50:20 -0600
Message-ID: <CA+k3eCR56F1i=HHzFGivhG6p1vb4u7GZiBzB6gXdQJd5hurhvQ@mail.gmail.com>
To: Derek Atkins <warlord@mit.edu>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/4FPJbh8-6cjI9mAfyi8lea0_9JY
Cc: John Bradley <jbradley@pingidentity.com>, oauth <oauth@ietf.org>, Naveen Agarwal <naa@google.com>
Subject: Re: [OAUTH-WG] Question lengths in draft-sakimura-oauth-tcse-03

Yeah, it does depend on what it really is and why the length needs to be
restricted. That's what the other questions were really about.

Octets would be better than bytes, if that's what's intended.


On Mon, May 12, 2014 at 3:15 PM, Derek Atkins <warlord@mit.edu> wrote:

> Brian Campbell <bcampbell@pingidentity.com> writes:
>
> > I notice that code_verifier is defined as "high entropy cryptographic random
> > string of length less than 128 bytes" [1], which brought a few questions and
> > comments to mind. So here goes:
> >
> > Talking about the length of a string in terms of bytes is always potentially
> > confusing. Maybe characters would be an easier unit for people like me to wrap
> > their little brains around?
>
> It depends if it really is characters or bytes.  For example there are
> many multi-byte UTF-8 characters, so if it really is bytes then saying
> characters is wrong because it could overflow.  So let's make sure we
> know what we're talking about.  Historically, if we're talking bytes the
> IETF often uses the phrase "octets".  Would that be less confusing?
>
> > Why are we putting a length restriction on the code_verifier anyway? It seems
> > like it'd be more appropriate to restrict the length of the code_challenge
> > because that's the thing the AS will have to maintain somehow (store in a DB
> > or memory or encrypt into the code). Am I missing something here?
> >
> > Let me also say that I hadn't looked at this document since its early days in
> > draft -00 or -01 last summer but I like the changes and how it's been kept
> > pretty simple for the common use-case while still allowing for crypto agility/
> > extension. Nice work!
> >
> > [1] http://tools.ietf.org/html/draft-sakimura-oauth-tcse-03#section-3.3
>
> -derek
>
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
> --
>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>        Member, MIT Student Information Processing Board  (SIPB)
>        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>        warlord@MIT.EDU                        PGP key available
>



-- 
Brian Campbell
Portfolio Architect
Ping Identity <https://www.pingidentity.com/>
bcampbell@pingidentity.com  +1 720.317.2061
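The two points in the exchange above, shown in code as an added example that is not part of the thread or the draft: a verifier bound expressed in characters and one expressed in octets diverge for multi-byte UTF-8 input, while the code_challenge the AS actually stores has a fixed size. The S256 transform (BASE64URL(SHA256(code_verifier))) and the single-octet alphabet are assumptions for the example.

```python
# Added example, not from the thread: "length less than 128 bytes" versus
# "less than 128 characters" are different checks, and the derived
# code_challenge (assumed S256: BASE64URL(SHA256(verifier))) has a fixed size.
import base64
import hashlib
import secrets
import string

MAX_VERIFIER_OCTETS = 128  # the draft's bound: "length less than 128 bytes"

# Unreserved URL characters; each is exactly one octet in UTF-8.
UNRESERVED = string.ascii_letters + string.digits + "-._~"


def make_code_verifier(n_chars: int = 43) -> str:
    """High-entropy verifier drawn from single-octet characters only."""
    return "".join(secrets.choice(UNRESERVED) for _ in range(n_chars))


def verifier_length_ok(code_verifier: str) -> dict:
    """Evaluate the bound in both units so a mismatch is visible."""
    octets = len(code_verifier.encode("utf-8"))
    chars = len(code_verifier)
    return {
        "chars": chars,
        "octets": octets,
        "ok_by_chars": chars < MAX_VERIFIER_OCTETS,
        "ok_by_octets": octets < MAX_VERIFIER_OCTETS,
    }


def code_challenge_s256(code_verifier: str) -> str:
    """BASE64URL(SHA256(verifier)) with padding removed: always 43 characters."""
    digest = hashlib.sha256(code_verifier.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Constructed verifier: 100 characters, each a 3-octet UTF-8 sequence, so a
# character-count check accepts it while an octet-count check rejects it.
MULTIBYTE_VERIFIER = "\u20ac" * 100  # U+20AC (euro sign) is E2 82 AC in UTF-8

if __name__ == "__main__":
    ascii_v = make_code_verifier()
    print(verifier_length_ok(ascii_v), len(code_challenge_s256(ascii_v)))
    print(verifier_length_ok(MULTIBYTE_VERIFIER),
          len(code_challenge_s256(MULTIBYTE_VERIFIER)))
```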