Re: [OAUTH-WG] Defining a maximum token length?
Brian Eaton <beaton@google.com> Wed, 10 March 2010 07:35 UTC
Return-Path: <beaton@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6F3523A692D for <oauth@core3.amsl.com>; Tue, 9 Mar 2010 23:35:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.977
X-Spam-Level:
X-Spam-Status: No, score=-105.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vkmd0C1rKQkf for <oauth@core3.amsl.com>; Tue, 9 Mar 2010 23:35:20 -0800 (PST)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.33.17]) by core3.amsl.com (Postfix) with ESMTP id 0A4943A67DD for <oauth@ietf.org>; Tue, 9 Mar 2010 23:35:19 -0800 (PST)
Received: from spaceape7.eur.corp.google.com (spaceape7.eur.corp.google.com [172.28.16.141]) by smtp-out.google.com with ESMTP id o2A7ZN6w002260 for <oauth@ietf.org>; Wed, 10 Mar 2010 07:35:23 GMT
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1268206523; bh=TNeQNX5hZDeaGOrOTxVs5eAp8HM=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type; b=X9CZx2LJFNzrhGCaxrxHMXJVdHr3RnenNQSfertcML1BmDpDcKadC5mJvQKsOMk1v pNF59vYQAUx9r/HBfF8iQ==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:date:message-id:subject:from:to: cc:content-type:x-system-of-record; b=vHDoijOi0AoLupvk1Pa1BIFigDMxeT5L2TE5x9CIUQ4JEcdQdKqa9CmWyKAxypi1b gxQcdK3/ZIe+G3VFDtg0Q==
Received: from qyk33 (qyk33.prod.google.com [10.241.83.161]) by spaceape7.eur.corp.google.com with ESMTP id o2A7ZLQe010680 for <oauth@ietf.org>; Tue, 9 Mar 2010 23:35:22 -0800
Received: by qyk33 with SMTP id 33so336022qyk.17 for <oauth@ietf.org>; Tue, 09 Mar 2010 23:35:21 -0800 (PST)
MIME-Version: 1.0
Received: by 10.220.124.149 with SMTP id u21mr81792vcr.208.1268206520960; Tue, 09 Mar 2010 23:35:20 -0800 (PST)
In-Reply-To: <D3BC6FD4-0530-4677-91C8-8B060C5DCEE3@facebook.com>
References: <fd6741651003091550t5a464496r57aae9a60c516599@mail.gmail.com> <74caaad21003091623i8b7c343jc3bb806fe327492d@mail.gmail.com> <12ED1FAC-B9C6-47C1-AC01-AB33D110EF8C@gmail.com> <68f4a0e81003091824n5453cf4cp151f313de5fd9c5e@mail.gmail.com> <fd6741651003091916o4c3b3a3ao4dc7871ddf7df23b@mail.gmail.com> <C39B5264-75E2-456A-ABB7-D1530660BA99@alkaline-solutions.com> <D3BC6FD4-0530-4677-91C8-8B060C5DCEE3@facebook.com>
Date: Tue, 09 Mar 2010 23:35:20 -0800
Message-ID: <daf5b9571003092335r5443fb27taf7e9f774b7c4ad1@mail.gmail.com>
From: Brian Eaton <beaton@google.com>
To: Luke Shepard <lshepard@facebook.com>
Content-Type: text/plain; charset="ISO-8859-1"
X-System-Of-Record: true
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Defining a maximum token length?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Mar 2010 07:35:21 -0000
On Tue, Mar 9, 2010 at 11:02 PM, Luke Shepard <lshepard@facebook.com> wrote: > I'd still like to see someone construct an example access token that is > longer than 255 characters that would be reasonably used. If there > are real, legitimate use cases that REQUIRE more than that many > characters, then let's hear them. I don't think that appealing to > "it might be useful" is a good enough argument. Cached group memberships and other user attributes are what typically blow out the cookie size in enterprise environments. If you browse around the web for a bit you'll see various sites that set very large cookies after users log in. They are caching state in the cookie. It's all fair game for API tokens as well. Cheers, Brian
- [OAUTH-WG] Defining a maximum token length? David Recordon
- Re: [OAUTH-WG] Defining a maximum token length? Chuck Mortimore
- Re: [OAUTH-WG] Defining a maximum token length? Marius Scurtescu
- Re: [OAUTH-WG] Defining a maximum token length? David Recordon
- Re: [OAUTH-WG] Defining a maximum token length? Dick Hardt
- Re: [OAUTH-WG] Defining a maximum token length? Ethan Jewett
- Re: [OAUTH-WG] Defining a maximum token length? Dick Hardt
- Re: [OAUTH-WG] Defining a maximum token length? David Recordon
- Re: [OAUTH-WG] Defining a maximum token length? Dick Hardt
- Re: [OAUTH-WG] Defining a maximum token length? Marius Scurtescu
- Re: [OAUTH-WG] Defining a maximum token length? David Recordon
- Re: [OAUTH-WG] Defining a maximum token length? Dick Hardt
- Re: [OAUTH-WG] Defining a maximum token length? Torsten Lodderstedt
- Re: [OAUTH-WG] Defining a maximum token length? Luke Shepard
- Re: [OAUTH-WG] Defining a maximum token length? Brian Eaton
- Re: [OAUTH-WG] Defining a maximum token length? Torsten Lodderstedt
- Re: [OAUTH-WG] Defining a maximum token length? David Waite
- Re: [OAUTH-WG] Defining a maximum token length? Luke Shepard
- Re: [OAUTH-WG] Defining a maximum token length? Brian Eaton
- Re: [OAUTH-WG] Defining a maximum token length? Justin Smith
- Re: [OAUTH-WG] Defining a maximum token length? John Kemp
- Re: [OAUTH-WG] Defining a maximum token length? Moritz Maisel
- Re: [OAUTH-WG] Defining a maximum token length? John Kemp
- Re: [OAUTH-WG] Defining a maximum token length? Paul Lindner
- Re: [OAUTH-WG] Defining a maximum token length? John Kemp
- Re: [OAUTH-WG] Defining a maximum token length? Paul Lindner
- Re: [OAUTH-WG] Defining a maximum token length? jbemmel
- Re: [OAUTH-WG] Defining a maximum token length? Marius Scurtescu
- Re: [OAUTH-WG] Defining a maximum token length? Luke Shepard
- Re: [OAUTH-WG] Defining a maximum token length? Brian Eaton
- Re: [OAUTH-WG] Defining a maximum token length? Anthony Nadalin
- Re: [OAUTH-WG] Defining a maximum token length? Allen Tom
- Re: [OAUTH-WG] Defining a maximum token length? Eran Hammer-Lahav
- Re: [OAUTH-WG] Defining a maximum token length? Torsten Lodderstedt
- Re: [OAUTH-WG] Defining a maximum token length? Torsten Lodderstedt
- Re: [OAUTH-WG] Defining a maximum token length? John Kemp
- Re: [OAUTH-WG] Defining a maximum token length? Naitik Shah
- Re: [OAUTH-WG] Defining a maximum token length? Anthony Nadalin
- Re: [OAUTH-WG] Defining a maximum token length? Eliot Lear
- Re: [OAUTH-WG] Defining a maximum token length? Allen Tom
- Re: [OAUTH-WG] Defining a maximum token length? Eran Hammer-Lahav
- Re: [OAUTH-WG] Defining a maximum token length? Luke Shepard