IETF Logo Mail Archive

Re: [OAUTH-WG] Question lengths in draft-sakimura-oauth-tcse-03

Derek Atkins <warlord@MIT.EDU> Mon, 12 May 2014 21:15 UTC

Return-Path: <derek@ihtfp.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B34A31A0772 for <oauth@ietfa.amsl.com>; Mon, 12 May 2014 14:15:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id REoL_sQVcawQ for <oauth@ietfa.amsl.com>; Mon, 12 May 2014 14:15:29 -0700 (PDT)
Received: from mail2.ihtfp.org (mail2.ihtfp.org [IPv6:2001:4830:143:1::3a11]) by ietfa.amsl.com (Postfix) with ESMTP id 3FE6D1A077A for <oauth@ietf.org>; Mon, 12 May 2014 14:15:29 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail2.ihtfp.org (Postfix) with ESMTP id E203BE2034; Mon, 12 May 2014 17:15:22 -0400 (EDT)
Received: from mail2.ihtfp.org ([127.0.0.1]) by localhost (mail2.ihtfp.org [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 32044-10; Mon, 12 May 2014 17:15:21 -0400 (EDT)
Received: from mocana.ihtfp.org (unknown [IPv6:fe80::224:d7ff:fee7:8924]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mocana.ihtfp.org", Issuer "IHTFP Consulting Certification Authority" (verified OK)) by mail2.ihtfp.org (Postfix) with ESMTPS id A7D60E2031; Mon, 12 May 2014 17:15:20 -0400 (EDT)
Received: (from warlord@localhost) by mocana.ihtfp.org (8.14.7/8.14.7/Submit) id s4CLFI52026063; Mon, 12 May 2014 17:15:18 -0400
From: Derek Atkins <warlord@MIT.EDU>
To: Brian Campbell <bcampbell@pingidentity.com>
References: <CA+k3eCTZOheb0HCetS88EXcP-8LJQrYPRuwVcd4NWaWxUAVO1g@mail.gmail.com>
Date: Mon, 12 May 2014 17:15:17 -0400
In-Reply-To: <CA+k3eCTZOheb0HCetS88EXcP-8LJQrYPRuwVcd4NWaWxUAVO1g@mail.gmail.com> (Brian Campbell's message of "Fri, 9 May 2014 14:51:01 -0600")
Message-ID: <sjm4n0uk8be.fsf@mocana.ihtfp.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: Maia Mailguard 1.0.2a
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/8hQlUfpxKuo5_t0ezV-pliYCWv0
Cc: John Bradley <jbradley@pingidentity.com>, oauth <oauth@ietf.org>, Naveen Agarwal <naa@google.com>
Subject: Re: [OAUTH-WG] Question lengths in draft-sakimura-oauth-tcse-03
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 May 2014 21:15:31 -0000

Brian Campbell <bcampbell@pingidentity.com> writes:

> I notice that code_verifier is defined as "high entropy cryptographic random
> string of length less than 128 bytes"  [1], which brought a few questions and
> comments to mind. So here goes:
>
> Talking about the length of a string in terms of bytes is always potentially
> confusing. Maybe characters would be an easier unit for people like me to wrap
> their little brains around?

It depends if it really is characters or bytes.  For example there are
many multi-byte UTF-8 characters, so if it really is bytes then saying
characters is wrong because it could overflow.  So let's make sure we
know what we're talking about.  Historically, if we're talking bytes the
IETF often uses the phrase "octets".  Would that be less confusing?

> Why are we putting a length restriction on the code_verifier anyway? It seems
> like it'd be more appropriate to restrict the length of the code_challenge
> because that's the thing the AS will have to maintain somehow (store in a DB
> or memory or encrypt into the code). Am I missing something here?
>
> Let me also say that I hadn't looked at this document since its early days in
> draft -00 or -01 last summer but I like the changes and how it's been kept
> pretty simple for the common use-case while still allowing for crypto agility/
> extension. Nice work!
>
> [1] http://tools.ietf.org/html/draft-sakimura-oauth-tcse-03#section-3.3

-derek

> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available

v2.23.0 | Report a Bug | By Email