[OAUTH-WG] OAuth 2.0 Device Flow LC Comment (and OpenID Connect)

"Hollenbeck, Scott" <shollenbeck@verisign.com> Mon, 27 November 2017 14:32 UTC

From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "'oauth@ietf.org'" <oauth@ietf.org>
Thread-Topic: OAuth 2.0 Device Flow LC Comment (and OpenID Connect)
Thread-Index: AdNni6Noft1hu4gOT0W0OhL3sI0c9A==
Date: Mon, 27 Nov 2017 14:32:35 +0000
Message-ID: <831693C2CDA2E849A7D7A712B24E257F7F8F16EA@BRN1WNEXMBX01.vcorp.ad.vrsn.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/JUs_-Fpy7vNgf6LDY6mwGKMbn8I>
Subject: [OAUTH-WG] OAuth 2.0 Device Flow LC Comment (and OpenID Connect)

I have reviewed draft-ietf-oauth-device-flow-07. Just one comment regarding Section 5.1:

Would it be possible to suggest some minimally acceptable entropy value? The text says "The user code SHOULD have enough entropy that when combined with rate limiting makes a brute-force attack infeasible", but just how much entropy is enough?

A related question: the last call made me wonder if there are any plans to add a device flow for OpenID Connect. Does anyone know if such a thing is in the works?

Scott
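As an added worked example (not part of Scott's message or of the draft itself), here is the arithmetic behind the "how much entropy is enough" question: given the guess rate an attacker is left with after rate limiting, the lifetime of a user code and the number of codes pending at once, it computes the brute-force success probability and the minimum entropy needed to keep that probability under a chosen bound. The alphabet size, code length, guess rates and lifetimes below are assumptions picked for illustration, not values taken from the draft.

```python
import math


def code_space(alphabet_size: int, length: int) -> int:
    """Number of distinct user codes for a fixed-length code over an alphabet."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Entropy of a uniformly random code drawn from `space` possibilities."""
    return math.log2(space)


def brute_force_success_probability(space: int, guesses_per_second: float,
                                    code_lifetime_seconds: float,
                                    pending_codes: int = 1) -> float:
    """Probability that an attacker who can submit `guesses_per_second` guesses
    to the verification endpoint (after rate limiting) hits at least one of
    `pending_codes` valid codes before they expire.

    Model: each guess is an independent uniform draw from the code space, so
    a single guess succeeds with probability pending_codes / space. Computed
    via log1p/expm1 to stay accurate when that per-guess probability is tiny.
    """
    guesses = guesses_per_second * code_lifetime_seconds
    per_guess_miss = math.log1p(-pending_codes / space)
    return -math.expm1(guesses * per_guess_miss)


def min_entropy_bits(target_probability: float, guesses_per_second: float,
                     code_lifetime_seconds: float, pending_codes: int = 1) -> int:
    """Smallest whole number of entropy bits such that, by the union bound
    P(hit) <= guesses * pending_codes / space, the success probability stays
    at or below `target_probability`."""
    guesses = guesses_per_second * code_lifetime_seconds
    required_space = guesses * pending_codes / target_probability
    return math.ceil(math.log2(required_space))


if __name__ == "__main__":
    # Assumed code format: 8 characters from a 20-letter alphabet (~34.6 bits).
    space = code_space(20, 8)
    print(f"code space: {space} (~{entropy_bits(space):.1f} bits)")
    # Assumed attack: 1000 guesses/s across many clients, 10-minute lifetime,
    # 1000 codes pending at once at a busy authorization server.
    p = brute_force_success_probability(space, 1000, 600, pending_codes=1000)
    print(f"success probability per lifetime: {p:.4f}")
    print(f"bits needed for P <= 1e-6 at 10 guesses/s, 100 pending: "
          f"{min_entropy_bits(1e-6, 10, 600, pending_codes=100)}")
```

The `pending_codes` term matters in practice: an attacker does not need to hit one specific code, only any code currently awaiting approval, so a busy server needs more entropy (or tighter rate limiting) than a single-user calculation suggests.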