Re: [OAUTH-WG] SPOP - code verifier requirements

Nat Sakimura <sakimura@gmail.com> Wed, 15 October 2014 15:32 UTC

From: Nat Sakimura <sakimura@gmail.com>
Date: Thu, 16 Oct 2014 00:32:04 +0900
To: Chuck Mortimore <cmortimore@salesforce.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Nz9OlLMmyZD_GrLvpzTuUUN9Ehw
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] SPOP - code verifier requirements

Thanks. 

So, to be clear, are you base64url encoding when sending it over the wire, or is your code verifier created by base64url encoding the binary value so that you do not need to encode it when sending it over? 

=nat via iPhone

On Oct 16, 2014 00:27, Chuck Mortimore <cmortimore@salesforce.com> wrote:

> We went with base64url in our implementation
> 
>> On Tue, Oct 14, 2014 at 2:26 AM, Nat Sakimura <n-sakimura@nri.co.jp> wrote:
>> In his mail, Mike asked whether the code verifier is
>> a value that is sendable without transformation
>> as an HTTP parameter value, or if it needs to be
>> %-encoded when it is being sent.
>> 
>> We have several options here:
>> 
>> 1) Require that the code verifier be a base64url encoded string of a binary random value.
>> 
>> 2) Let the code verifier be a binary string and require it to be
>> either %-encoded or base64url encoded when it is sent.
>> In this case, which encoding should we use?
>> 
>> 3) Require the code verifier to conform to the following ABNF:
>> code_verifier = 16*128unreserved
>> unreserved    = ALPHA / DIGIT / "-" / "." / "_" / "~"
>> 
>> Which one do you guys prefer?
>> 
>> Nat
>> 
>> --
>> Nat Sakimura (n-sakimura@nri.co.jp)
>> Nomura Research Institute, Ltd.
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
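The three options in Nat's mail differ in what actually ends up on the wire. The block below is an added example, not code from the thread or from any participant's implementation: it generates a verifier per option 1, checks it against the option 3 ABNF quoted above, and answers Mike's question of whether a value survives transmission as an HTTP parameter without transformation. The sample bytes and function names are my own; the ABNF lengths are the thread's 16..128.

```python
import base64
import os
import re
import urllib.parse

# Option 3 from the thread, as a regex over the RFC 3986 "unreserved" set:
#   code_verifier = 16*128unreserved
#   unreserved    = ALPHA / DIGIT / "-" / "." / "_" / "~"
# (The published RFC 7636 later raised the minimum length to 43.)
UNRESERVED_RE = re.compile(r"[A-Za-z0-9\-._~]{16,128}")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Option 1: base64url-encode a random binary value, padding stripped.

    32 random bytes give 43 characters, all from the unreserved set.
    """
    return base64.urlsafe_b64encode(os.urandom(n_bytes)).rstrip(b"=").decode("ascii")


def is_valid_code_verifier(verifier: str) -> bool:
    """Option 3: does the string match the ABNF quoted in the thread?"""
    return UNRESERVED_RE.fullmatch(verifier) is not None


def needs_percent_encoding(value: str) -> bool:
    """Mike's question: would the value be altered when sent as an HTTP parameter?"""
    return urllib.parse.quote(value, safe="") != value


def compare_encodings(raw: bytes) -> dict:
    """Show how the same binary value fares under plain base64 vs base64url."""
    plain = base64.b64encode(raw).decode("ascii")  # may contain '+', '/', '='
    url = base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return {
        "base64": plain,
        "base64url": url,
        "base64_abnf_ok": is_valid_code_verifier(plain),
        "base64url_abnf_ok": is_valid_code_verifier(url),
        "base64_needs_pct": needs_percent_encoding(plain),
        "base64url_needs_pct": needs_percent_encoding(url),
    }


# Constructed sample: high byte values force '+' and '/' into plain base64
SAMPLE_RAW = bytes(range(248, 256)) * 4

if __name__ == "__main__":
    print(make_code_verifier())
    for key, value in compare_encodings(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

The comparison makes the practical point explicit: a padding-free base64url string is already within the option 3 alphabet and passes through a query string untouched, whereas plain base64 fails the ABNF and must be %-encoded.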