Re: [OAUTH-WG] draft-ietf-oauth-spop-10

Naveen Agarwal <naa@google.com> Tue, 10 March 2015 18:33 UTC


> I definitely need the IPR confirmation.

I'm not aware of any IPR related to this draft.


On Tue, Feb 17, 2015 at 8:56 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

> Hi Nat, John, Naveen,
>
> thanks a lot for your work on the document.
>
> I still need responses to this mail to complete the shepherd writeup:
> http://www.ietf.org/mail-archive/web/oauth/current/msg14100.html
>
> I definitely need the IPR confirmation.
>
> It would also be helpful to have someone who implemented the
> specification as it currently is. I asked Brian and Thorsten for
> clarification regarding their statements that they implemented earlier
> versions of the spec.
>
> As a final remark I still believe that the text regarding the randomness
> is still a bit inconsistent. Here are two examples:
>
> 1) In the Security Consideration you write that "The security model
> relies on the fact that the code verifier is not learned or guessed by
> the attacker.  It is vitally important to adhere to this principle. "
>
> 2) In Section 4.1 you, however, write: "NOTE: code verifier SHOULD have
> enough entropy to make it impractical to guess the value.  It is
> RECOMMENDED that the output of a suitable random number generator be
> used to create a 32-octet sequence."
>
> There is clearly a long way from a SHOULD have enough entropy to the
> text in the security consideration section where you ask for 32 bytes
> of entropy.
>
> It is also not clear why you ask for 32 bytes of entropy in particular.
>
> Ciao
> Hannes
>
>
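The entropy question raised in the quoted mail comes down to how the code verifier is built and checked. The following is an added example (not code from the draft, the authors, or this thread) showing why 32 random octets is the natural figure: base64url-encoding them yields exactly the 43-character minimum verifier the draft allows, and the S256 challenge and token-endpoint check that go with it. Function names are hypothetical.

```python
"""PKCE (draft-ietf-oauth-spop) code verifier and S256 code challenge.

Hypothetical helper code written to illustrate the draft, not taken from it.
Shows that 32 random octets encode to the 43-character minimum verifier and
how the server checks a verifier against the challenge it stored.
"""
import base64
import hashlib
import hmac
import re
import secrets

# Verifier alphabet per the draft: ALPHA / DIGIT / "-" / "." / "_" / "~",
# with a length of 43 to 128 characters.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(data: bytes) -> str:
    """base64url encoding without '=' padding, as the draft specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(num_octets: int = 32) -> str:
    """Client side: draw num_octets from a CSPRNG and base64url-encode them.

    32 octets (256 bits) is the draft's RECOMMENDED amount; it encodes to
    ceil(256 / 6) = 43 characters, the minimum verifier length. Fewer
    octets would produce a verifier the server must reject as too short.
    """
    if num_octets < 32:
        raise ValueError("fewer than 32 octets yields a verifier under 43 chars")
    return b64url_nopad(secrets.token_bytes(num_octets))


def code_challenge_s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return b64url_nopad(digest)


def server_verify(code_verifier: str, stored_challenge: str) -> bool:
    """Token endpoint: reject malformed verifiers, then compare in constant time."""
    if not _VERIFIER_RE.match(code_verifier):
        return False  # wrong alphabet or outside the 43..128 length window
    expected = code_challenge_s256(code_verifier)
    return hmac.compare_digest(expected, stored_challenge)
```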