Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The OAuth 2.0 Authorization Protocol: Bearer Tokens) to Proposed Standard
Eran Hammer <eran@hueniverse.com> Thu, 08 March 2012 02:15 UTC
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C301121E805E for <oauth@ietfa.amsl.com>; Wed, 7 Mar 2012 18:15:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.535
X-Spam-Level:
X-Spam-Status: No, score=-2.535 tagged_above=-999 required=5 tests=[AWL=0.064, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iZtLrgomX+Z5 for <oauth@ietfa.amsl.com>; Wed, 7 Mar 2012 18:15:14 -0800 (PST)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by ietfa.amsl.com (Postfix) with SMTP id 52DA521E8053 for <oauth@ietf.org>; Wed, 7 Mar 2012 18:15:14 -0800 (PST)
Received: (qmail 29307 invoked from network); 7 Mar 2012 23:39:53 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 7 Mar 2012 23:39:51 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Wed, 7 Mar 2012 16:18:25 -0700
From: Eran Hammer <eran@hueniverse.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Date: Wed, 07 Mar 2012 16:18:17 -0700
Thread-Topic: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The OAuth 2.0 Authorization Protocol: Bearer Tokens) to Proposed Standard
Thread-Index: AczlNNN25d70S7GxRlKDI7eb2HdniAXg6QXA
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723453AFCD4072@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <20120123154643.16223.44509.idtracker@ietfa.amsl.com> <4F1D8391.3080009@gmx.de> <4F1F3D84.1030300@gmx.de> <90C41DD21FB7C64BB94121FBBC2E723453AAB9682E@P3PW5EX1MB01.EX1.SECURESERVER.NET> <7D4DB9C9-7194-42A0-A573-4243FE27E512@ve7jtb.com>
In-Reply-To: <7D4DB9C9-7194-42A0-A573-4243FE27E512@ve7jtb.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Julian Reschke <julian.reschke@gmx.de>, "oauth@ietf.org" <oauth@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The OAuth 2.0 Authorization Protocol: Bearer Tokens) to Proposed Standard
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Mar 2012 02:15:14 -0000
New text: The probability of an attacker guessing generated tokens (and other credentials not intended for handling by end-users) MUST be less than or equal to 2^(-128) and SHOULD be less than or equal to 2^(-160). Removed reference to RFC 1750. EH > -----Original Message----- > From: John Bradley [mailto:ve7jtb@ve7jtb.com] > Sent: Monday, February 06, 2012 5:07 PM > To: Eran Hammer > Cc: Julian Reschke; ietf@ietf.org; The IESG; oauth@ietf.org > Subject: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The > OAuth 2.0 Authorization Protocol: Bearer Tokens) to Proposed Standard > > RE new text in Draft 23 > > http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-10.10 > > Generated tokens and other credentials not intended for handling by > end-users MUST be constructed from a cryptographically strong random > or pseudo-random number sequence ([RFC1750]) generated by the > authorization server. > > Given that many implementations may elect to use signed tokens, such as > SAML or JWT (JOSE) this should not be a MUST. > > Giving people sensible defaults such as the probability of an attacker > guessing a valid access token for the protected resource should be less than > 2^(-128). > > The probability of generating hash colisions randomly is a odd metric, 2^(- > 128) for a SHA256 as I recall. > Many factors play into what is secure, token lifetime etc. > > I don't mind some reasonable defaults but adding a requirement for > unstructured tokens is a bit much. > > Regards > John B. > >
- [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-bearer… The IESG
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Julian Reschke
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Mike Jones
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Julian Reschke
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Mark Nottingham
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Mike Jones
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Julian Reschke
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Mike Jones
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Mike Jones
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Mike Jones
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Mike Jones
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Julian Reschke
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Mike Jones
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Mike Jones
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Eran Hammer
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Julian Reschke
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Mike Jones
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Martin Rex
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Bjoern Hoehrmann
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Martin Rex
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Justin Richer
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Eran Hammer
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Eran Hammer
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… John Bradley
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… William Mills
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Peter Saint-Andre
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… John Bradley
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Eran Hammer
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… John Bradley
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-be… Eran Hammer