Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-spop-09.txt

"Manger, James" <> Thu, 05 February 2015 01:44 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id E47ED1A00BF for <>; Wed, 4 Feb 2015 17:44:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.498
X-Spam-Status: No, score=0.498 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RCVD_IN_DNSWL_LOW=-0.7, RELAY_IS_203=0.994] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id xZOh_jfMLOvF for <>; Wed, 4 Feb 2015 17:44:08 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id E3AC21A000D for <>; Wed, 4 Feb 2015 17:44:06 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.09,521,1418043600"; d="scan'208";a="68305842"
Received: from unknown (HELO ([]) by with ESMTP; 05 Feb 2015 12:17:45 +1100
X-IronPort-AV: E=McAfee;i="5600,1067,7702"; a="331952063"
Received: from ([]) by with ESMTP; 05 Feb 2015 12:43:43 +1100
Received: from ([]) by ([]) with mapi; Thu, 5 Feb 2015 12:43:42 +1100
From: "Manger, James" <>
To: "" <>
Date: Thu, 05 Feb 2015 12:43:41 +1100
Thread-Topic: [OAUTH-WG] I-D Action: draft-ietf-oauth-spop-09.txt
Thread-Index: AdBA1AEYXq7rjRewS0OREYk72TcMvgAAIblA
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US, en-AU
Content-Language: en-US
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-spop-09.txt
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 05 Feb 2015 01:44:10 -0000

>     Title           : Proof Key for Code Exchange by OAuth Public Clients
> 	Filename        : draft-ietf-oauth-spop-09.txt

Some nits on this draft:

1. 42 chars.
The lower limit of 42 chars for code_verifier: is not mentioned in prose (just the upper limit); is too high (128-bits=22-chars is sufficient); and doesn't correspond to 256-bits (BASE64URL-ENCODE(32 bytes) gives 43 chars, not 42).

Quotes around "code_verifier" and "code_challenge" in prose are okay, though not really necessary as the underscore is enough to distinguish them as technical labels. Quotes around these terms in formula is bad as it looks like the formula applies to the 13 or 14 chars of the label. The quoting is also used inconsistently.
Suggestion: remove all quotes around "code_verifier" and "code_challenge" in prose and formula.
For example, change ASCII("code_verifier") to ASCII(code_verifier).

Two ways to check code_verifier are given in appendix B, whereas only one of these is mentioned in section 4.6.
  SHA256(verifier) === B64-DECODE(challenge)
  B64-ENCODE(SHA256(verifier)) === challenge

I suggest only mentioning the 2nd (change 4.6 to use the 2nd, and drop the 1st from appendix B). It is simpler to mention only one. It also means base64url-decoding is never done, and doesn't need to be mentioned in the spec.

Expand "MTI" to "mandatory to implement".

P.S. Suggesting code challenge method names not exceed 8 chars to be compact is a bit perverse given the field holding these values has the long name "code_challenge_method" ;)

James Manger