IETF Logo Mail Archive

Re: [OAUTH-WG] Question lengths in draft-sakimura-oauth-tcse-03

Nat Sakimura <sakimura@gmail.com> Tue, 13 May 2014 06:52 UTC

Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D29781A0828 for <oauth@ietfa.amsl.com>; Mon, 12 May 2014 23:52:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w20uycTZgeWJ for <oauth@ietfa.amsl.com>; Mon, 12 May 2014 23:52:32 -0700 (PDT)
Received: from mail-lb0-x232.google.com (mail-lb0-x232.google.com [IPv6:2a00:1450:4010:c04::232]) by ietfa.amsl.com (Postfix) with ESMTP id 79FA21A07EE for <oauth@ietf.org>; Mon, 12 May 2014 23:52:31 -0700 (PDT)
Received: by mail-lb0-f178.google.com with SMTP id w7so8125654lbi.23 for <oauth@ietf.org>; Mon, 12 May 2014 23:52:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=lMvzJOCLS97iN1gCUFeQ5AzSZ3syMRJ40buSKTwqgOI=; b=NZgy91hSVEoC7GhVU16jPoctGEXMZbFG2mfoJ9C7XB/zXFcPLszn05TYF+G8gSpI2v Bss19eTBpNwxdwZbRWZvP3frisPHTDlAGB9qjdZ4ajZCnirKnvggHulxrR3+qeIKq1sP nMDV4cL4UybfLvDpsSsptuY+/pfwUNYVdWXTg/C4FEDmAw5Pq//dKUGGHu8hgnFDRAnN Bihn68Lo0QRVZ2fhraFdw9r8D+fEKdFSYS9KfLJoxGt3ScrWufky9lkjj4+8FGzcaNmV iAJir5TwTslfnMWrY2vjZT/zMGbiXwyscqETI+2cRJESei0bSjTKpXI/aqp4F5tU0Nys lBew==
MIME-Version: 1.0
X-Received: by 10.152.29.133 with SMTP id k5mr669900lah.44.1399963944450; Mon, 12 May 2014 23:52:24 -0700 (PDT)
Received: by 10.112.105.134 with HTTP; Mon, 12 May 2014 23:52:24 -0700 (PDT)
In-Reply-To: <CA+k3eCTguJMR-94-KyfpT2_3kQZQQgH3QV6VwawPLoSnBxqVbQ@mail.gmail.com>
References: <CA+k3eCTZOheb0HCetS88EXcP-8LJQrYPRuwVcd4NWaWxUAVO1g@mail.gmail.com> <sjm4n0uk8be.fsf@mocana.ihtfp.org> <21A361B0-4E8F-4DAB-9EEB-D48FBCBDFFED@ve7jtb.com> <CA+k3eCQJRymEDERy=3yvioetg-7Tz025gaZJ1FS4DYmkTGRhcQ@mail.gmail.com> <CA+k3eCTguJMR-94-KyfpT2_3kQZQQgH3QV6VwawPLoSnBxqVbQ@mail.gmail.com>
Date: Tue, 13 May 2014 15:52:24 +0900
Message-ID: <CABzCy2DvNsL79JHcR8LoNd1riaC9_KjTXBO1+xUTfCv2NHCOyA@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Content-Type: multipart/alternative; boundary="089e0158c8589b81f804f94281ae"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/XHgHcBFNhU5bPATxzMgmMLwqcGQ
Cc: oauth <oauth@ietf.org>, Naveen Agarwal <naa@google.com>
Subject: Re: [OAUTH-WG] Question lengths in draft-sakimura-oauth-tcse-03
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 May 2014 06:52:35 -0000

+1 for octet. We used to have "bytes" in JW* so I used "bytes" here, while
at the same time complaining in Jose that it should be "octet". JW* changed
to "octet" but I failed to sync with it in the last few edits.

I do not quite remember which platform, but the reason for the limit was
that some platform had some limitations as to the length of the sting to be
passed to it through URI and we did not want the challenges to be truncated
by that limit.

Best,

Nat


2014-05-13 6:56 GMT+09:00 Brian Campbell <bcampbell@pingidentity.com>:

> And it'd give the AS some direct guidance on protecting itself from crazy
> long code_challenge values rather than relying on the client not to do
> something creative.
>
>
> On Mon, May 12, 2014 at 3:54 PM, Brian Campbell <
> bcampbell@pingidentity.com> wrote:
>
>> Right but that's why I'm asking why not just put the limit on
>> code_challange rather than inferring it from code_verifyer + challenge
>> algorithm, which probably bounds it but doesn't necessarily do so? It's not
>> a big deal but would read more clearly, I think.
>>
>>
>> On Mon, May 12, 2014 at 3:48 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>
>>> I think octets is more consistent with other JW* and OAuth specs.
>>>
>>> The code_challange is the same length as the code_verifyer or is a hash
>>> of the code_verifyer so likely smaller than 128octets (43 ish for base64
>>> 256 bit)
>>>
>>> Limiting the code_verifyer size sets the upper bound for code_challange,
>>> unless someone comes up with a really creative code challenge algorithm.
>>>
>>> I will talk to nat about changing it to octets when I see him tomorrow.
>>>
>>> John B.
>>>
>>> On May 12, 2014, at 11:15 PM, Derek Atkins <warlord@MIT.EDU> wrote:
>>>
>>> > Brian Campbell <bcampbell@pingidentity.com> writes:
>>> >
>>> >> I notice that code_verifier is defined as "high entropy cryptographic
>>> random
>>> >> string of length less than 128 bytes"  [1], which brought a few
>>> questions and
>>> >> comments to mind. So here goes:
>>> >>
>>> >> Talking about the length of a string in terms of bytes is always
>>> potentially
>>> >> confusing. Maybe characters would be an easier unit for people like
>>> me to wrap
>>> >> their little brains around?
>>> >
>>> > It depends if it really is characters or bytes.  For example there are
>>> > many multi-byte UTF-8 characters, so if it really is bytes then saying
>>> > characters is wrong because it could overflow.  So let's make sure we
>>> > know what we're talking about.  Historically, if we're talking bytes
>>> the
>>> > IETF often uses the phrase "octets".  Would that be less confusing?
>>> >
>>> >> Why are we putting a length restriction on the code_verifier anyway?
>>> It seems
>>> >> like it'd be more appropriate to restrict the length of the
>>> code_challenge
>>> >> because that's the thing the AS will have to maintain somehow (store
>>> in a DB
>>> >> or memory or encrypt into the code). Am I missing something here?
>>> >>
>>> >> Let me also say that I hadn't looked at this document since its early
>>> days in
>>> >> draft -00 or -01 last summer but I like the changes and how it's been
>>> kept
>>> >> pretty simple for the common use-case while still allowing for crypto
>>> agility/
>>> >> extension. Nice work!
>>> >>
>>> >> [1]
>>> http://tools.ietf.org/html/draft-sakimura-oauth-tcse-03#section-3.3
>>> >
>>> > -derek
>>> >
>>> >> _______________________________________________
>>> >> OAuth mailing list
>>> >> OAuth@ietf.org
>>> >> https://www.ietf.org/mailman/listinfo/oauth
>>> >
>>> > --
>>> >       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>>> >       Member, MIT Student Information Processing Board  (SIPB)
>>> >       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>>> >       warlord@MIT.EDU                        PGP key available
>>>
>>>
>>
>>
>> --
>>    [image: Ping Identity logo] <https://www.pingidentity.com/>
>> Brian Campbell
>> Portfolio Architect
>>   @ bcampbell@pingidentity.com  [image: phone] +1 720.317.2061  Connect
>> with us…  [image: twitter logo] <https://twitter.com/pingidentity> [image:
>> youtube logo] <https://www.youtube.com/user/PingIdentityTV> [image:
>> LinkedIn logo] <https://www.linkedin.com/company/21870> [image: Facebook
>> logo] <https://www.facebook.com/pingidentitypage> [image: Google+ logo]<https://plus.google.com/u/0/114266977739397708540> [image:
>> slideshare logo] <http://www.slideshare.net/PingIdentity> [image:
>> flipboard logo] <http://flip.it/vjBF7> [image: rss feed icon]<https://www.pingidentity.com/blogs/>
>>    [image: Register for Cloud Identity Summit 2014 | Modern Identity
>> Revolution | 19–23 July, 2014 | Monterey, CA]<https://www.cloudidentitysummit.com/>
>>
>>
>
>
> --
>    [image: Ping Identity logo] <https://www.pingidentity.com/>
> Brian Campbell
> Portfolio Architect
>   @ bcampbell@pingidentity.com  [image: phone] +1 720.317.2061  Connect
> with us…  [image: twitter logo] <https://twitter.com/pingidentity> [image:
> youtube logo] <https://www.youtube.com/user/PingIdentityTV> [image:
> LinkedIn logo] <https://www.linkedin.com/company/21870> [image: Facebook
> logo] <https://www.facebook.com/pingidentitypage> [image: Google+ logo]<https://plus.google.com/u/0/114266977739397708540> [image:
> slideshare logo] <http://www.slideshare.net/PingIdentity> [image:
> flipboard logo] <http://flip.it/vjBF7> [image: rss feed icon]<https://www.pingidentity.com/blogs/>
>    [image: Register for Cloud Identity Summit 2014 | Modern Identity
> Revolution | 19–23 July, 2014 | Monterey, CA]<https://www.cloudidentitysummit.com/>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

v2.23.0 | Report a Bug | By Email