IETF Logo Mail Archive

Re: [OAUTH-WG] Question lengths in draft-sakimura-oauth-tcse-03

Naveen Agarwal <naa@google.com> Fri, 16 May 2014 17:11 UTC

Return-Path: <naa@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D43491A0273 for <oauth@ietfa.amsl.com>; Fri, 16 May 2014 10:11:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.029
X-Spam-Level:
X-Spam-Status: No, score=-2.029 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XOrpLtIpn9aQ for <oauth@ietfa.amsl.com>; Fri, 16 May 2014 10:11:33 -0700 (PDT)
Received: from mail-ie0-x22e.google.com (mail-ie0-x22e.google.com [IPv6:2607:f8b0:4001:c03::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95EAD1A00DF for <oauth@ietf.org>; Fri, 16 May 2014 10:11:33 -0700 (PDT)
Received: by mail-ie0-f174.google.com with SMTP id at1so2806186iec.19 for <oauth@ietf.org>; Fri, 16 May 2014 10:11:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=aOQrr7qNokbkkUftoa+3Yfpxtnp644SQqZqmFMXYjUU=; b=SGhO4YVm/z0mOgth2XmI1bAhKDzW3soiHC8zxWvfJ8TqwQUmMoB0VLKNFp+CbQlwlX 4PpBQrv7wcZ94MDY6vlCKKTp/YEevpTBpKNGGzIPQl2GDwTO+FRqkCYNCEZDFtD03TuA XK/jITiC6IfWnq8KPouE53m+DosODahEBPPXcgcDIjkHeqU+Cbt/2Tav5/MBRlro2z3W WJUQavY+Q92qz6SAav3vxAcsf1qHHFmw3UDBzsyLYqAfzeI6YfEMG/pz/Y9eDpS0tLlv ZC4HMtiwyehSplYjHOCB+aVpTl6CQ9coNrj2+3s3u899nTqXNgoSm7zZETfWJ+V4Ae5q ypqg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=aOQrr7qNokbkkUftoa+3Yfpxtnp644SQqZqmFMXYjUU=; b=SE3hVmXPrZ8DZPaNGDKwYTWrk9+qerEE12Au6rhY89Q3IWir8i/y1Jsxm41Kr1RToA AZEiqx+Dd2A5ogaMi+TpkZjxQPw2r78jR/g+tWFKQCxTCFM6U4SxRC+Us3FmlkblO/N1 nIWF7DMF/jaFIK4nnCDroD0RtCkOaxMfzrvKtn58VVFpqDXPMdmNhsoxFjW7NnYJPOSH ZVWFB7FW3tm6M1aaQJPHkwQm5TXQv3IkTodsro4I89UgjLcwYrD3o7V0rtxoVaX53IEA Emio43SIxhuLrCdDsbp7bxvIg6iokkJVgHzqH5NpK1Ua1oCg2fNgBCloW8mfm34qlKbg gWbw==
X-Gm-Message-State: ALoCoQki7dPqQIPbpt6iGvDk68qC5SsXZYha03b5eF3fUaJ3qBfAmj90nZDCM3afHY7nU+kXGbET
X-Received: by 10.43.141.81 with SMTP id jd17mr16672179icc.39.1400260285853; Fri, 16 May 2014 10:11:25 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.239.207 with HTTP; Fri, 16 May 2014 10:11:05 -0700 (PDT)
In-Reply-To: <CA+k3eCS=vt_WDpGYJ6LcsF_MO0GkoebH6NrQ--NTD0E20NOQ8A@mail.gmail.com>
References: <CA+k3eCTZOheb0HCetS88EXcP-8LJQrYPRuwVcd4NWaWxUAVO1g@mail.gmail.com> <sjm4n0uk8be.fsf@mocana.ihtfp.org> <21A361B0-4E8F-4DAB-9EEB-D48FBCBDFFED@ve7jtb.com> <CA+k3eCQJRymEDERy=3yvioetg-7Tz025gaZJ1FS4DYmkTGRhcQ@mail.gmail.com> <CA+k3eCTguJMR-94-KyfpT2_3kQZQQgH3QV6VwawPLoSnBxqVbQ@mail.gmail.com> <CABzCy2DvNsL79JHcR8LoNd1riaC9_KjTXBO1+xUTfCv2NHCOyA@mail.gmail.com> <CA+k3eCQLdfmY_q3Avjc-FKUUK-wq6gEP-j+YE85dkNnhr5=Y4w@mail.gmail.com> <CABzCy2DHTxv6W+u171ZrgBeL0NJZ0jkY33YVWDnsPhuCZfJ26g@mail.gmail.com> <E54A312A-F44C-4E13-9DD7-C47DC48CA805@ve7jtb.com> <CA+k3eCS=vt_WDpGYJ6LcsF_MO0GkoebH6NrQ--NTD0E20NOQ8A@mail.gmail.com>
From: Naveen Agarwal <naa@google.com>
Date: Fri, 16 May 2014 10:11:05 -0700
Message-ID: <CAOKiTbsBxAvZHGnm1k86EU5UPYvynBiHWZhDeJm21Y+rh58NGQ@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Content-Type: multipart/alternative; boundary="001a11c2d9c0ee88de04f98780c0"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/bxvQIas3ANrPi6b9tRmhKn9SGEU
X-Mailman-Approved-At: Fri, 16 May 2014 11:08:22 -0700
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Question lengths in draft-sakimura-oauth-tcse-03
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 May 2014 17:11:45 -0000

I think having a limit is much better (to increase compatibility) than not
having one.  If servers code developers will have to make a decision on the
length they should accept and they'll all select a different one and cause
issues.

Of course the browser URL size have limits and having much larger than 128
octets is not improving the security much.

Thanks

Naveen



On Fri, May 16, 2014 at 9:32 AM, Brian Campbell
<bcampbell@pingidentity.com>wrote:

> Yeah, I agree with John here. There are a few good reasons to restrict the
> length of the code_challenge. One is trying to keep the authorization
> request URI to reasonable size as it will eventually run into various
> limits on clients and/or servers. The other is constraining the amount of
> data that an AS needs to store per code.
>
>
>
>
> On Fri, May 16, 2014 at 7:41 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
>> From the AS side you probably want to know what the max size you need to
>> store per code.
>>
>> On the call to the token endpoint it is a POST so size should not be an
>> issue.
>>
>>
>> On May 16, 2014, at 3:10 PM, Nat Sakimura <sakimura@gmail.com> wrote:
>>
>> Now that I cannot remember what limit we were hitting, it might be a good
>> idea to remove the constraint and see if anyone protests.
>>
>> What do you think?
>>
>> Nat
>>
>>
>> 2014-05-14 20:46 GMT+09:00 Brian Campbell <bcampbell@pingidentity.com>:
>>
>>> That too would suggest that the length limit be on code_challenge
>>> because that's the parameter that will be on URIs getting passed around.
>>> The code_verifier is sent directly in the POST body from client to AS.
>>>
>>>
>>> On Tue, May 13, 2014 at 12:52 AM, Nat Sakimura <sakimura@gmail.com>wrote:
>>>
>>>> +1 for octet. We used to have "bytes" in JW* so I used "bytes" here,
>>>> while at the same time complaining in Jose that it should be "octet". JW*
>>>> changed to "octet" but I failed to sync with it in the last few edits.
>>>>
>>>> I do not quite remember which platform, but the reason for the limit
>>>> was that some platform had some limitations as to the length of the sting
>>>> to be passed to it through URI and we did not want the challenges to be
>>>> truncated by that limit.
>>>>
>>>> Best,
>>>>
>>>> Nat
>>>>
>>>>
>>>> 2014-05-13 6:56 GMT+09:00 Brian Campbell <bcampbell@pingidentity.com>:
>>>>
>>>> And it'd give the AS some direct guidance on protecting itself from
>>>>> crazy long code_challenge values rather than relying on the client not to
>>>>> do something creative.
>>>>>
>>>>>
>>>>> On Mon, May 12, 2014 at 3:54 PM, Brian Campbell <
>>>>> bcampbell@pingidentity.com> wrote:
>>>>>
>>>>>> Right but that's why I'm asking why not just put the limit on
>>>>>> code_challange rather than inferring it from code_verifyer + challenge
>>>>>> algorithm, which probably bounds it but doesn't necessarily do so? It's not
>>>>>> a big deal but would read more clearly, I think.
>>>>>>
>>>>>>
>>>>>> On Mon, May 12, 2014 at 3:48 PM, John Bradley <ve7jtb@ve7jtb.com>wrote:
>>>>>>
>>>>>>> I think octets is more consistent with other JW* and OAuth specs.
>>>>>>>
>>>>>>> The code_challange is the same length as the code_verifyer or is a
>>>>>>> hash of the code_verifyer so likely smaller than 128octets (43 ish for
>>>>>>> base64 256 bit)
>>>>>>>
>>>>>>> Limiting the code_verifyer size sets the upper bound for
>>>>>>> code_challange, unless someone comes up with a really creative code
>>>>>>> challenge algorithm.
>>>>>>>
>>>>>>> I will talk to nat about changing it to octets when I see him
>>>>>>> tomorrow.
>>>>>>>
>>>>>>> John B.
>>>>>>>
>>>>>>> On May 12, 2014, at 11:15 PM, Derek Atkins <warlord@MIT.EDU> wrote:
>>>>>>>
>>>>>>> > Brian Campbell <bcampbell@pingidentity.com> writes:
>>>>>>> >
>>>>>>> >> I notice that code_verifier is defined as "high entropy
>>>>>>> cryptographic random
>>>>>>> >> string of length less than 128 bytes"  [1], which brought a few
>>>>>>> questions and
>>>>>>> >> comments to mind. So here goes:
>>>>>>> >>
>>>>>>> >> Talking about the length of a string in terms of bytes is always
>>>>>>> potentially
>>>>>>> >> confusing. Maybe characters would be an easier unit for people
>>>>>>> like me to wrap
>>>>>>> >> their little brains around?
>>>>>>> >
>>>>>>> > It depends if it really is characters or bytes.  For example there
>>>>>>> are
>>>>>>> > many multi-byte UTF-8 characters, so if it really is bytes then
>>>>>>> saying
>>>>>>> > characters is wrong because it could overflow.  So let's make sure
>>>>>>> we
>>>>>>> > know what we're talking about.  Historically, if we're talking
>>>>>>> bytes the
>>>>>>> > IETF often uses the phrase "octets".  Would that be less confusing?
>>>>>>> >
>>>>>>> >> Why are we putting a length restriction on the code_verifier
>>>>>>> anyway? It seems
>>>>>>> >> like it'd be more appropriate to restrict the length of the
>>>>>>> code_challenge
>>>>>>> >> because that's the thing the AS will have to maintain somehow
>>>>>>> (store in a DB
>>>>>>> >> or memory or encrypt into the code). Am I missing something here?
>>>>>>> >>
>>>>>>> >> Let me also say that I hadn't looked at this document since its
>>>>>>> early days in
>>>>>>> >> draft -00 or -01 last summer but I like the changes and how it's
>>>>>>> been kept
>>>>>>> >> pretty simple for the common use-case while still allowing for
>>>>>>> crypto agility/
>>>>>>> >> extension. Nice work!
>>>>>>> >>
>>>>>>> >> [1]
>>>>>>> http://tools.ietf.org/html/draft-sakimura-oauth-tcse-03#section-3.3
>>>>>>> >
>>>>>>> > -derek
>>>>>>> >
>>>>>>> >> _______________________________________________
>>>>>>> >> OAuth mailing list
>>>>>>> >> OAuth@ietf.org
>>>>>>> >> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>> >
>>>>>>> > --
>>>>>>> >       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>>>>>>> >       Member, MIT Student Information Processing Board  (SIPB)
>>>>>>> >       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>>>>>>> >       warlord@MIT.EDU                        PGP key available
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>>    [image: Ping Identity logo] <https://www.pingidentity.com/>
>>>>>> Brian Campbell
>>>>>> Portfolio Architect
>>>>>>   @ bcampbell@pingidentity.com  [image: phone] +1 720.317.2061  Connect
>>>>>> with us…  [image: twitter logo] <https://twitter.com/pingidentity> [image:
>>>>>> youtube logo] <https://www.youtube.com/user/PingIdentityTV> [image:
>>>>>> LinkedIn logo] <https://www.linkedin.com/company/21870> [image:
>>>>>> Facebook logo] <https://www.facebook.com/pingidentitypage> [image:
>>>>>> Google+ logo] <https://plus.google.com/u/0/114266977739397708540> [image:
>>>>>> slideshare logo] <http://www.slideshare.net/PingIdentity> [image:
>>>>>> flipboard logo] <http://flip.it/vjBF7> [image: rss feed icon]<https://www.pingidentity.com/blogs/>
>>>>>>    [image: Register for Cloud Identity Summit 2014 | Modern Identity
>>>>>> Revolution | 19–23 July, 2014 | Monterey, CA]<https://www.cloudidentitysummit.com/>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>    [image: Ping Identity logo] <https://www.pingidentity.com/>
>>>>> Brian Campbell
>>>>> Portfolio Architect
>>>>>   @ bcampbell@pingidentity.com  [image: phone] +1 720.317.2061  Connect
>>>>> with us…  [image: twitter logo] <https://twitter.com/pingidentity> [image:
>>>>> youtube logo] <https://www.youtube.com/user/PingIdentityTV> [image:
>>>>> LinkedIn logo] <https://www.linkedin.com/company/21870> [image:
>>>>> Facebook logo] <https://www.facebook.com/pingidentitypage> [image:
>>>>> Google+ logo] <https://plus.google.com/u/0/114266977739397708540> [image:
>>>>> slideshare logo] <http://www.slideshare.net/PingIdentity> [image:
>>>>> flipboard logo] <http://flip.it/vjBF7> [image: rss feed icon]<https://www.pingidentity.com/blogs/>
>>>>>    [image: Register for Cloud Identity Summit 2014 | Modern Identity
>>>>> Revolution | 19–23 July, 2014 | Monterey, CA]<https://www.cloudidentitysummit.com/>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Nat Sakimura (=nat)
>>>> Chairman, OpenID Foundation
>>>> http://nat.sakimura.org/
>>>> @_nat_en
>>>>
>>>
>>>
>>>
>>> --
>>>    [image: Ping Identity logo] <https://www.pingidentity.com/>
>>> Brian Campbell
>>> Portfolio Architect
>>>   @ bcampbell@pingidentity.com  [image: phone] +1 720.317.2061  Connect
>>> with us…  [image: twitter logo] <https://twitter.com/pingidentity> [image:
>>> youtube logo] <https://www.youtube.com/user/PingIdentityTV> [image:
>>> LinkedIn logo] <https://www.linkedin.com/company/21870> [image:
>>> Facebook logo] <https://www.facebook.com/pingidentitypage> [image:
>>> Google+ logo] <https://plus.google.com/u/0/114266977739397708540> [image:
>>> slideshare logo] <http://www.slideshare.net/PingIdentity> [image:
>>> flipboard logo] <http://flip.it/vjBF7> [image: rss feed icon]<https://www.pingidentity.com/blogs/>
>>>    [image: Register for Cloud Identity Summit 2014 | Modern Identity
>>> Revolution | 19–23 July, 2014 | Monterey, CA]<https://www.cloudidentitysummit.com/>
>>>
>>>
>>
>>
>> --
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/
>> @_nat_en
>>
>>
>>
>

v2.23.0 | Report a Bug | By Email