Re: [OAUTH-WG] OAuth token entropy

Oleg Gryb <oleg_gryb@yahoo.com> Fri, 02 November 2012 18:58 UTC

Message-ID: <1351882733.77358.YahooMailClassic@web121004.mail.ne1.yahoo.com>
Date: Fri, 02 Nov 2012 11:58:53 -0700
From: Oleg Gryb <oleg_gryb@yahoo.com>
To: Oleg Gryb <oleg@gryb.info>, Brian Campbell <bcampbell@pingidentity.com>
In-Reply-To: <CA+k3eCSQk0aZN-bCRD=G+gQO6hkFNwBGRS62RBT7Vqf_v1wskQ@mail.gmail.com>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth token entropy

Thanks, Brian. "Must" for 128 bits makes perfect sense. 160 bits looks good as a recommended entropy as well.

WG,

Please update the doc. It's important to provide clear guidelines for OAuth implementers, of whom there are many nowadays.

--- On Fri, 11/2/12, Brian Campbell <bcampbell@pingidentity.com> wrote:

From: Brian Campbell <bcampbell@pingidentity.com>
Subject: Re: [OAUTH-WG] OAuth token entropy
To: "Oleg Gryb" <oleg@gryb.info>
Cc: "Torsten Lodderstedt" <torsten@lodderstedt.net>, "oauth" <oauth@ietf.org>
Date: Friday, November 2, 2012, 2:19 PM

I believe the original text (which was borrowed from elsewhere) had a must followed by a should rather than two shoulds like that. The text seems to have drifted a bit in various places but the threat model text should probably be aligned with what's in core OAuth at http://tools.ietf.org/html/rfc6749#section-10.10

On Fri, Nov 2, 2012 at 10:16 AM, Oleg Gryb <oleg_gryb@yahoo.com> wrote:

Can somebody please provide clarification for this:

http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-05#section-5.1.4.2.2

5.1.4.2.2.  High entropy of secrets...
   The probability of any two Authorization Code
   values being identical should be less than or equal to 2^(-128) and
   should be less than or equal to 2^(-160).

Is there any reason why we have two inclusive conditions in this statement, or is it a typo and you meant something else?

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
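As an added example (not from the thread, the draft, or RFC 6749), the following Python shows what the 2^(-128) MUST and 2^(-160) SHOULD thresholds mean for an implementer: how many symbols a code needs for a given alphabet, how to generate it from a CSPRNG, and the birthday-bound caveat that the pairwise probability quoted in the spec does not cover. The alphabets and function names are this example's own choices.

```python
import math
import secrets
import string

# Thresholds as discussed in the thread (RFC 6749 section 10.10):
# pairwise collision probability MUST be <= 2^-128, SHOULD be <= 2^-160.
MUST_BITS = 128
SHOULD_BITS = 160

# Two common token alphabets (constructed for this example).
BASE64URL = string.ascii_letters + string.digits + "-_"   # 64 symbols, 6 bits each
HEX = "0123456789abcdef"                                  # 16 symbols, 4 bits each


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly (from a CSPRNG) out of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def min_length(alphabet_size: int, bits: int) -> int:
    """Shortest code length that carries at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def pairwise_collision_probability(bits: float) -> float:
    """Probability that two independently generated codes are identical (the spec's metric)."""
    return 2.0 ** (-bits)


def birthday_collision_probability(n_codes: int, bits: float) -> float:
    """Approximate probability of at least one collision among `n_codes` issued codes.

    The spec bounds the pairwise probability; across a large population of live
    codes the relevant figure is roughly n^2 / 2^(bits+1), so 128 bits gives
    about 2^-65 for 2^32 outstanding codes, still comfortably small.
    """
    return n_codes ** 2 / 2.0 ** (bits + 1)


def assess(alphabet_size: int, length: int) -> dict:
    """Report entropy of a code format and whether it meets the MUST / SHOULD levels."""
    bits = entropy_bits(alphabet_size, length)
    return {"bits": bits, "meets_must": bits >= MUST_BITS, "meets_should": bits >= SHOULD_BITS}


def generate_code(bits: int = SHOULD_BITS, alphabet: str = BASE64URL) -> str:
    """Generate an authorization code with at least `bits` of entropy using the CSPRNG."""
    n = min_length(len(alphabet), bits)
    return "".join(secrets.choice(alphabet) for _ in range(n))
```

Running `assess(64, 16)` on a 16-character base64url code reports 96 bits, which fails the MUST level; 22 characters reach 128 bits and 27 reach 160.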