[OAUTH-WG] draft-ietf-oauth-spop-10
Hannes Tschofenig <hannes.tschofenig@gmx.net> Tue, 17 February 2015 16:58 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98F081A1BCC for <oauth@ietfa.amsl.com>; Tue, 17 Feb 2015 08:58:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vbodFHomK2No for <oauth@ietfa.amsl.com>; Tue, 17 Feb 2015 08:58:02 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 363FA1A1B85 for <oauth@ietf.org>; Tue, 17 Feb 2015 08:58:02 -0800 (PST)
Received: from [192.168.131.128] ([80.92.119.127]) by mail.gmx.com (mrgmx002) with ESMTPSA (Nemesis) id 0MKZLb-1YO2aJ2kI3-0023Lm; Tue, 17 Feb 2015 17:57:56 +0100
Message-ID: <54E372C1.8040204@gmx.net>
Date: Tue, 17 Feb 2015 17:56:33 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: ve7jtb@ve7jtb.com, naa@google.com, "n-sakimura@nri.co.jp >> Nat Sakimura" <n-sakimura@nri.co.jp>
OpenPGP: id=4D776BC9
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="m4PnsvKW2sWTU16K58s7P3b0tpSRUL8Dc"
X-Provags-ID: V03:K0:QLeWlWKcKXxwE0O+I7gmGOM0BRpahBh5tqPX6zN2Ldo+86nptDe Gn/BWaleD5/bS9wvRL7U8Hn8yPm5fNB1j2Rl+6O8GtKQcWlQlc/JezQ646ubDYaSHEBXYkU AUyq3Py7GiSWqnw9UgxnnFMMg6Vr7OwvH418ldHYH4CsSVvY5jfr5/CO9j8ga7cTzpRXGxl VA7WPj0n44TTmOxYgT/Mg==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/hSIRCsuc5dY36fzRhHTVuBaUEN8>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: [OAUTH-WG] draft-ietf-oauth-spop-10
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Feb 2015 16:58:04 -0000
Hi Nat, John, Naveen, thanks a lot for your work on the document. I still need responses to this mail to complete the shepherd writeup: http://www.ietf.org/mail-archive/web/oauth/current/msg14100.html I definitely need the IPR confirmation. It would also be helpful to have someone who implemented the specification as it currently is. I asked Brian and Thorsten for clarification regarding their statements that they implemented earlier versions of the spec. As a final remark I still believe that the text regarding the randomness is still a bit inconsistent. Here are two examples: 1) In the Security Consideration you write that "The security model relies on the fact that the code verifier is not learned or guessed by the attacker. It is vitally important to adhere to this principle. " 2) In Section 4.1 you, however, write: "NOTE: code verifier SHOULD have enough entropy to make it impractical to guess the value. It is RECOMMENDED that the output of a suitable random number generator be used to create a 32-octet sequence." There is clearly a long way from a SHOULD have enough entropy to the text in the security consideration section where you ask for 32 bytes entropy. It is also not clear why you ask for 32 bytes of entropy in particular. Ciao Hannes
- [OAUTH-WG] draft-ietf-oauth-spop-10 Hannes Tschofenig
- [OAUTH-WG] draft-ietf-oauth-spop-10 Hannes Tschofenig
- Re: [OAUTH-WG] draft-ietf-oauth-spop-10 Nat Sakimura
- Re: [OAUTH-WG] draft-ietf-oauth-spop-10 John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-spop-10 John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-spop-10 Hannes Tschofenig
- Re: [OAUTH-WG] draft-ietf-oauth-spop-10 Hannes Tschofenig
- Re: [OAUTH-WG] draft-ietf-oauth-spop-10 Nat Sakimura
- Re: [OAUTH-WG] draft-ietf-oauth-spop-10 Hannes Tschofenig
- Re: [OAUTH-WG] draft-ietf-oauth-spop-10 Nat Sakimura
- Re: [OAUTH-WG] draft-ietf-oauth-spop-10 torsten
- Re: [OAUTH-WG] draft-ietf-oauth-spop-10 Brian Campbell
- Re: [OAUTH-WG] draft-ietf-oauth-spop-10 John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-spop-10 Bill Mills
- Re: [OAUTH-WG] draft-ietf-oauth-spop-10 Brian Campbell
- Re: [OAUTH-WG] draft-ietf-oauth-spop-10 Hannes Tschofenig
- Re: [OAUTH-WG] draft-ietf-oauth-spop-10 Naveen Agarwal