[OAUTH-WG] draft-ietf-oauth-spop-10

Hannes Tschofenig <hannes.tschofenig@gmx.net> Tue, 17 February 2015 16:58 UTC

To: ve7jtb@ve7jtb.com, naa@google.com, "n-sakimura@nri.co.jp >> Nat Sakimura" <n-sakimura@nri.co.jp>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/hSIRCsuc5dY36fzRhHTVuBaUEN8>

Hi Nat, John, Naveen,

thanks a lot for your work on the document.

I still need responses to this mail to complete the shepherd writeup:

I definitely need the IPR confirmation.

It would also be helpful to have someone who implemented the
specification as it currently is. I asked Brian and Thorsten for
clarification regarding their statements that they implemented earlier
versions of the spec.

As a final remark I still believe that the text regarding the randomness
is still a bit inconsistent. Here are two examples:

1) In the Security Consideration you write that "The security model
relies on the fact that the code verifier is not learned or guessed by
the attacker.  It is vitally important to adhere to this principle. "

2) In Section 4.1 you, however, write: "NOTE: code verifier SHOULD have
enough entropy to make it impractical to guess the value.  It is
RECOMMENDED that the output of a suitable random number generator be
used to create a 32-octet sequence."

There is clearly a long way from a SHOULD have enough entropy to the
text in the security consideration section where you ask for 32 bytes.

It is also not clear why you ask for 32 bytes of entropy in particular.
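
For reference, the 32-octet recommendation quoted above written out as code. This is an added example, not part of the original message or of the draft. The function names are hypothetical, and the S256 transform and the 43-128 character verifier syntax are taken from RFC 7636, the published form of this draft, so they are an assumption relative to the -10 text.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Verifier syntax per RFC 7636: 43-128 characters from the unreserved set.
# Passing this check says nothing about how the value was generated.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def b64url(data: bytes) -> str:
    """Base64url-encode without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(n_octets: int = 32) -> str:
    """Client side: build a verifier from n_octets of CSPRNG output.

    32 octets encode to 43 characters (the minimum length) and 96 octets
    to 128 characters (the maximum), so other sizes are rejected rather
    than silently weakened or made unparseable.
    """
    if not 32 <= n_octets <= 96:
        raise ValueError("n_octets must be between 32 and 96")
    return b64url(secrets.token_bytes(n_octets))


def s256_challenge(verifier: str) -> str:
    """Client side: challenge sent with the authorization request."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verifier_matches(verifier: str, stored_challenge: str) -> bool:
    """Server side: check the verifier presented at the token endpoint."""
    if not _VERIFIER_RE.fullmatch(verifier):
        return False
    # Constant-time comparison of the recomputed and stored challenge.
    return hmac.compare_digest(s256_challenge(verifier), stored_challenge)


def guess_space_bits(n_octets: int) -> int:
    """Bits an attacker must guess if every octet is uniformly random."""
    return 8 * n_octets
```

The server can enforce only the syntax of the verifier; whether it came from a suitable random number generator is a property of the client, which is where the SHOULD in Section 4.1 applies.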