Re: [OAUTH-WG] draft-ietf-oauth-spop-10

Hannes Tschofenig <hannes.tschofenig@gmx.net> Tue, 10 March 2015 22:42 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 158581A9051 for <oauth@ietfa.amsl.com>; Tue, 10 Mar 2015 15:42:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0SGYswyoSmv7 for <oauth@ietfa.amsl.com>; Tue, 10 Mar 2015 15:42:40 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0B241A8F46 for <oauth@ietf.org>; Tue, 10 Mar 2015 15:42:39 -0700 (PDT)
Received: from [192.168.10.132] ([208.85.208.52]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0MfjJY-1Y8HfH0sQm-00NBaj; Tue, 10 Mar 2015 23:42:31 +0100
Message-ID: <54FF733E.4090907@gmx.net>
Date: Tue, 10 Mar 2015 23:42:06 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: Naveen Agarwal <naa@google.com>
References: <54E372C1.8040204@gmx.net> <CAOKiTbtVq5oXRHFBR=wBwOptmVwie6reKqZZi-GHOmf_hcZ_fg@mail.gmail.com>
In-Reply-To: <CAOKiTbtVq5oXRHFBR=wBwOptmVwie6reKqZZi-GHOmf_hcZ_fg@mail.gmail.com>
OpenPGP: id=4D776BC9
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="8uLicGnNm17ik5v6MlNtr8l9Qtghfk5ML"
X-Provags-ID: V03:K0:BavFJJ+32phqHFZ4C172G8KYHxzBzbsJEaVDPuPvPuvV6xNte7Q pNSOC8mzgQOFjFJcGIhYqe20igp0EkSUz47NUg/3xlJ7nAA70WYPeGZeD1BTMvCQv68S/S2 k6YmmL0Slx6e8TbAJ2AgReb5vmf4bi2XMvn74dQKIguC4jkORQFnG2rdV4UgyWy0lmKX01v LFlewcQJZxi6yCbDE8G3A==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/hmWahfZwdcsBWfYXKIMukHhsrW0>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-spop-10
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2015 22:42:42 -0000

Thanks, Naveen!

I will complete my shepherd write-up with this information.

Ciao
Hannes

On 03/10/2015 07:33 PM, Naveen Agarwal wrote:
> 
>     I definitely need the IPR confirmation.
> 
> 
> 
> I'm not aware of any IPR related tho this draft.
> 
> 
> On Tue, Feb 17, 2015 at 8:56 AM, Hannes Tschofenig
> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
> 
>     Hi Nat, John, Naveen,
> 
>     thanks a lot for your work on the document.
> 
>     I still need responses to this mail to complete the shepherd writeup:
>     http://www.ietf.org/mail-archive/web/oauth/current/msg14100.html
> 
>     I definitely need the IPR confirmation.
> 
>     It would also be helpful to have someone who implemented the
>     specification as it currently is. I asked Brian and Thorsten for
>     clarification regarding their statements that they implemented earlier
>     versions of the spec.
> 
>     As a final remark I still believe that the text regarding the randomness
>     is still a bit inconsistent. Here are two examples:
> 
>     1) In the Security Consideration you write that "The security model
>     relies on the fact that the code verifier is not learned or guessed by
>     the attacker.  It is vitally important to adhere to this principle. "
> 
>     2) In Section 4.1 you, however, write: "NOTE: code verifier SHOULD have
>     enough entropy to make it impractical to guess the value.  It is
>     RECOMMENDED that the output of a suitable random number generator be
>     used to create a 32-octet sequence."
> 
>     There is clearly a long way from a SHOULD have enough entropy to the
>     text in the security consideration section where you ask for 32 bytes
>     entropy.
> 
>     It is also not clear why you ask for 32 bytes of entropy in particular.
> 
>     Ciao
>     Hannes
> 
>