IETF Logo Mail Archive

Re: [OAUTH-WG] Clarification request on draft-ietf-oauth-v2-23#section-10.10

Igor Faynberg <igor.faynberg@alcatel-lucent.com> Fri, 03 February 2012 00:37 UTC

Return-Path: <igor.faynberg@alcatel-lucent.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF53211E8072 for <oauth@ietfa.amsl.com>; Thu, 2 Feb 2012 16:37:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.884
X-Spam-Level:
X-Spam-Status: No, score=-8.884 tagged_above=-999 required=5 tests=[AWL=1.714, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uW5DiKt2yHfW for <oauth@ietfa.amsl.com>; Thu, 2 Feb 2012 16:37:05 -0800 (PST)
Received: from ihemail1.lucent.com (ihemail1.lucent.com [135.245.0.33]) by ietfa.amsl.com (Postfix) with ESMTP id D53B611E8071 for <oauth@ietf.org>; Thu, 2 Feb 2012 16:37:04 -0800 (PST)
Received: from usnavsmail1.ndc.alcatel-lucent.com (usnavsmail1.ndc.alcatel-lucent.com [135.3.39.9]) by ihemail1.lucent.com (8.13.8/IER-o) with ESMTP id q130b11E024937 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <oauth@ietf.org>; Thu, 2 Feb 2012 18:37:02 -0600 (CST)
Received: from umail.lucent.com (umail-ce2.ndc.lucent.com [135.3.40.63]) by usnavsmail1.ndc.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id q130b10w017637 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <oauth@ietf.org>; Thu, 2 Feb 2012 18:37:01 -0600
Received: from [135.244.18.27] (faynberg.lra.lucent.com [135.244.18.27]) by umail.lucent.com (8.13.8/TPES) with ESMTP id q130b1f9029739; Thu, 2 Feb 2012 18:37:01 -0600 (CST)
Message-ID: <4F2B2C2C.3010505@alcatel-lucent.com>
Date: Thu, 02 Feb 2012 19:37:00 -0500
From: Igor Faynberg <igor.faynberg@alcatel-lucent.com>
Organization: Alcatel-Lucent
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18) Gecko/20110616 Thunderbird/3.1.11
MIME-Version: 1.0
To: oauth@ietf.org
References: <CABzCy2B4Dxb8BJe=Z5Sd_n8779JExj0u8n+xH8i9ypuFuwOJeg@mail.gmail.com>
In-Reply-To: <CABzCy2B4Dxb8BJe=Z5Sd_n8779JExj0u8n+xH8i9ypuFuwOJeg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------070600050404010209000400"
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.33
X-Scanned-By: MIMEDefang 2.64 on 135.3.39.9
Subject: Re: [OAUTH-WG] Clarification request on draft-ietf-oauth-v2-23#section-10.10
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: igor.faynberg@alcatel-lucent.com
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Feb 2012 00:37:06 -0000

Nat,

Your note made me think (as always), so maybe some text clarification is 
indeed in order.

I have a slightly different understanding of the items you brought up.  
RFC 1750 is Informational, and I thought (maybe mistakenly?) that it 
cannot be used as a norm in a MUST clause.  Therefore, I assumed that 
the clause prescribes the use of /cryptographically-strong/ 
pseudo-random generators but stopped short of listing them.

The second item, I read as defining the strength, giving the necessary 
and desired bounds for a collision probability of two generated values.

Igor


On 2/2/2012 4:25 AM, Nat Sakimura wrote:
> hi.
>
> The rev. 23 has a normative change in section 10.10 as:
>
> 10.10.  Credentials Guessing Attacks
>    [...]
>   Generated tokens and other credentials not intended for handling by
>     end-users MUST be constructed from a cryptographically strong random
>     or pseudo-random number sequence ([RFC1750]) generated by the
>     authorization server.
>
> Does this normative requirement only allows pseudo-random number
> sequence described as in Section 6.3 of RFC1750?
> Or does it allow something that includes it? I gather that it is the later,
> but the wording "constructed from" sounds a little vague.
>
> It also states:
>
>   The probability of any two values being
>     identical MUST be less than or equal to 2^(-128) and SHOULD be less
>     than or equal to 2^(-160).
>
> It is "the probability that a randomly generated guessed value being
> identical to
> the authoritatively generated token or credential value", I suppose.
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email