Re: [OAUTH-WG] Clarification request on draft-ietf-oauth-v2-23#section-10.10
Igor Faynberg <igor.faynberg@alcatel-lucent.com> Fri, 03 February 2012 00:37 UTC
Return-Path: <igor.faynberg@alcatel-lucent.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF53211E8072 for <oauth@ietfa.amsl.com>; Thu, 2 Feb 2012 16:37:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.884
X-Spam-Level:
X-Spam-Status: No, score=-8.884 tagged_above=-999 required=5 tests=[AWL=1.714, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uW5DiKt2yHfW for <oauth@ietfa.amsl.com>; Thu, 2 Feb 2012 16:37:05 -0800 (PST)
Received: from ihemail1.lucent.com (ihemail1.lucent.com [135.245.0.33]) by ietfa.amsl.com (Postfix) with ESMTP id D53B611E8071 for <oauth@ietf.org>; Thu, 2 Feb 2012 16:37:04 -0800 (PST)
Received: from usnavsmail1.ndc.alcatel-lucent.com (usnavsmail1.ndc.alcatel-lucent.com [135.3.39.9]) by ihemail1.lucent.com (8.13.8/IER-o) with ESMTP id q130b11E024937 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <oauth@ietf.org>; Thu, 2 Feb 2012 18:37:02 -0600 (CST)
Received: from umail.lucent.com (umail-ce2.ndc.lucent.com [135.3.40.63]) by usnavsmail1.ndc.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id q130b10w017637 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <oauth@ietf.org>; Thu, 2 Feb 2012 18:37:01 -0600
Received: from [135.244.18.27] (faynberg.lra.lucent.com [135.244.18.27]) by umail.lucent.com (8.13.8/TPES) with ESMTP id q130b1f9029739; Thu, 2 Feb 2012 18:37:01 -0600 (CST)
Message-ID: <4F2B2C2C.3010505@alcatel-lucent.com>
Date: Thu, 02 Feb 2012 19:37:00 -0500
From: Igor Faynberg <igor.faynberg@alcatel-lucent.com>
Organization: Alcatel-Lucent
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18) Gecko/20110616 Thunderbird/3.1.11
MIME-Version: 1.0
To: oauth@ietf.org
References: <CABzCy2B4Dxb8BJe=Z5Sd_n8779JExj0u8n+xH8i9ypuFuwOJeg@mail.gmail.com>
In-Reply-To: <CABzCy2B4Dxb8BJe=Z5Sd_n8779JExj0u8n+xH8i9ypuFuwOJeg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------070600050404010209000400"
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.33
X-Scanned-By: MIMEDefang 2.64 on 135.3.39.9
Subject: Re: [OAUTH-WG] Clarification request on draft-ietf-oauth-v2-23#section-10.10
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: igor.faynberg@alcatel-lucent.com
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Feb 2012 00:37:06 -0000
Nat, Your note made me think (as always), so maybe some text clarification is indeed in order. I have a slightly different understanding of the items you brought up. RFC 1750 is Informational, and I thought (maybe mistakenly?) that it cannot be used as a norm in a MUST clause. Therefore, I assumed that the clause prescribes the use of /cryptographically-strong/ pseudo-random generators but stopped short of listing them. The second item, I read as defining the strength, giving the necessary and desired bounds for a collision probability of two generated values. Igor On 2/2/2012 4:25 AM, Nat Sakimura wrote: > hi. > > The rev. 23 has a normative change in section 10.10 as: > > 10.10. Credentials Guessing Attacks > [...] > Generated tokens and other credentials not intended for handling by > end-users MUST be constructed from a cryptographically strong random > or pseudo-random number sequence ([RFC1750]) generated by the > authorization server. > > Does this normative requirement only allows pseudo-random number > sequence described as in Section 6.3 of RFC1750? > Or does it allow something that includes it? I gather that it is the later, > but the wording "constructed from" sounds a little vague. > > It also states: > > The probability of any two values being > identical MUST be less than or equal to 2^(-128) and SHOULD be less > than or equal to 2^(-160). > > It is "the probability that a randomly generated guessed value being > identical to > the authoritatively generated token or credential value", I suppose. > > -- > Nat Sakimura (=nat) > Chairman, OpenID Foundation > http://nat.sakimura.org/ > @_nat_en > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Clarification request on draft-ietf-oa… Nat Sakimura
- Re: [OAUTH-WG] Clarification request on draft-iet… Igor Faynberg
- Re: [OAUTH-WG] Clarification request on draft-iet… Nat Sakimura
- Re: [OAUTH-WG] Clarification request on draft-iet… Torsten Lodderstedt
- Re: [OAUTH-WG] Clarification request on draft-iet… Nat Sakimura