IETF Logo Mail Archive

Re: [OAUTH-WG] Defining a maximum token length?

Torsten Lodderstedt <torsten@lodderstedt.net> Wed, 10 March 2010 05:25 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4D6E33A6B53 for <oauth@core3.amsl.com>; Tue, 9 Mar 2010 21:25:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.249
X-Spam-Level:
X-Spam-Status: No, score=-3.249 tagged_above=-999 required=5 tests=[AWL=1.000, BAYES_00=-2.599, GB_I_LETTER=-2, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q3z14fKxtg5y for <oauth@core3.amsl.com>; Tue, 9 Mar 2010 21:25:52 -0800 (PST)
Received: from smtprelay02.ispgateway.de (smtprelay02.ispgateway.de [80.67.31.36]) by core3.amsl.com (Postfix) with ESMTP id DB7403A6B4B for <oauth@ietf.org>; Tue, 9 Mar 2010 21:25:51 -0800 (PST)
Received: from p4fff23f9.dip.t-dialin.net ([79.255.35.249] helo=[127.0.0.1]) by smtprelay02.ispgateway.de with esmtpa (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1NpEQd-0005N7-6i; Wed, 10 Mar 2010 06:25:55 +0100
Message-ID: <4B972D62.2000101@lodderstedt.net>
Date: Wed, 10 Mar 2010 06:25:54 +0100
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.1.8) Gecko/20100227 Thunderbird/3.0.3
MIME-Version: 1.0
To: Luke Shepard <lshepard@facebook.com>
References: <fd6741651003091550t5a464496r57aae9a60c516599@mail.gmail.com> <74caaad21003091623i8b7c343jc3bb806fe327492d@mail.gmail.com> <12ED1FAC-B9C6-47C1-AC01-AB33D110EF8C@gmail.com> <68f4a0e81003091824n5453cf4cp151f313de5fd9c5e@mail.gmail.com> <fd6741651003091916o4c3b3a3ao4dc7871ddf7df23b@mail.gmail.com> <74caaad21003091925x7aeac395uac5ad816c543771e@mail.gmail.com> <fd6741651003091950w682db38ct257caf2dfc8e5855@mail.gmail.com> <9FC57A38-0331-4A9E-B8F2-50BF79D348B0@gmail.com> <2F0FF21C-3D58-4F90-BDAC-EBAC89CCA9E9@facebook.com>
In-Reply-To: <2F0FF21C-3D58-4F90-BDAC-EBAC89CCA9E9@facebook.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Df-Sender: 141509
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Defining a maximum token length?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Mar 2010 05:25:53 -0000

Hi,
> Whoa- are we seriously saying we need more than 255 characters to encode a token? (By the way, that's 10^396 combinations, with letters and numbers.)
>
>    
yes. As I said, in our approach we put permissions and attributes into 
the tokens.
> Having short tokens makes the whole protocol much simpler, more approachable, easy to use for developers. I will push hard to keep them short and sweet.
>    
why make short tokens the protocol simpler?

regards,
Torsten.

v2.23.0 | Report a Bug | By Email