Re: [OAUTH-WG] SPOP - code verifier requirements
Sergey Beryozkin <sberyozkin@gmail.com> Wed, 15 October 2014 20:12 UTC
Message-ID: <543ED519.3080902@gmail.com>
Date: Wed, 15 Oct 2014 21:12:09 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
To: oauth@ietf.org
References: <20141014182611.dd6598cc163e9c640d4167fd@nri.co.jp> <CA+wnMn9Fs3FsNKN2FP_2c=NbeFepgjJaK=+QE2U8--uaLNvuZQ@mail.gmail.com> <A2C25784-D36C-4783-B541-D1ADF621FCDE@gmail.com> <-1123724406662361791@unknownmsgid>
In-Reply-To: <-1123724406662361791@unknownmsgid>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/noHTttmoFOjFq5XIHCcFTh8_G30
Subject: Re: [OAUTH-WG] SPOP - code verifier requirements
Hi,

in our project we ship a transformer implementation that assumes that a code verifier represents a base64url encoded SHA-256 hash of the code challenge.

Cheers, Sergey

On 15/10/14 19:48, Chuck Mortimore wrote:
> We're actually debating it internally. It seems easiest to just encode
> the binary code up front. Any issue with that?
>
> - cmort
>
> On Oct 15, 2014, at 8:32 AM, Nat Sakimura <sakimura@gmail.com> wrote:
>
>> Thanks.
>>
>> So, to be clear, are you base64url encoding when sending it over the
>> wire, or is your code verifier created by base64url encoding the
>> binary value so that you do not need to encode it when sending it over?
>>
>> =nat via iPhone
>>
>> On Oct 16, 2014 00:27, Chuck Mortimore <cmortimore@salesforce.com> wrote:
>>
>>> We went with base64url in our implementation
>>>
>>> On Tue, Oct 14, 2014 at 2:26 AM, Nat Sakimura <n-sakimura@nri.co.jp> wrote:
>>>
>>> In his mail, Mike asked whether code verifier is
>>> a value that is sendable without transformation
>>> as an HTTP parameter value, or if it needs to be
>>> % encoded when it is being sent.
>>>
>>> We have several options here:
>>>
>>> 1) Require that the code verifier be a base64url encoded
>>> string of a binary random value.
>>>
>>> 2) Let the code verifier be a binary string and require it to be
>>> either % encoded or base64url encoded when it is sent.
>>> In this case, which encoding should we use?
>>>
>>> 3) Require the code verifier to conform to the following ABNF:
>>> code_verifier = 16*128unreserved
>>> unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
>>>
>>> Which one do you guys prefer?
>>>
>>> Nat
>>>
>>> --
>>> Nat Sakimura (n-sakimura@nri.co.jp)
>>> Nomura Research Institute, Ltd.
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
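The options Nat lists (base64url-encode a random binary value up front, or constrain the verifier to the unreserved ABNF) can be checked side by side. The block below is an added example, not code from the thread or from any participant's implementation; it uses the draft ABNF quoted above (16*128 unreserved) and assumes the S256-style challenge, base64url(SHA-256(verifier)) without padding, which is what a server would store with the authorization code.

```python
import base64
import hashlib
import hmac
import os
import re
import urllib.parse

# Draft ABNF quoted in the thread:
#   code_verifier = 16*128unreserved
#   unreserved    = ALPHA / DIGIT / "-" / "." / "_" / "~"
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{16,128}")


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding: every output char is unreserved."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Option 1: encode the random binary value up front, so the verifier
    is already a string that can be sent as a parameter untouched."""
    return b64url_nopad(os.urandom(n_bytes))


def is_valid_code_verifier(verifier: str) -> bool:
    """Option 3: reject anything outside the unreserved ABNF and length."""
    return VERIFIER_RE.fullmatch(verifier) is not None


def needs_percent_encoding(value: str) -> bool:
    """True if sending `value` as a query parameter would alter it."""
    return urllib.parse.quote(value, safe="") != value


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(ASCII(code_verifier))), no padding."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def server_verify(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization server side: validate the verifier's form, recompute
    the challenge and compare it in constant time with the stored one."""
    if not is_valid_code_verifier(presented_verifier):
        return False
    return hmac.compare_digest(code_challenge_s256(presented_verifier),
                               stored_challenge)


if __name__ == "__main__":
    v = make_code_verifier()
    print(v, needs_percent_encoding(v), server_verify(code_challenge_s256(v), v))
```

Padded base64 (trailing `=`) fails the percent-encoding check and the ABNF, which is why the unpadded form matters for option 1.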