Re: [OAUTH-WG] SPOP - code verifier requirements

Sergey Beryozkin <sberyozkin@gmail.com> Wed, 15 October 2014 20:12 UTC

Message-ID: <543ED519.3080902@gmail.com>
Date: Wed, 15 Oct 2014 21:12:09 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
To: oauth@ietf.org
References: <20141014182611.dd6598cc163e9c640d4167fd@nri.co.jp> <CA+wnMn9Fs3FsNKN2FP_2c=NbeFepgjJaK=+QE2U8--uaLNvuZQ@mail.gmail.com> <A2C25784-D36C-4783-B541-D1ADF621FCDE@gmail.com> <-1123724406662361791@unknownmsgid>
In-Reply-To: <-1123724406662361791@unknownmsgid>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/noHTttmoFOjFq5XIHCcFTh8_G30

Hi, in our project we ship a transformer implementation that assumes that a code verifier represents a base64url encoded SHA-256 hash of the code challenge.

Cheers, Sergey
On 15/10/14 19:48, Chuck Mortimore wrote:
> We're actually debating it internally.   It seems easiest to just encode
> the binary code up front.   Any issue with that?
>
> - cmort
>
> On Oct 15, 2014, at 8:32 AM, Nat Sakimura <sakimura@gmail.com
> <mailto:sakimura@gmail.com>> wrote:
>
>> Thanks.
>>
>> So, to be clear, are you base64url encoding when sending it over the
>> wire, or is your code verifier created by base64url encoding the
>> binary value so that you do not need to encode it when sending it over?
>>
>> =nat via iPhone
>>
>> On Oct 16, 2014, at 00:27, Chuck Mortimore <cmortimore@salesforce.com
>> <mailto:cmortimore@salesforce.com>> wrote:
>>
>>> We went with base64url in our implementation
>>>
>>> On Tue, Oct 14, 2014 at 2:26 AM, Nat Sakimura <n-sakimura@nri.co.jp
>>> <mailto:n-sakimura@nri.co.jp>> wrote:
>>>
>>>     In his mail, Mike asked whether the code verifier is
>>>     a value that is sendable without transformation
>>>     as an HTTP parameter value, or if it needs to be
>>>     % encoded when it is being sent.
>>>
>>>     We have several options here:
>>>
>>>     1) Require the code verifier to be a base64url encoded
>>>     string of a binary random value.
>>>
>>>     2) Let the code verifier be a binary string and require it to be
>>>     either % encoded or base64url encoded when it is sent.
>>>     In this case, which encoding should we use?
>>>
>>>     3) Require the code verifier to conform to the following ABNF:
>>>     code_verifier = 16*128unreserved
>>>     unreserved    = ALPHA / DIGIT / "-" / "." / "_" / "~"
>>>
>>>     Which one do you guys prefer?
>>>
>>>     Nat
>>>
>>>     --
>>>     Nat Sakimura (n-sakimura@nri.co.jp <mailto:n-sakimura@nri.co.jp>)
>>>     Nomura Research Institute, Ltd.
>>>
>>>     _______________________________________________
>>>     OAuth mailing list
>>>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>     https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>
>
>
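An added example (my own code, not any poster's implementation) that puts the options from Nat's quoted mail side by side: option 1 generates the verifier as unpadded base64url of random bytes, the ABNF of option 3 is the syntax check a server applies on receipt, and the S256 transform of the SPOP draft (base64url of the SHA-256 digest of the verifier) turns it into the challenge. Because every base64url character is in the `unreserved` set, the value survives as an HTTP parameter without % encoding, which the example checks explicitly.

```python
import base64
import hashlib
import hmac
import os
import re
from urllib.parse import quote

# Option 3 from Nat's mail: code_verifier = 16*128unreserved,
# unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
UNRESERVED_VERIFIER = re.compile(r"[A-Za-z0-9\-._~]{16,128}")


def b64url_nopad(raw: bytes) -> str:
    """base64url encoding with the trailing '=' padding removed."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    """Option 1: the verifier is base64url of a binary random value.
    12..96 random bytes give 16..128 characters, i.e. the option 3 range;
    the default of 32 bytes yields a 43-character verifier."""
    if not 12 <= nbytes <= 96:
        raise ValueError("need 12..96 random bytes for 16..128 characters")
    return b64url_nopad(os.urandom(nbytes))


def is_valid_verifier(verifier: str) -> bool:
    """Server-side syntax check against the option 3 ABNF."""
    return UNRESERVED_VERIFIER.fullmatch(verifier) is not None


def needs_percent_encoding(value: str) -> bool:
    """True if sending the value as an HTTP parameter would alter it."""
    return quote(value, safe="-._~") != value


def s256_challenge(verifier: str) -> str:
    """S256 transform from the SPOP draft: base64url(SHA-256(verifier))."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return b64url_nopad(digest)


def verify_challenge(verifier: str, challenge: str) -> bool:
    """Token endpoint: reject malformed verifiers, then compare the
    recomputed challenge in constant time."""
    if not is_valid_verifier(verifier):
        return False
    return hmac.compare_digest(s256_challenge(verifier), challenge)
```

The known-answer pair used in the test (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`, challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`) is the S256 test vector later published in RFC 7636, Appendix B.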