Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-spop-09.txt

John Bradley <ve7jtb@ve7jtb.com> Thu, 05 February 2015 20:58 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 204981A7007 for <oauth@ietfa.amsl.com>; Thu, 5 Feb 2015 12:58:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QUz_bhlQ2g-h for <oauth@ietfa.amsl.com>; Thu, 5 Feb 2015 12:57:59 -0800 (PST)
Received: from mail-qc0-f170.google.com (mail-qc0-f170.google.com [209.85.216.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A59FF1A8791 for <oauth@ietf.org>; Thu, 5 Feb 2015 12:57:56 -0800 (PST)
Received: by mail-qc0-f170.google.com with SMTP id p6so8519163qcv.1 for <oauth@ietf.org>; Thu, 05 Feb 2015 12:57:55 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=1QYk2L1QryUSAPkVKukJZSEo+0FVKkBGKTde/ygiK4k=; b=DozUevWgWUp66F0sbi0kj8UMQpY6p71LwbNGANqZc0QIOT7t8q1jvIbKwTz5kjXrIn 7qQVCpEn36qvykyQcywQlvlVZ45Rm6NsWYN+NlIHjoQFyXKrQzKCtSlNAbUXhJP29YV0 peiSYC7QyPPBBpv4yVSfx9qU3bgk6gYzA9AcaCw4PDcDd3lsqtL4XYy2Ja/jgpLWL8RD G60fW/TCRhwLOLq0HzieDS7KRqEIKNGTQ6eYy0/Hn7U6U3ROKaMJH2TJK+G05qmZrSx2 yYeciWe2ELlHKgRkWAM+/ftqb9rkHWT87ZHPE0VZh2e+7h6Pdz2GMFzb7Ts0fCJjoz8t Y7sg==
X-Gm-Message-State: ALoCoQmbrHf+IR7n9UyKP/dFLojP46Pda+4wqoBkcs7KN6uc3QH4+/kOKOzYGOmX9nQoIfeBJ431
X-Received: by 10.140.32.166 with SMTP id h35mr135069qgh.31.1423169875733; Thu, 05 Feb 2015 12:57:55 -0800 (PST)
Received: from [192.168.8.100] ([181.202.19.170]) by mx.google.com with ESMTPSA id k3sm362343qao.0.2015.02.05.12.57.53 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 05 Feb 2015 12:57:55 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_DE9BC09D-8FAA-4280-B8A7-93A1F8AD7459"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <179064624.461521.1423169661115.JavaMail.yahoo@mail.yahoo.com>
Date: Thu, 5 Feb 2015 17:57:50 -0300
Message-Id: <6E833DEA-546B-458A-871A-7246D908641B@ve7jtb.com>
References: <D2D94A6E-7208-4CCB-9558-3731C1096783@ve7jtb.com> <179064624.461521.1423169661115.JavaMail.yahoo@mail.yahoo.com>
To: Bill Mills <wmills_92105@yahoo.com>
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/px0mK6kKzr1y3AZbJnoiAsMfr_s>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-spop-09.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Feb 2015 20:58:03 -0000

Yes the current draft has 43 to 128 characters unreserved  43*128unreserved  

You can blame me for a lot of things but ABNF is not one of them:)

John B.


> On Feb 5, 2015, at 5:54 PM, Bill Mills <wmills_92105@yahoo.com> wrote:
> 
> Ah, BNF builtin parser error, that's 42*128.  I had parsed that as 128unreserved as the name.
> 
> 
> On Thursday, February 5, 2015 12:47 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
> 
> 
> We are discussing the minimum size,  the max is currently 128 characters.
> 
> 
>> On Feb 5, 2015, at 5:11 PM, Bill Mills <wmills_92105@yahoo.com <mailto:wmills_92105@yahoo.com>> wrote:
>> 
>> Is there a compelling reason to make that length fixed?  
>> 
>> 
>> 
>> On Thursday, February 5, 2015 10:10 AM, Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>> wrote:
>> 
>> 
>> 22-chars (128 bits) as a lower limit seems just fine for this case.
>> 
>> "ccm" works for me but I don't feel strongly about it either way.
>> 
>> 
>> 
>> On Thu, Feb 5, 2015 at 9:49 AM, John Bradley <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>> wrote:
>> Inline
>> 
>> 
>> > On Feb 4, 2015, at 10:43 PM, Manger, James <James.H.Manger@team.telstra.com <mailto:James.H.Manger@team.telstra.com>> wrote:
>> >
>> >>    Title           : Proof Key for Code Exchange by OAuth Public Clients
>> >>      Filename        : draft-ietf-oauth-spop-09.txt
>> >> https://tools.ietf.org/html/draft-ietf-oauth-spop-09 <https://tools.ietf.org/html/draft-ietf-oauth-spop-09>
>> >
>> >
>> > Some nits on this draft:
>> >
>> > 1. 42 chars.
>> > The lower limit of 42 chars for code_verifier: is not mentioned in prose (just the upper limit); is too high (128-bits=22-chars is sufficient); and doesn't correspond to 256-bits (BASE64URL-ENCODE(32 bytes) gives 43 chars, not 42).
>> 
>> In my editors draft I fixed the 43 octet base64url encoding of 32bytes.  I originally had 43 but it got changed at some point
>> 
>> Is there working group feedback on making the lower limit clear in the prose and if so what should it be?  22-chars (128 bits) or 43 char (256 bits)?
>> 
>> 
>> >
>> > 2.
>> > Quotes around "code_verifier" and "code_challenge" in prose are okay, though not really necessary as the underscore is enough to distinguish them as technical labels. Quotes around these terms in formula is bad as it looks like the formula applies to the 13 or 14 chars of the label. The quoting is also used inconsistently.
>> > Suggestion: remove all quotes around "code_verifier" and "code_challenge" in prose and formula.
>> > For example, change ASCII("code_verifier") to ASCII(code_verifier).
>> >
>> 
>> I am going to leave this for a later formatting cleanup at the moment, I need to find a good style compromise that works with rfcmarkup.
>> 
>> > 3.
>> > Two ways to check code_verifier are given in appendix B, whereas only one of these is mentioned in section 4.6.
>> >  SHA256(verifier) === B64-DECODE(challenge)
>> >  B64-ENCODE(SHA256(verifier)) === challenge
>> >
>> > I suggest only mentioning the 2nd (change 4.6 to use the 2nd, and drop the 1st from appendix B). It is simpler to mention only one. It also means base64url-decoding is never done, and doesn't need to be mentioned in the spec.
>> >
>> Yes when I added the example I realized that the normative text was the more complicated way to do the comparison.
>> 
>> I will go back and refactor the main text to talk about the simpler comparison and drop the base64url-decode references.
>> >
>> > 4.
>> > Expand "MTI" to "mandatory to implement".
>> 
>> Done in editors draft.
>> >
>> > P.S. Suggesting code challenge method names not exceed 8 chars to be compact is a bit perverse given the field holding these values has the long name "code_challenge_method" ;)
>> 
>>   On the topic of the parameter  name  "code_challange_method",  James has a point in that it is a bit long.
>> 
>> We could shorten it to "ccm".   If we want to change the name sooner is better than later.
>> 
>> It is that balance between compactness and clear parameter names for developers, that we keep running into.
>> 
>> I don't know that encouraging longer parameter values is the best direction.
>> 
>> Feedback please
>> 
>> John B.
>> >
>> > --
>> > James Manger
>> >
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org <mailto:OAuth@ietf.org>
>> > https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>> 
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>> 
>> 
> 
> 
>