Re: [OAUTH-WG] Defining a maximum token length?

Paul Lindner <lindner@inuus.com> Wed, 10 March 2010 20:47 UTC

Standards have size limits to overcome operational issues all the time. For an extreme example, look at the backflips that MIME goes through to ensure that mail can be delivered by even the most hostile relay. (Including systems using EBCDIC, and systems that mangle payloads!)

If there are no bounds on the size of a token, the end result is that some parts of the protocol move from MAY to MUST. For example, many firewall/proxy services in the wild will truncate URLs and even HTTP headers much shorter than the 4k normally assumed. Ergo, POST support is now a MUST.


On Mar 10, 2010, at 8:30 AM, John Kemp wrote:

> On Mar 10, 2010, at 11:16 AM, Moritz Maisel wrote:
> 
>> On 03/10/2010 04:42 PM, John Kemp wrote:
>>> One reason I can imagine is to make it possible to encode information into the token itself so that the token can be "self-contained" (mentioned also by others on this list). 
>>> 
>> 
>> Though that's an interesting option, compatibility of implementations
>> might be easier to achieve by strict specifications like "maximum of 256
>> characters".
> 
> Could you explain why you need to standardize a maximum token length, or why you would want to standardize on implementations of a token store rather than a token-exchange protocol here? 
> 
>> 
>> Just to get an idea about the situation: Is the mentioned
>> "self-contained token" a common scenario / popular demand that needs to
>> be covered?
> 
> Yes it is. Several people on this list have already mentioned it. 
> 
> Regards,
> 
> - johnk
> 
>> 
>> Regards,
>> Moritz
>> 
>> -- 
>> sipgate GmbH - Gladbacher Str. 74 - 40219 Düsseldorf
>> HRB Düsseldorf 39841 - Geschäftsführer: Thilo Salmon, Tim Mois
>> Steuernummer: 106/5724/7147, Umsatzsteuer-ID: DE219349391
>> 
>> www.sipgate.de - www.sipgate.at - www.sipgate.co.uk
>> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
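
Added example, not part of the original thread: a sketch of how a "self-contained" token grows past the 256-character cap suggested above, and how a server detects a token that an intermediary truncated in a URL or header. The token format (base64url JSON claims plus an HMAC-SHA256 tag), the key, the claims and all function names are assumptions made for illustration, not anything defined by OAuth.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed sample key for this example only
LIMITS = {"256-char cap": 256, "4k assumption": 4096}  # figures quoted in the thread

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign(body: str) -> str:
    return b64u(hmac.new(KEY, body.encode(), hashlib.sha256).digest())

def make_token(claims: dict) -> str:
    """Hypothetical self-contained token: base64url(JSON claims) + "." + HMAC tag."""
    body = b64u(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    return body + "." + sign(body)

def verify_token(token: str):
    """Return the claims, or None when the token is malformed, altered or cut short."""
    body, sep, tag = token.partition(".")
    if not sep or not hmac.compare_digest(tag.encode(), sign(body).encode()):
        return None
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def fits(token: str) -> dict:
    """Which of the thread's candidate limits the token stays within."""
    return {name: len(token) <= limit for name, limit in LIMITS.items()}

def through_relay(token: str, max_len: int) -> str:
    """Model an intermediary that silently truncates a URL or header value."""
    return token[:max_len]

# Constructed sample claims: a minimal token and one carrying 40 scope entries.
SMALL = {"sub": "user-1001", "exp": 1268254052}
LARGE = dict(SMALL, scope=[f"resource:{i}:read" for i in range(40)])
SMALL_TOKEN, LARGE_TOKEN = make_token(SMALL), make_token(LARGE)

if __name__ == "__main__":
    for name, tok in (("small", SMALL_TOKEN), ("large", LARGE_TOKEN)):
        cut = through_relay(tok, 256)
        print(name, len(tok), fits(tok), "survives 256-char relay:",
              verify_token(cut) is not None)
```

Because the integrity tag covers the whole claims body, a truncated token fails verification outright instead of being accepted with fewer claims.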