IETF Logo Mail Archive

Re: [OAUTH-WG] Question lengths in draft-sakimura-oauth-tcse-03

John Bradley <ve7jtb@ve7jtb.com> Mon, 12 May 2014 21:48 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EBE3D1A077F for <oauth@ietfa.amsl.com>; Mon, 12 May 2014 14:48:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Utswhvrb0uF for <oauth@ietfa.amsl.com>; Mon, 12 May 2014 14:48:36 -0700 (PDT)
Received: from mail-ee0-f45.google.com (mail-ee0-f45.google.com [74.125.83.45]) by ietfa.amsl.com (Postfix) with ESMTP id C27E31A077A for <oauth@ietf.org>; Mon, 12 May 2014 14:48:35 -0700 (PDT)
Received: by mail-ee0-f45.google.com with SMTP id d49so5123601eek.4 for <oauth@ietf.org>; Mon, 12 May 2014 14:48:28 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=bSmTrt5+wiv8PySG+/SdUIFkV6G6tI1RorcWE9nnq8Y=; b=KMJ85aWgRQrq53kg4TKPfIQgvPzOEJ2FafFCP96PBTB06qPlMGKvpRBWnp4Gtqh02g T8VjyHWzjCYk3wg/WR//rDfhJH6sxggaTvhpiSlJG1TA+k6i5XCuPWniVpN9maVTFeuj +suHVpSzjfiEZwlvHUmX6iG/gizhmAre3Z8AyJanD9d42IA9hGiLFOGulPcaiZvYhIzF WFHTIKeF9+6m/ouQp8sJgzzU1qyMg0hCsO/pGNx/OGHGjmkWzbQ7tsYz5xBD28tHhDF2 sEz8p/IQVrDdz3jjG+GrXNkVLxPaudM+0FZfNKbR8mMz5wFw+g+Gb/6txY8dE3YZy/s2 1f6g==
X-Gm-Message-State: ALoCoQk4Vsu7zzXsh0vr8HnUJmxehQGVdtdrXHLNKgQojAt8qKjuaLT7kJQapTHtccVLgwswqKNW
X-Received: by 10.15.63.200 with SMTP id m48mr35166991eex.87.1399931308828; Mon, 12 May 2014 14:48:28 -0700 (PDT)
Received: from [192.168.0.93] ([195.50.165.102]) by mx.google.com with ESMTPSA id 4sm35592999eef.44.2014.05.12.14.48.18 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 12 May 2014 14:48:26 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <sjm4n0uk8be.fsf@mocana.ihtfp.org>
Date: Mon, 12 May 2014 23:48:13 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <21A361B0-4E8F-4DAB-9EEB-D48FBCBDFFED@ve7jtb.com>
References: <CA+k3eCTZOheb0HCetS88EXcP-8LJQrYPRuwVcd4NWaWxUAVO1g@mail.gmail.com> <sjm4n0uk8be.fsf@mocana.ihtfp.org>
To: Derek Atkins <warlord@MIT.EDU>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/wav7LG1aVYEwdZgpUzcwS2qnafo
Cc: oauth <oauth@ietf.org>, Naveen Agarwal <naa@google.com>
Subject: Re: [OAUTH-WG] Question lengths in draft-sakimura-oauth-tcse-03
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 May 2014 21:48:38 -0000

I think octets is more consistent with other JW* and OAuth specs.

The code_challange is the same length as the code_verifyer or is a hash of the code_verifyer so likely smaller than 128octets (43 ish for base64 256 bit)

Limiting the code_verifyer size sets the upper bound for code_challange, unless someone comes up with a really creative code challenge algorithm.

I will talk to nat about changing it to octets when I see him tomorrow.  

John B.

On May 12, 2014, at 11:15 PM, Derek Atkins <warlord@MIT.EDU> wrote:

> Brian Campbell <bcampbell@pingidentity.com> writes:
> 
>> I notice that code_verifier is defined as "high entropy cryptographic random
>> string of length less than 128 bytes"  [1], which brought a few questions and
>> comments to mind. So here goes:
>> 
>> Talking about the length of a string in terms of bytes is always potentially
>> confusing. Maybe characters would be an easier unit for people like me to wrap
>> their little brains around?
> 
> It depends if it really is characters or bytes.  For example there are
> many multi-byte UTF-8 characters, so if it really is bytes then saying
> characters is wrong because it could overflow.  So let's make sure we
> know what we're talking about.  Historically, if we're talking bytes the
> IETF often uses the phrase "octets".  Would that be less confusing?
> 
>> Why are we putting a length restriction on the code_verifier anyway? It seems
>> like it'd be more appropriate to restrict the length of the code_challenge
>> because that's the thing the AS will have to maintain somehow (store in a DB
>> or memory or encrypt into the code). Am I missing something here?
>> 
>> Let me also say that I hadn't looked at this document since its early days in
>> draft -00 or -01 last summer but I like the changes and how it's been kept
>> pretty simple for the common use-case while still allowing for crypto agility/
>> extension. Nice work!
>> 
>> [1] http://tools.ietf.org/html/draft-sakimura-oauth-tcse-03#section-3.3
> 
> -derek
> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> -- 
>       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>       Member, MIT Student Information Processing Board  (SIPB)
>       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>       warlord@MIT.EDU                        PGP key available

v2.23.0 | Report a Bug | By Email