IETF Logo Mail Archive

Re: [OAUTH-WG] Defining a maximum token length?

Paul Lindner <lindner@inuus.com> Wed, 10 March 2010 22:47 UTC

Return-Path: <lindner@inuus.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D11393A68B2 for <oauth@core3.amsl.com>; Wed, 10 Mar 2010 14:47:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.976
X-Spam-Level:
X-Spam-Status: No, score=-1.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cuu-C5m3sl7N for <oauth@core3.amsl.com>; Wed, 10 Mar 2010 14:47:40 -0800 (PST)
Received: from mail-pw0-f44.google.com (mail-pw0-f44.google.com [209.85.160.44]) by core3.amsl.com (Postfix) with ESMTP id 672FC3A6819 for <oauth@ietf.org>; Wed, 10 Mar 2010 14:47:40 -0800 (PST)
Received: by pwj8 with SMTP id 8so48651pwj.31 for <oauth@ietf.org>; Wed, 10 Mar 2010 14:47:43 -0800 (PST)
MIME-Version: 1.0
Received: by 10.143.21.40 with SMTP id y40mr810171wfi.348.1268261262947; Wed, 10 Mar 2010 14:47:42 -0800 (PST)
In-Reply-To: <C280886E-38E9-4328-AFBD-DCC805B6C0C2@jkemp.net>
References: <fd6741651003091550t5a464496r57aae9a60c516599@mail.gmail.com> <0EC5832F-DE91-437F-96FE-87638A2BCF16@jkemp.net> <4B97C5F9.1020005@sipgate.de> <0693DA9D-980A-4CDD-87EF-12F96D5E8526@jkemp.net> <DB9C8A57-DC10-464C-9E6B-2BEBD0528232@inuus.com> <C280886E-38E9-4328-AFBD-DCC805B6C0C2@jkemp.net>
Date: Wed, 10 Mar 2010 14:47:42 -0800
Message-ID: <b71cdca91003101447p2ea772b7r73117c2d3f937377@mail.gmail.com>
From: Paul Lindner <lindner@inuus.com>
To: John Kemp <john@jkemp.net>
Content-Type: multipart/alternative; boundary="00504502c5a30f749b04817a16eb"
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Defining a maximum token length?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Mar 2010 22:47:41 -0000

RFC 2822 <http://www.rfc-editor.org/rfc/rfc2822.txt> provides an apropos
example in sections 2.1.1:

There are two limits that this standard places on the number of
characters in a line. Each line of characters MUST be no more than
998 characters, and SHOULD be no more than 78 characters, excluding
the CRLF.


RFC 2821 <http://www.rfc-editor.org/rfc/rfc2821.txt> has a whole section on
size limits in section 5.4.3.1.

Good reading....

OAuth  has it's own transport related issues, so our MUST limit would
probably be determined by HTTP or other transport considerations.  As a
community we can hopefully come to an agreement on what SHOULD value makes
sense...

I also suggest that error handling around this condition (and everything
else) be nailed down so things don't just break in mysterious ways.
 Remember to SMTP a 500 error is 'line too long'..

On Wed, Mar 10, 2010 at 2:23 PM, John Kemp <john@jkemp.net> wrote:

> On Mar 10, 2010, at 3:47 PM, Paul Lindner wrote:
>
> > Standards have size limits to overcome operational issues all the time.
>
> Standards usually standardize on the things necessary for interoperability,
> and token size isn't a necessity for interoperability unless we make it one.
> No-one has explained the benefit of doing that yet.
>
> >  For an extreme example look at the backflips that MIME goes through to
> insure that mail can be delivered by even the most hostile relay.
>  (Including systems using EBCDIC, and systems that mangle payloads!)
> >
> > If there are no bounds on the size of a token the end result is that some
> parts of the protocol move from MAY to MUST.  For example, many
> firewall/proxy services in the wild will truncate URLs and even HTTP headers
>  much shorter than the 4k normally assumed.    Ergo, POST support is now a
> MUST.
>
> And in environments without such intermediaries, tokens of much larger
> sizes may be sent without problems.
>
> I agree that implementation considerations such as URL length and so on may
> be relevant in some environments, but I would oppose some mandatory limit in
> OAuth on token size.
>
> It's fine, however, to say that if we rely on HTTP as a substrate that we
> should be governed by any relevant and documented standard HTTP (or other
> relevant specifications) limits, and provide implementation advice to
> suggest that in some environments where implementations don't follow the
> standards, URLs may be truncated by *some implementations* (for example).
>
> Regards,
>
> - johnk
>
> >
> > On Mar 10, 2010, at 8:30 AM, John Kemp wrote:
> >
> >> On Mar 10, 2010, at 11:16 AM, Moritz Maisel wrote:
> >>
> >>> On 03/10/2010 04:42 PM, John Kemp wrote:
> >>>> One reason I can imagine is to make it possible to encode information
> into the token itself so that the token can be "self-contained" (mentioned
> also by others on this list).
> >>>>
> >>>
> >>> Though thats an interesting option, compatibility of implementations
> >>> might be easier to achieve by strict specifications like "maximum of
> 256
> >>> characters".
> >>
> >> Could you explain why you need to standardize a maximum token length, or
> why you would want to standardize on implementations of a token store rather
> than a token-exchange protocol here?
> >>
> >>>
> >>> Just to get an idea about the situation: Is the mentioned
> >>> "self-contained token" a common scenario / popular demand that needs to
> >>> be covered?
> >>
> >> Yes it is. Several people on this list have already mentioned it.
> >>
> >> Regards,
> >>
> >> - johnk
> >>
> >>>
> >>> Regards,
> >>> Moritz
> >>>
> >>> --
> >>> sipgate GmbH - Gladbacher Str. 74 - 40219 Düsseldorf
> >>> HRB Düsseldorf 39841 - Geschäftsführer: Thilo Salmon, Tim Mois
> >>> Steuernummer: 106/5724/7147, Umsatzsteuer-ID: DE219349391
> >>>
> >>> www.sipgate.de - www.sipgate.at - www.sipgate.co.uk
> >>>
> >>> _______________________________________________
> >>> OAuth mailing list
> >>> OAuth@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/oauth
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >
>
>

v2.23.0 | Report a Bug | By Email