Sounds really good.

+1 for adding this to the authorization code's specification.

Am 15.07.2010 16:22, schrieb Brian Campbell:
I agree it's important, but does it belong in security considerations or
perhaps somewhere in the definition of the Authorization Code itself?

Either way here's some text that could be used as a starting point.  I
borrowed heavily from concepts and language in SAML regarding
artifacts and IDs which bear many similarities (artifacts especially)
to authorization codes.

     The Authorization Code value MUST be constructed from
     a cryptographically strong random or pseudo-random number
     sequence [RFC1750] generated by the Authorization Server.
     The probability of any two Authorization Code values being
     identical MUST be less than or equal to 2^(-128) and SHOULD
     be less than or equal to 2^(-160).

Also perhaps there should be a suggestion or requirement on the
maximum size of the code as well?

-Brian

On Thu, Jul 15, 2010 at 1:23 AM, Igor Faynberg <igor.faynb...@alcatel-lucent.com> wrote:
An important point, which I think should be captured in the security
consideration section.

Igor

Torsten Lodderstedt wrote:
What about guessing/brute force attacks on the code? Suppose an
authorization server issues tokens for a client without a secret. Then the number
of attempts needed to obtain a token issued to that client depends only on
the length and randomness of the code. Should the spec state something about
that?

regards,
Torsten.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

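The numbers proposed in the thread (any two codes identical with probability at most 2^(-128), preferably 2^(-160)) and Torsten's brute-force concern, worked through as an added Python example. This is not code from the thread, from the OAuth specification or from any authorization server; the names generate_auth_code, min_code_bits, brute_force_success_probability and CodeStore are invented for the illustration. It generates codes from the OS CSPRNG, computes the code length needed to meet a collision bound (including for a whole population of outstanding codes, which the two-value bound alone does not cover), bounds the guessing odds of a client that has no secret, and redeems codes single-use through a hash index so the raw code is never stored or compared directly.

```python
import hashlib
import math
import secrets


def generate_auth_code(bits: int = 256) -> str:
    """Return a URL-safe authorization code carrying `bits` of CSPRNG entropy.

    secrets.token_urlsafe() reads the OS CSPRNG (os.urandom), which is what
    "cryptographically strong random or pseudo-random" means in practice.
    16 bytes (128 bits) encodes to 22 characters, 32 bytes (256 bits) to 43.
    """
    if bits % 8:
        raise ValueError("bits must be a multiple of 8")
    return secrets.token_urlsafe(bits // 8)


def pairwise_collision_probability(bits: int) -> float:
    """Probability that two independently generated `bits`-bit codes are equal."""
    return math.ldexp(1.0, -bits)


def min_code_bits(n_codes: int, bound_exponent: int) -> int:
    """Smallest code length, in bits, such that among `n_codes` uniformly random
    codes the probability of *any* pair colliding is <= 2^-bound_exponent
    (union bound over all pairs).

    With n_codes == 2 this is exactly the thread's "any two values identical"
    requirement: 128 bits for the MUST, 160 for the SHOULD. For a larger
    population the birthday effect adds ceil(log2(number of pairs)) bits.
    """
    if n_codes < 2:
        raise ValueError("need at least two codes to collide")
    pairs = n_codes * (n_codes - 1) // 2
    return bound_exponent + (pairs - 1).bit_length()  # == ceil(log2(pairs))


def brute_force_success_probability(code_bits: int, live_codes: int,
                                    attempts: int) -> float:
    """Upper bound on an attacker's chance of hitting any currently valid code
    with `attempts` uniformly random guesses, given `live_codes` outstanding
    codes in a 2^code_bits space. This is Torsten's scenario: a client with no
    secret, so only the code's length and randomness stand in the way.
    """
    return min(1.0, math.ldexp(live_codes * attempts, -code_bits))


class CodeStore:
    """Hypothetical single-use store for issued authorization codes.

    Codes are indexed by SHA-256 of the code, so the raw secret never sits in
    the store and the dictionary lookup's timing depends only on the digest,
    which an attacker cannot invert to learn the code.
    """

    def __init__(self) -> None:
        self._codes: dict[bytes, str] = {}  # sha256(code) -> client_id

    def issue(self, client_id: str, bits: int = 256) -> str:
        code = generate_auth_code(bits)
        self._codes[hashlib.sha256(code.encode()).digest()] = client_id
        return code

    def redeem(self, presented: str):
        """Return the client_id the code was issued to, or None. A code is
        removed on first presentation, valid or not, so it cannot be replayed."""
        key = hashlib.sha256(presented.encode()).digest()
        return self._codes.pop(key, None)


if __name__ == "__main__":
    print("two 128-bit codes collide w.p.", pairwise_collision_probability(128))
    print("bits for 2^20 outstanding codes at 2^-128:", min_code_bits(2 ** 20, 128))
    print("P(hit 1 live 128-bit code in 2^20 guesses):",
          brute_force_success_probability(128, 1, 2 ** 20))
    store = CodeStore()
    code = store.issue("client-a")
    print("redeem:", store.redeem(code), "replay:", store.redeem(code))
```

The brute-force bound grows linearly in both the number of guesses and the number of live codes, so code length is necessary but not the whole defence: an authorization server should also cap token-endpoint attempts per client and keep code lifetimes short, which shrinks both factors for an attacker who has no client secret to present.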
