log2(64^27) = 162 bits. Looks good. For comparison, 128-bit entropy for a key in symmetric encryption used by SSL is considered strong. I'm assuming that all those 162 bits are generated by a good randomizer.
----- Original Message ----
> From: Brian Campbell <bcampb...@pingidentity.com>
> To: Eran Hammer-Lahav <e...@hueniverse.com>
> Cc: OAuth WG <oauth@ietf.org>
> Sent: Wed, July 6, 2011 4:06:29 PM
> Subject: Re: [OAUTH-WG] Example tokens
>
> If I've done the math correctly, 27 characters would give you a little
> more than 20 bytes worth of randomness (assuming you are using random
> alphanumeric characters or base64url encoded bytes). 20 bytes is
> something you see as a SHOULD type minimum length in other protocols
> for random identifiers. Not sure if that's sufficient reasoning but
> it's what I can come up with.
>
> On Wed, Jul 6, 2011 at 4:40 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
> > Are the tokens used in the examples long enough? I don't want the examples
> > to demonstrate poor choice of byte count.
> > EHL
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
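The arithmetic discussed in this thread, as an added example that is not part of the original messages: it computes the entropy of a 27-character token for the base64url and alphanumeric alphabets, finds the shortest length that reaches a 20-byte (160-bit) target, and draws the characters from the OS CSPRNG. The function names and the choice of Python's `secrets` module are assumptions made for this example.

```python
import math
import secrets
import string

# Alphabets mentioned in the thread (the constant names are this example's own).
ALPHANUMERIC = string.ascii_letters + string.digits   # 62 symbols
BASE64URL = ALPHANUMERIC + "-_"                       # 64 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent, uniformly random symbols."""
    return length * math.log2(alphabet_size)


def min_length(alphabet_size: int, target_bits: int) -> int:
    """Shortest token length whose entropy reaches `target_bits`.

    Uses exact integer comparison (alphabet_size**n >= 2**target_bits)
    so the boundary is not affected by floating-point rounding.
    """
    n = 0
    while alphabet_size ** n < 2 ** target_bits:
        n += 1
    return n


def random_token(alphabet: str, length: int) -> str:
    """Token whose characters are drawn uniformly from the OS CSPRNG.

    secrets.choice selects without modulo bias, so the entropy figure
    from entropy_bits() holds even for the 62-symbol alphabet.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, alphabet in (("base64url", BASE64URL), ("alphanumeric", ALPHANUMERIC)):
        size = len(alphabet)
        print(f"{name}: 27 chars = {entropy_bits(size, 27):.2f} bits, "
              f"min length for 160 bits = {min_length(size, 160)}, "
              f"sample = {random_token(alphabet, 27)}")
```

For both alphabets 27 characters is the shortest length that clears 160 bits; at 26 characters the entropy is 156 bits for base64url and about 154.8 bits for alphanumeric.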