Access tokens realistically may be longer as they may have encrypted scopes and such.



________________________________
From: Eran Hammer-Lahav <e...@hueniverse.com>
To: Brian Campbell <bcampb...@pingidentity.com>; Oleg Gryb <o...@gryb.info>
Cc: OAuth WG <oauth@ietf.org>
Sent: Wednesday, July 6, 2011 8:53 PM
Subject: Re: [OAUTH-WG] Example tokens

Does that apply to access tokens, refresh tokens, and authorization codes? I can try squeezing in 22 characters.

EHL

> -----Original Message-----
> From: Brian Campbell [mailto:bcampb...@pingidentity.com]
> Sent: Wednesday, July 06, 2011 8:46 PM
> To: Oleg Gryb
> Cc: Eran Hammer-Lahav; OAuth WG
> Subject: Re: [OAUTH-WG] Example tokens
> 
> So on the 128-bit note, the examples could probably be a bit shorter,
> 22 characters would give somewhat more than 128 bits of randomness.
> But to EHL's original question, the examples (currently 7-12
> characters) should probably be longer.
> 
> On Wed, Jul 6, 2011 at 5:27 PM, Oleg Gryb <oleg_g...@yahoo.com> wrote:
> > log2(64^27)=162 bits
> >
> > Looks good. For comparison, 128-bit entropy for a key in symmetric
> > encryption used by SSL is considered as strong.
> > I'm assuming that all those 162 bits are generated by a good randomizer.
> >
> >
> >
> >
> > ----- Original Message ----
> >> From: Brian Campbell <bcampb...@pingidentity.com>
> >> To: Eran Hammer-Lahav <e...@hueniverse.com>
> >> Cc: OAuth WG <oauth@ietf.org>
> >> Sent: Wed, July 6, 2011 4:06:29 PM
> >> Subject: Re: [OAUTH-WG] Example tokens
> >>
> >> If I've done the math correctly, 27 characters would give you a
> >> little more than 20 bytes worth of randomness (assuming you are
> >> using random alphanumeric characters or base64url encoded bytes).
> >> 20 bytes is something you see as a SHOULD type minimum length in
> >> other protocols for random identifiers. Not sure if that's
> >> sufficient reasoning but it's what I can come up with.
> >>
> >> On Wed, Jul 6, 2011 at 4:40 PM, Eran Hammer-Lahav
> >> <e...@hueniverse.com> wrote:
> >> > Are the tokens used in the examples long enough? I don't want the
> >> > examples to demonstrate poor choice of byte count.
> >> > EHL
> >> >  _______________________________________________
> >> > OAuth mailing  list
> >> > OAuth@ietf.org
> >> > https://www.ietf.org/mailman/listinfo/oauth
> >> >
> >> >
> >>
> >
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
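
The length arithmetic discussed in this thread, as an added example that is not part of any message above: it computes the entropy upper bound for a token of a given length and alphabet, the shortest length that reaches a target, and draws tokens from the OS CSPRNG. All function names and the sample strings are constructed for illustration.

```python
import math
import secrets
import string

# Alphabets named in the thread: base64url (64 symbols) and alphanumeric (62).
BASE64URL = string.ascii_letters + string.digits + "-_"
ALPHANUM = string.ascii_letters + string.digits


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Upper bound on entropy: assumes every character is uniform and independent."""
    return length * math.log2(alphabet_size)


def min_length(target_bits: int, alphabet_size: int) -> int:
    """Fewest characters that reach target_bits for this alphabet size."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def new_token(target_bits: int = 128, alphabet: str = BASE64URL) -> str:
    """Draw each character from the OS CSPRNG via secrets, not the random module."""
    n = min_length(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(n))


def too_short(token: str, target_bits: int = 128) -> bool:
    """True if even a perfectly random base64url string of this length
    could not carry target_bits of entropy."""
    return entropy_bits(len(token), len(BASE64URL)) < target_bits


if __name__ == "__main__":
    # Lengths mentioned in the thread: 7-12 (current examples), 22 and 27.
    for n in (7, 12, 22, 27):
        print(n, "chars:", entropy_bits(n, 64), "bits (base64url),",
              round(entropy_bits(n, 62), 1), "bits (alphanumeric)")
    # Constructed sample values, not taken from any specification draft.
    for sample in ("abc1234", "abcdef123456", new_token(), new_token(160)):
        print(sample, "-> too short" if too_short(sample) else "-> ok")
```

These figures are upper bounds: they hold only when every character comes from a cryptographically strong generator, which is the assumption stated in the thread.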
