+1

If the system just needs a random identifier with state maintained on the server, then the current tokens are fine. For those systems that plan to encrypt data in the scopes (or use JWTs) they will be much larger.

Thanks,
George

On 7/7/11 9:24 AM, William J. Mills wrote:
Access tokens realistically may be longer as they may have encrypted scopes and such.

------------------------------------------------------------------------
*From:* Eran Hammer-Lahav <e...@hueniverse.com>
*To:* Brian Campbell <bcampb...@pingidentity.com>; Oleg Gryb <o...@gryb.info>
*Cc:* OAuth WG <oauth@ietf.org>
*Sent:* Wednesday, July 6, 2011 8:53 PM
*Subject:* Re: [OAUTH-WG] Example tokens

Does that apply to access tokens, refresh tokens, and authorization codes? I can try squeezing in 22 characters.

EHL

> -----Original Message-----
> From: Brian Campbell [mailto:bcampb...@pingidentity.com]
> Sent: Wednesday, July 06, 2011 8:46 PM
> To: Oleg Gryb
> Cc: Eran Hammer-Lahav; OAuth WG
> Subject: Re: [OAUTH-WG] Example tokens
>
> So on the 128-bit note, the examples could probably be a bit shorter,
> 22 characters would give somewhat more than 128 bits of randomness.
> But to EHL's original question, the examples (currently 7-12
> characters) should probably be longer.
>
> On Wed, Jul 6, 2011 at 5:27 PM, Oleg Gryb <oleg_g...@yahoo.com> wrote:
> > log2(64^27)=162 bits
> >
> > Looks good. For comparison, 128-bit entropy for a key in symmetric
> > encryption used by SSL is considered strong.
> > I'm assuming that all those 162 bits are generated by a good randomizer.
> >
> >
> >
> >
> > ----- Original Message ----
> >> From: Brian Campbell <bcampb...@pingidentity.com>
> >> To: Eran Hammer-Lahav <e...@hueniverse.com>
> >> Cc: OAuth WG <oauth@ietf.org>
> >> Sent: Wed, July 6, 2011 4:06:29 PM
> >> Subject: Re: [OAUTH-WG] Example tokens
> >>
> >> If I've done the math correctly, 27 characters would give you a
> >> little more than 20 bytes worth of randomness (assuming you are
> >> using random alphanumeric characters or base64url encoded bytes).
> >> 20 bytes is something you see as a SHOULD type minimum length in
> >> other protocols for random identifiers. Not sure if that's
> >> sufficient reasoning but it's what I can come up with.
> >>
> >> On Wed, Jul 6, 2011 at 4:40 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
> >> > Are the tokens used in the examples long enough? I don't want the
> >> > examples to demonstrate poor choice of byte count.
> >> > EHL
> >> > _______________________________________________
> >> > OAuth mailing list
> >> > OAuth@ietf.org
> >> > https://www.ietf.org/mailman/listinfo/oauth
> >> >
> >> >
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >>
> >
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
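The arithmetic the thread turns on (log2(64^27) = 162 bits, 22 base64url characters for a bit more than 128 bits, 27 for a bit more than 20 bytes) is easy to get wrong when the alphabet is not a power of two, so here is a small worked example. It is added here and is not code from the thread or from any OAuth implementation; the function names and the 128-bit minimum used in the check are my own assumptions. It computes the entropy of a uniformly random token for a given alphabet and length, the length needed to reach a target, and generates tokens from the OS CSPRNG, which is the "good randomizer" assumption Oleg makes explicit.

```python
import math
import secrets
import string

# Alphabets discussed in the thread: base64url (64 symbols) and
# random alphanumerics (62 symbols). Both are assumed to be sampled uniformly.
BASE64URL_ALPHABET = string.ascii_letters + string.digits + "-_"
ALNUM_ALPHABET = string.ascii_letters + string.digits


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a token of `length` symbols drawn uniformly
    and independently from an alphabet of `alphabet_size` symbols:
    log2(alphabet_size ** length) == length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def chars_needed(alphabet_size: int, target_bits: float) -> int:
    """Smallest token length that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_token(length: int, alphabet: str = BASE64URL_ALPHABET) -> str:
    """Token of `length` symbols from the OS CSPRNG. secrets.choice samples
    uniformly, so the entropy is exactly entropy_bits(len(alphabet), length)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def token_from_bytes(n_bytes: int) -> str:
    """base64url-encode n_bytes of CSPRNG output without padding; this is
    what 'base64url encoded bytes' in the thread means. 16 bytes -> 22 chars,
    20 bytes -> 27 chars."""
    return secrets.token_urlsafe(n_bytes)


def check_token_strength(token: str, alphabet: str, minimum_bits: float = 128):
    """Defender-side check on a token format: confirm every symbol is in the
    expected alphabet and that the length clears the entropy bar. Returns
    (ok, bits). The 128-bit bar is an assumption, chosen from the thread's
    comparison with 128-bit symmetric keys."""
    if any(c not in alphabet for c in token):
        raise ValueError("token contains symbols outside the expected alphabet")
    bits = entropy_bits(len(alphabet), len(token))
    return bits >= minimum_bits, bits


if __name__ == "__main__":
    for size, name in ((64, "base64url"), (62, "alphanumeric")):
        print(f"{name}: 22 chars = {entropy_bits(size, 22):.1f} bits, "
              f"27 chars = {entropy_bits(size, 27):.1f} bits, "
              f"need {chars_needed(size, 128)} chars for 128 bits")
    # The examples under discussion were 7-12 characters: 42-72 bits in base64url.
    print("12-char base64url example:", check_token_strength("a" * 12, BASE64URL_ALPHABET))
    print("22-char base64url token:", random_token(22))
    print("20-byte token_urlsafe:", token_from_bytes(20))
```

Note that `chars_needed` rounds up, so for the 62-symbol alphanumeric alphabet 27 characters still lands just above 160 bits (about 160.8), which matches Brian's "a little more than 20 bytes"; the entropy figures hold only if the generator is a CSPRNG and the sampling is uniform, which `secrets` guarantees and a naive `random.choice` or modulo-biased mapping does not.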