Hi Nat,
...
We probably should put some text that gives flexibility
in that respect, such as " or put in place the controls that achieves
equivalent risk mitigation." etc.
One could add this text to nearly any of the guidelines given in Section
10. But how do you assess the equivalence of the respective control?
The intention of the security considerations section was to give clear
guidance even for implementors unfamiliar with security and threat
analysis. We therefore gave simple guidelines without much explanation
of the rationale. I think this will work for most implementations.
Implementors confronted with circumstances which do not allow them to
adhere to the security considerations should create an appropriate
security design based on the threat model and security considerations
document.
regards,
Torsten.
=nat
On Fri, Feb 3, 2012 at 9:37 AM, Igor Faynberg
<igor.faynb...@alcatel-lucent.com> wrote:
Nat,
Your note made me think (as always), so maybe some text clarification is
indeed in order.
I have a slightly different understanding of the items you brought up. RFC
1750 is Informational, and I thought (maybe mistakenly?) that it cannot be
used as a norm in a MUST clause. Therefore, I assumed that the clause
prescribes the use of cryptographically-strong pseudo-random generators but
stopped short of listing them.
The second item, I read as defining the strength, giving the necessary and
desired bounds for a collision probability of two generated values.
Igor
On 2/2/2012 4:25 AM, Nat Sakimura wrote:
hi.
The rev. 23 has a normative change in section 10.10 as:
10.10. Credentials Guessing Attacks
[...]
Generated tokens and other credentials not intended for handling by
end-users MUST be constructed from a cryptographically strong random
or pseudo-random number sequence ([RFC1750]) generated by the
authorization server.
Does this normative requirement only allows pseudo-random number
sequence described as in Section 6.3 of RFC1750?
Or does it allow something that includes it? I gather that it is the later,
but the wording "constructed from" sounds a little vague.
It also states:
The probability of any two values being
identical MUST be less than or equal to 2^(-128) and SHOULD be less
than or equal to 2^(-160).
It is "the probability that a randomly generated guessed value being
identical to
the authoritatively generated token or credential value", I suppose.
--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth