Thanks, Brian. "Must" for 128 bits makes perfect sense. 160 bits looks good as a recommended entropy as well.
WG, Please update the doc. It's important to provide clear guidelines for OAuth implementers, which are many nowadays.

--- On Fri, 11/2/12, Brian Campbell <bcampb...@pingidentity.com> wrote:

From: Brian Campbell <bcampb...@pingidentity.com>
Subject: Re: [OAUTH-WG] OAuth token entropy
To: "Oleg Gryb" <o...@gryb.info>
Cc: "Torsten Lodderstedt" <tors...@lodderstedt.net>, "oauth" <oauth@ietf.org>
Date: Friday, November 2, 2012, 2:19 PM

I believe the original text (which was borrowed from elsewhere) had a must followed by a should rather than two shoulds like that. The text seems to have drifted a bit in various places, but the threat model text should probably be aligned with what's in core OAuth at http://tools.ietf.org/html/rfc6749#section-10.10

On Fri, Nov 2, 2012 at 10:16 AM, Oleg Gryb <oleg_g...@yahoo.com> wrote:

Can somebody please provide clarification for this:
http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-05#section-5.1.4.2.2

5.1.4.2.2. High entropy of secrets...
The probability of any two Authorization Code values being identical should be less than or equal to 2^(-128) and should be less than or equal to 2^(-160).

Is there any reason why we have two inclusive conditions in this statement, or is it a typo and you meant something else?

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
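The thread settles on the RFC 6749 section 10.10 wording: a collision (or guessing) probability of at most 2^(-128) as the MUST and at most 2^(-160) as the SHOULD. What an implementer actually needs from that is a way to turn "bits of entropy" into a token length for the alphabet they use, and a generator that reaches the threshold. The following is an added example, not code from the thread, the draft or any OAuth implementation; the alphabet sizes, the 20-byte code length and the sample schemes are assumptions, and the birthday-bound estimate for a whole population of issued codes is an added generalization beyond the pairwise probability the draft text states.

```python
import math
import secrets

# Thresholds discussed in the thread (RFC 6749 section 10.10 wording):
# collision / guessing probability MUST be <= 2^-128 and SHOULD be <= 2^-160.
MUST_BITS = 128
SHOULD_BITS = 160


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of a token of `length` symbols each drawn uniformly
    and independently (from a CSPRNG) out of `alphabet_size` symbols.
    Only uniformly random symbols count: a checksum, a timestamp, or a hash
    of a low-entropy seed adds length but no entropy."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("alphabet must have >= 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def collision_probability(bits: float) -> float:
    """Probability that two independently generated tokens with `bits` bits
    of entropy are identical: 2^-bits. This is the quantity the draft's
    'any two Authorization Code values being identical' sentence bounds."""
    return 2.0 ** (-bits)


def birthday_collision_probability(bits: float, issued: int) -> float:
    """Added generalization: approximate probability that *any* pair among
    `issued` tokens collides (birthday bound: issued*(issued-1)/2 pairs)."""
    pairs = issued * (issued - 1) / 2
    return min(1.0, pairs * collision_probability(bits))


def min_length(alphabet_size: int, bits: int) -> int:
    """Smallest token length over `alphabet_size` symbols reaching `bits`."""
    return math.ceil(bits / math.log2(alphabet_size))


def assess(bits: float) -> str:
    """Classify a token scheme against the MUST / SHOULD thresholds."""
    if bits >= SHOULD_BITS:
        return "meets SHOULD"
    if bits >= MUST_BITS:
        return "meets MUST"
    return "below MUST"


def generate_authorization_code(nbytes: int = 20) -> str:
    """Authorization code with nbytes*8 bits of entropy from the OS CSPRNG
    (20 bytes = 160 bits, the SHOULD level), base64url without padding.
    Assumption: the code is an opaque random handle looked up server-side,
    not a self-encoded value."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed schemes an implementer might pick (alphabet sizes assumed).
    schemes = {
        "16 hex chars (64-bit random)": (16, 16),
        "32 hex chars": (16, 32),
        "22 alphanumeric chars": (62, 22),
        "27 base64url chars": (64, 27),
    }
    for name, (alphabet, length) in schemes.items():
        b = entropy_bits(alphabet, length)
        print(f"{name:32s} {b:6.1f} bits  "
              f"p(collision)={collision_probability(b):.1e}  {assess(b)}")
    print("base64url length for 128 bits:", min_length(64, MUST_BITS))
    print("alphanumeric length for 160 bits:", min_length(62, SHOULD_BITS))
    code = generate_authorization_code()
    print("sample code:", code, f"({len(code)} chars, 160 bits)")
```

The `assess` split matches Brian's reading of the intended text: 128 bits is the floor an implementation must clear, 160 bits is the recommended target. Note that `entropy_bits` only tells the truth when every symbol comes from a CSPRNG; the same 27-character string built from a timestamp and a counter would score 162 bits here while actually being guessable.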