I notice that code_verifier is defined as "high entropy cryptographic
random string of length less than 128 bytes"  [1], which brought a few
questions and comments to mind. So here goes:

Talking about the length of a string in terms of bytes is always
potentially confusing. Maybe characters would be an easier unit for people
like me to wrap their little brains around?

Why are we putting a length restriction on the code_verifier anyway? It
seems like it'd be more appropriate to restrict the length of the
code_challenge because that's the thing the AS will have to maintain
somehow (store in a DB or memory or encrypt into the code). Am I missing
something here?

Let me also say that I hadn't looked at this document since its early days
in draft -00 or -01 last summer but I like the changes and how it's been
kept pretty simple for the common use-case while still allowing for crypto
agility/extension. Nice work!

[1] http://tools.ietf.org/html/draft-sakimura-oauth-tcse-03#section-3.3
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
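An added illustration of the length question raised above (example code, not from the message author or the draft): with the S256 method as later standardized in RFC 7636, the code_challenge the AS must keep is always a fixed 43-character base64url digest, whatever the length of the code_verifier, and a verifier's character count and byte count only coincide when it is ASCII. Function names here are my own.

```python
import base64
import hashlib
import secrets


def make_code_verifier(num_bytes: int = 32) -> str:
    """Build a code_verifier from high-entropy random bytes, base64url encoded
    without padding so it contains only unreserved URL characters.
    32 bytes -> 43 characters; 96 bytes -> 128 characters."""
    raw = secrets.token_bytes(num_bytes)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def s256_code_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (S256 method).
    The digest is 32 bytes, so the challenge is always 43 characters."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_at_as(code_verifier: str, stored_challenge: str) -> bool:
    """What the AS does at the token endpoint: recompute the challenge from the
    presented verifier and compare it in constant time with the stored value."""
    return secrets.compare_digest(s256_code_challenge(code_verifier), stored_challenge)


def length_report(code_verifier: str) -> dict:
    """Report the verifier's length in characters and in UTF-8 bytes, plus the
    challenge length when the verifier is ASCII (S256 is defined over ASCII only)."""
    is_ascii = code_verifier.isascii()
    return {
        "verifier_chars": len(code_verifier),
        "verifier_bytes": len(code_verifier.encode("utf-8")),
        "challenge_chars": len(s256_code_challenge(code_verifier)) if is_ascii else None,
    }


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = s256_code_challenge(verifier)
    print(length_report(verifier))                 # challenge_chars is 43
    print(length_report(make_code_verifier(96)))   # 128-char verifier, still 43
    print(length_report("\u00e9" * 20))            # 20 chars but 40 bytes; no ASCII challenge
    print(verify_at_as(verifier, challenge))       # True
```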
