Hi Nat, John, Naveen, thanks a lot for your work on the document.
I still need responses to this mail to complete the shepherd writeup: http://www.ietf.org/mail-archive/web/oauth/current/msg14100.html

I definitely need the IPR confirmation. It would also be helpful to have someone who implemented the specification as it currently is. I asked Brian and Thorsten for clarification regarding their statements that they implemented earlier versions of the spec.

As a final remark, I still believe that the text regarding the randomness is a bit inconsistent. Here are two examples:

1) In the Security Considerations you write that "The security model relies on the fact that the code verifier is not learned or guessed by the attacker. It is vitally important to adhere to this principle."

2) In Section 4.1 you, however, write: "NOTE: code verifier SHOULD have enough entropy to make it impractical to guess the value. It is RECOMMENDED that the output of a suitable random number generator be used to create a 32-octet sequence."

There is clearly a long way from a SHOULD have enough entropy to the text in the Security Considerations section where you ask for 32 bytes of entropy. It is also not clear why you ask for 32 bytes of entropy in particular.

Ciao
Hannes
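To make the 32-octet recommendation quoted above concrete, here is an added example (not part of Hannes's mail or of the draft text) showing what a code verifier built from 32 octets of CSPRNG output looks like and how an authorization server checks it. The base64url encoding without padding, the unreserved-character alphabet with the 43 to 128 character bounds, and the S256 challenge construction follow the later published RFC 7636; the length check in `is_well_formed_verifier` is the server-side counterpart of the "enough entropy" requirement, since a verifier shorter than 43 characters cannot have been derived from 32 random octets. The known-answer values are the RFC 7636 Appendix B test vector.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 restricts the verifier to the unreserved characters
# [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~", 43..128 characters long.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")

# RFC 7636 Appendix B known-answer vector (S256 method).
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def _b64url(data: bytes) -> str:
    """base64url without '=' padding, as the PKCE spec requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_octets: int = 32) -> str:
    """Client side: draw n_octets from the OS CSPRNG and encode them.

    32 octets (256 bits of entropy) encode to exactly 43 characters, the
    minimum length the spec allows; 96 octets encode to the 128-char maximum.
    """
    if not 32 <= n_octets <= 96:
        raise ValueError("n_octets must be between 32 and 96 to meet the spec bounds")
    return _b64url(secrets.token_bytes(n_octets))


def code_challenge_s256(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def is_well_formed_verifier(verifier: str) -> bool:
    """Server side: reject verifiers that are too short (i.e. could not carry
    32 random octets), too long, or use characters outside the alphabet."""
    return _VERIFIER_RE.fullmatch(verifier) is not None


def verify_code_verifier(verifier: str, stored_challenge: str) -> bool:
    """Server side: recompute the S256 challenge from the presented verifier
    and compare it against the challenge stored at authorization time.
    hmac.compare_digest avoids leaking the match position through timing."""
    if not is_well_formed_verifier(verifier):
        return False
    return hmac.compare_digest(code_challenge_s256(verifier), stored_challenge)


if __name__ == "__main__":
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)
    print("code_verifier :", verifier)
    print("code_challenge:", challenge)
    print("server accepts:", verify_code_verifier(verifier, challenge))
```

The client sends `challenge` with the authorization request and presents `verifier` only at the token endpoint; the server never needs to store the verifier, and an attacker who captures the authorization code still has to guess 256 bits to redeem it.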
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth