We have discussed on the list making allowing the entropy for plain to be smaller.
32bytes was selected as a good value for S256. The reason for S256 vs plain is that you are assuming an attacker is going to intercept the request, and thus you want to have enough entropy to prevent offline brute force. For plain you are assuming that the attacker can't intercept the request, and if they do more entropy won't help you. In the plain case you are only protecting against a on line guess for a single use token. That could safely be much lower entropy as it is not protecting against off-line brute force. 128bits would be more than enough in that case. I left it as 256bits for both to not introduce more options and not confuse people about why plain needs less entropy than S256. What is the WG feeling should we recommend different minimum values for each of the transforms? John B. > On Feb 17, 2015, at 8:56 AM, Hannes Tschofenig <hannes.tschofe...@gmx.net> > wrote: > > Hi Nat, John, Naveen, > > thanks a lot for your work on the document. > > I still need responses to this mail to complete the shepherd writeup: > http://www.ietf.org/mail-archive/web/oauth/current/msg14100.html > > I definitely need the IPR confirmation. > > It would also be helpful to have someone who implemented the > specification as it currently is. I asked Brian and Thorsten for > clarification regarding their statements that they implemented earlier > versions of the spec. > > As a final remark I still believe that the text regarding the randomness > is still a bit inconsistent. Here are two examples: > > 1) In the Security Consideration you write that "The security model > relies on the fact that the code verifier is not learned or guessed by > the attacker. It is vitally important to adhere to this principle. " > > 2) In Section 4.1 you, however, write: "NOTE: code verifier SHOULD have > enough entropy to make it impractical to guess the value. It is > RECOMMENDED that the output of a suitable random number generator be > used to create a 32-octet sequence." > > There is clearly a long way from a SHOULD have enough entropy to the > text in the security consideration section where you ask for 32 bytes > entropy. > > It is also not clear why you ask for 32 bytes of entropy in particular. > > Ciao > Hannes >
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
