Hi John, I am fine with the plain vs. SHA256 concept and I understand the reasoning behind the two. Having the same for both types is also OK for me.
My question about the 32 bytes entropy was based on curiosity. SHA256 is a function that takes an arbitrary length input and produces an output with 256 bits. The 256bit output length does not mean that you have put give it 256bits randomness as input. If the group thinks that this is a reasonable value (and not too big) then I am fine with it as well. Ciao Hannes On 02/18/2015 05:42 AM, John Bradley wrote: > We have discussed on the list making allowing the entropy for plain to be > smaller. > > 32bytes was selected as a good value for S256. > > The reason for S256 vs plain is that you are assuming an attacker is going to > intercept the request, and thus you want to have enough entropy to prevent > offline brute force. > > For plain you are assuming that the attacker can't intercept the request, and > if they do more entropy won't help you. > > In the plain case you are only protecting against a on line guess for a > single use token. That could safely be much lower entropy as it is not > protecting against off-line brute force. > 128bits would be more than enough in that case. I left it as 256bits for > both to not introduce more options and not confuse people about why plain > needs less entropy than S256. > > What is the WG feeling should we recommend different minimum values for each > of the transforms? > > John B. > >> On Feb 17, 2015, at 8:56 AM, Hannes Tschofenig <hannes.tschofe...@gmx.net> >> wrote: >> >> Hi Nat, John, Naveen, >> >> thanks a lot for your work on the document. >> >> I still need responses to this mail to complete the shepherd writeup: >> http://www.ietf.org/mail-archive/web/oauth/current/msg14100.html >> >> I definitely need the IPR confirmation. >> >> It would also be helpful to have someone who implemented the >> specification as it currently is. I asked Brian and Thorsten for >> clarification regarding their statements that they implemented earlier >> versions of the spec. >> >> As a final remark I still believe that the text regarding the randomness >> is still a bit inconsistent. Here are two examples: >> >> 1) In the Security Consideration you write that "The security model >> relies on the fact that the code verifier is not learned or guessed by >> the attacker. It is vitally important to adhere to this principle. " >> >> 2) In Section 4.1 you, however, write: "NOTE: code verifier SHOULD have >> enough entropy to make it impractical to guess the value. It is >> RECOMMENDED that the output of a suitable random number generator be >> used to create a 32-octet sequence." >> >> There is clearly a long way from a SHOULD have enough entropy to the >> text in the security consideration section where you ask for 32 bytes >> entropy. >> >> It is also not clear why you ask for 32 bytes of entropy in particular. >> >> Ciao >> Hannes >> >
signature.asc
Description: OpenPGP digital signature
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
