Does that apply to access tokens, refresh tokens, and authorization codes? I can try squeezing in 22 characters.
EHL

> -----Original Message-----
> From: Brian Campbell [mailto:[email protected]]
> Sent: Wednesday, July 06, 2011 8:46 PM
> To: Oleg Gryb
> Cc: Eran Hammer-Lahav; OAuth WG
> Subject: Re: [OAUTH-WG] Example tokens
>
> So on the 128-bit note, the examples could probably be a bit shorter,
> 22 characters would give somewhat more than 128 bits of randomness.
> But to EHL's original question, the examples (currently 7-12
> characters) should probably be longer.
>
> On Wed, Jul 6, 2011 at 5:27 PM, Oleg Gryb <[email protected]> wrote:
> > log2(64^27)=162 bits
> >
> > Looks good. For comparison, 128-bit entropy for a key in symmetric
> > encryption used by SSL is considered as strong.
> > I'm assuming that all those 162 bits are generated by a good randomizer.
> >
> > ----- Original Message ----
> >> From: Brian Campbell <[email protected]>
> >> To: Eran Hammer-Lahav <[email protected]>
> >> Cc: OAuth WG <[email protected]>
> >> Sent: Wed, July 6, 2011 4:06:29 PM
> >> Subject: Re: [OAUTH-WG] Example tokens
> >>
> >> If I've done the math correctly, 27 characters would give you a
> >> little more than 20 bytes worth of randomness (assuming you are
> >> using random alphanumeric characters or base64url encoded bytes).
> >> 20 bytes is something you see as a SHOULD type minimum length in
> >> other protocols for random identifiers. Not sure if that's
> >> sufficient reasoning but it's what I can come up with.
> >>
> >> On Wed, Jul 6, 2011 at 4:40 PM, Eran Hammer-Lahav
> >> <[email protected]> wrote:
> >> > Are the tokens used in the examples long enough? I don't want the
> >> > examples to demonstrate poor choice of byte count.
> >> > EHL
> >> > _______________________________________________
> >> > OAuth mailing list
> >> > [email protected]
> >> > https://www.ietf.org/mailman/listinfo/oauth
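
The length and entropy figures discussed in this thread, worked through as an added Python example that is not part of the original messages. The function names and the 128-bit default are assumptions chosen for illustration; the alphabets are the two named in the thread (alphanumeric and base64url).

```python
import math
import secrets
import string

# Alphabets named in the thread: base64url (64 symbols), alphanumeric (62).
B64URL = string.ascii_letters + string.digits + "-_"
ALNUM = string.ascii_letters + string.digits


def entropy_bits(length, alphabet_size):
    """Upper bound on token entropy in bits.

    Reached only if every character is drawn uniformly and independently
    from a CSPRNG; length alone proves nothing about randomness.
    """
    return length * math.log2(alphabet_size)


def min_length(target_bits, alphabet_size):
    """Fewest characters whose entropy bound is at least target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def new_token(target_bits=128, alphabet=B64URL):
    """Token with at least target_bits of entropy (hypothetical helper).

    secrets.choice samples from the OS CSPRNG without modulo bias, so the
    bound from entropy_bits() is actually met for any alphabet size.
    """
    length = min_length(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Lengths discussed in the thread: current examples (7-12), 22 and 27.
    for n in (7, 12, 22, 27):
        print(f"{n:2d} chars: base64url {entropy_bits(n, 64):6.1f} bits, "
              f"alphanumeric {entropy_bits(n, 62):6.1f} bits")
    print("128-bit token:", new_token())
    print("160-bit alphanumeric token:", new_token(160, ALNUM))
```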
