Access tokens realistically may be longer as they may have encrypted scopes and
such.
________________________________
From: Eran Hammer-Lahav <[email protected]>
To: Brian Campbell <[email protected]>; Oleg Gryb <[email protected]>
Cc: OAuth WG <[email protected]>
Sent: Wednesday, July 6, 2011 8:53 PM
Subject: Re: [OAUTH-WG] Example tokens
Does that apply to access tokens, refresh tokens, and authorization codes? I
can try squeezing in 22 characters.
EHL
> -----Original Message-----
> From: Brian Campbell [mailto:[email protected]]
> Sent: Wednesday, July 06, 2011 8:46 PM
> To: Oleg Gryb
> Cc: Eran Hammer-Lahav; OAuth WG
> Subject: Re: [OAUTH-WG] Example tokens
>
> So on the 128-bit note, the examples could probably be a bit shorter,
> 22 characters would give somewhat more than 128 bits of randomness.
> But to EHL's original question, the examples (currently 7-12
> characters) should probably be longer.
>
> On Wed, Jul 6, 2011 at 5:27 PM, Oleg Gryb <[email protected]> wrote:
> > log2(64^27)=162 bits
> >
> > Looks good. For comparison, 128-bit entropy for a key in symmetric
> > encryption used by SSL is considered strong.
> > I'm assuming that all those 162 bits are generated by a good randomizer.
> >
> > ----- Original Message ----
> >> From: Brian Campbell <[email protected]>
> >> To: Eran Hammer-Lahav <[email protected]>
> >> Cc: OAuth WG <[email protected]>
> >> Sent: Wed, July 6, 2011 4:06:29 PM
> >> Subject: Re: [OAUTH-WG] Example tokens
> >>
> >> If I've done the math correctly, 27 characters would give you a
> >> little more than 20 bytes worth of randomness (assuming you are
> >> using random alphanumeric characters or base64url encoded bytes).
> >> 20 bytes is something you see as a SHOULD type minimum length in
> >> other protocols for random identifiers. Not sure if that's
> >> sufficient reasoning but it's what I can come up with.
> >>
> >> On Wed, Jul 6, 2011 at 4:40 PM, Eran Hammer-Lahav <[email protected]> wrote:
> >> > Are the tokens used in the examples long enough? I don't want the
> >> > examples
> >> > to demonstrate poor choice of byte count.
> >> > EHL
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
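The arithmetic argued over in this thread, as an added example that is not part of any of the messages above: the code computes how many bits of randomness a token of a given character count carries (log2(64^27) = 162 for 27 base64url characters), how many characters are needed to reach a target such as 128 or 160 bits, and generates tokens from a CSPRNG in both styles the thread mentions (random alphanumeric characters, base64url-encoded random bytes). It also checks the caveat that a base64url token built from whole random bytes carries exactly 8 bits per byte, so 20 bytes give 27 characters but 160 bits rather than 162. The function names and the 16- and 20-byte sizes used in the usage section are this example's own choices.

```python
import base64
import math
import secrets
import string

# Alphabets discussed in the thread: base64url (64 symbols) and alphanumeric (62 symbols).
BASE64URL_ALPHABET = string.ascii_letters + string.digits + "-_"
ALNUM_ALPHABET = string.ascii_letters + string.digits


def entropy_bits(num_chars, alphabet_size=64):
    """Bits of randomness in num_chars symbols, each drawn uniformly and
    independently from an alphabet of alphabet_size symbols: log2(size^n)."""
    return num_chars * math.log2(alphabet_size)


def chars_for_bits(target_bits, alphabet_size=64):
    """Smallest symbol count that carries at least target_bits of randomness."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_alnum_token(num_chars):
    """Token of num_chars alphanumeric symbols, each chosen with a CSPRNG.
    secrets.choice is uniform over the alphabet, so entropy_bits(num_chars, 62) applies."""
    return "".join(secrets.choice(ALNUM_ALPHABET) for _ in range(num_chars))


def random_b64url_token(num_bytes):
    """num_bytes of CSPRNG output, base64url-encoded with '=' padding stripped.
    Entropy is exactly 8 * num_bytes; entropy_bits(len(token)) is only an
    upper bound because the final character may carry fewer than 6 bits."""
    raw = secrets.token_bytes(num_bytes)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_token_entropy(token):
    """Actual entropy of a padding-stripped base64url token made from whole
    random bytes: 8 bits per decoded byte, not 6 per character."""
    padded = token + "=" * (-len(token) % 4)
    return 8 * len(base64.urlsafe_b64decode(padded))


if __name__ == "__main__":
    print(f"27 base64url chars: up to {entropy_bits(27):.0f} bits")            # 162, as computed in the thread
    print(f"128 bits needs {chars_for_bits(128)} base64url chars")             # 22
    print(f"160 bits (20 bytes) needs {chars_for_bits(160)} base64url chars")  # 27
    for n in (7, 12):  # the example-token lengths questioned on the list
        print(f"{n} chars: only {entropy_bits(n):.0f} bits")
    # Sizes below are this example's choices: 20 bytes (the SHOULD minimum
    # mentioned in the thread) and 16 bytes (exactly 128 bits).
    t20 = random_b64url_token(20)
    print(t20, len(t20), b64url_token_entropy(t20))  # 27 chars, 160 bits
    t16 = random_b64url_token(16)
    print(t16, len(t16), b64url_token_entropy(t16))  # 22 chars, 128 bits
    print(random_alnum_token(22), f"{entropy_bits(22, 62):.1f} bits")
```

The per-character figure is an upper bound that only holds when every symbol is drawn uniformly from a CSPRNG, which is the assumption Oleg states; a token derived from a timestamp, counter or weak PRNG can be 27 characters long and still carry far fewer than 160 bits.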