hi. The rev. 23 has a normative change in section 10.10 as:
10.10. Credentials Guessing Attacks

[...] Generated tokens and other credentials not intended for handling by end-users MUST be constructed from a cryptographically strong random or pseudo-random number sequence ([RFC1750]) generated by the authorization server.

Does this normative requirement only allow a pseudo-random number sequence as described in Section 6.3 of RFC1750? Or does it allow something that includes it? I gather that it is the latter, but the wording "constructed from" sounds a little vague.

It also states:

The probability of any two values being identical MUST be less than or equal to 2^(-128) and SHOULD be less than or equal to 2^(-160).

It is "the probability that a randomly generated guessed value is identical to the authoritatively generated token or credential value", I suppose.

--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
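To make the two readings of the 2^(-128) bound concrete, here is an added example (not from the thread or the draft): a token generator that draws a chosen number of bits from the OS CSPRNG, a function giving the probability that two independently generated tokens are identical, and a birthday-bound helper showing how much longer tokens must be if "any two values" is read over the whole population of issued tokens. The function names and the population size are assumptions for illustration.

```python
import secrets
from fractions import Fraction

# Thresholds quoted from section 10.10 of the draft (MUST / SHOULD bounds).
MUST_MAX_COLLISION_PROB = Fraction(1, 2**128)
SHOULD_MAX_COLLISION_PROB = Fraction(1, 2**160)


def generate_token(bits: int) -> str:
    """Return a URL-safe token carrying `bits` bits of entropy.

    secrets.token_urlsafe() reads from os.urandom(), i.e. the platform CSPRNG,
    which is the kind of source the "cryptographically strong" wording asks for.
    """
    if bits <= 0 or bits % 8:
        raise ValueError("bits must be a positive multiple of 8")
    return secrets.token_urlsafe(bits // 8)


def pairwise_collision_probability(bits: int) -> Fraction:
    """Probability that two independent uniform `bits`-bit values are identical.

    This is the single-pair reading: an attacker's one guess versus one token.
    """
    return Fraction(1, 2**bits)


def meets_requirement(bits: int, level: str = "MUST") -> bool:
    """Check a token length against the MUST (2^-128) or SHOULD (2^-160) bound."""
    bound = MUST_MAX_COLLISION_PROB if level == "MUST" else SHOULD_MAX_COLLISION_PROB
    return pairwise_collision_probability(bits) <= bound


def birthday_collision_bound(bits: int, n_tokens: int) -> Fraction:
    """Union bound on the probability that *any* pair among n_tokens collides:
    n(n-1)/2 pairs, each colliding with probability 2^-bits.

    This is the population reading of "any two values being identical".
    """
    pairs = n_tokens * (n_tokens - 1) // 2
    return Fraction(pairs, 2**bits)


def min_bits_for_population(n_tokens: int, max_prob: Fraction) -> int:
    """Smallest token length whose birthday bound stays within max_prob."""
    bits = 1
    while birthday_collision_bound(bits, n_tokens) > max_prob:
        bits += 1
    return bits
```

With 2^30 issued tokens (an assumed population), the population reading pushes the required length from 128 bits to 187 bits, which is the practical difference between the two interpretations.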
