I believe the original text (which was borrowed from elsewhere) had a must followed by a should rather than two shoulds like that. The text seems to have drifted a bit in various places but the threat model text should probably be aligned with what's in core OAuth at http://tools.ietf.org/html/rfc6749#section-10.10
On Fri, Nov 2, 2012 at 10:16 AM, Oleg Gryb <oleg_g...@yahoo.com> wrote: > Can somebody please provide clarification for this: > > > <http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-05#section-5.1.4.2.2> > > <http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-05#section-5.1.4.2.2>http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-05#section-5.1.4.2.25.1.4.2.2 > > <http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-05#section-5.1.4.2.2>. > High entropy of secrets... > The probability of any two Authorization Code > values being identical should be less than or equal to 2^(-128) and > should be less than or equal to 2^(-160). > > > > Is there any reason why we have two inclusive conditions in this statement > or is it a typo and you meant something else? > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth