I believe the IESG wanted a higher level of entropy. It looks like the text may have gotten mangled along the way. Torsten, do you recall?

Phil
@independentid
www.independentid.com
[email protected]

On 2012-11-02, at 11:19 AM, Brian Campbell wrote:

> I believe the original text (which was borrowed from elsewhere) had a must
> followed by a should rather than two shoulds like that. The text seems to
> have drifted a bit in various places but the threat model text should
> probably be aligned with what's in core OAuth at
> http://tools.ietf.org/html/rfc6749#section-10.10
>
> On Fri, Nov 2, 2012 at 10:16 AM, Oleg Gryb <[email protected]> wrote:
>
> Can somebody please provide clarification for this:
>
> http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-05#section-5.1.4.2.2
>
> 5.1.4.2.2. High entropy of secrets
>
> ...
> The probability of any two Authorization Code
> values being identical should be less than or equal to 2^(-128) and
> should be less than or equal to 2^(-160).
>
> Is there any reason why we have two inclusive conditions in this statement or
> is it a typo and you meant something else?
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
