Brian Campbell <[email protected]> writes:

> I notice that code_verifier is defined as "high entropy cryptographic random
> string of length less than 128 bytes" [1], which brought a few questions and
> comments to mind. So here goes:
>
> Talking about the length of a string in terms of bytes is always potentially
> confusing. Maybe characters would be an easier unit for people like me to wrap
> their little brains around?

It depends if it really is characters or bytes. For example, there are many multi-byte UTF-8 characters, so if it really is bytes then saying characters is wrong because it could overflow. So let's make sure we know what we're talking about. Historically, if we're talking bytes the IETF often uses the phrase "octets". Would that be less confusing?

> Why are we putting a length restriction on the code_verifier anyway? It seems
> like it'd be more appropriate to restrict the length of the code_challenge
> because that's the thing the AS will have to maintain somehow (store in a DB
> or memory or encrypt into the code). Am I missing something here?
>
> Let me also say that I hadn't looked at this document since its early days in
> draft -00 or -01 last summer but I like the changes and how it's been kept
> pretty simple for the common use-case while still allowing for crypto agility/
> extension. Nice work!
>
> [1] http://tools.ietf.org/html/draft-sakimura-oauth-tcse-03#section-3.3

-derek

> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
[email protected] PGP key available
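A worked illustration of the two points raised in the thread (character count versus octet count of a code_verifier, and the fact that a hashed code_challenge has a fixed size regardless of verifier length), added here as an example and not taken from the thread or from the draft. It assumes the RFC 3986 "unreserved" alphabet for the verifier and the S256 challenge method as later specified in RFC 7636, BASE64URL-without-padding(SHA-256(ASCII(code_verifier))); the draft revision under discussion may differ.

```python
import base64
import hashlib
import secrets
import string

# Assumption: verifier alphabet is RFC 3986 "unreserved" (ALPHA / DIGIT / "-" / "." / "_" / "~").
UNRESERVED = string.ascii_letters + string.digits + "-._~"
OCTET_LIMIT = 128  # the draft's "length less than 128 bytes"


def make_code_verifier(n_chars: int = 64) -> str:
    """Random verifier over the unreserved alphabet; every char is exactly one octet."""
    return "".join(secrets.choice(UNRESERVED) for _ in range(n_chars))


def length_report(s: str, octet_limit: int = OCTET_LIMIT) -> dict:
    """Compare character count with UTF-8 octet count against the octet limit.

    For ASCII-only verifiers the two agree; for multi-byte UTF-8 text a string
    with fewer than 128 characters can still exceed 128 octets.
    """
    octets = len(s.encode("utf-8"))
    return {"chars": len(s), "octets": octets, "within_limit": octets < octet_limit}


def s256_challenge(verifier: str) -> str:
    """Assumed S256 method: BASE64URL(SHA-256(ASCII(verifier))) with '=' padding stripped.

    SHA-256 is 32 octets, so the unpadded base64url text is always 43 characters,
    independent of how long the verifier is.
    """
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


if __name__ == "__main__":
    ascii_v = make_code_verifier(100)
    multibyte = "\u00e9" * 100          # constructed: 100 chars, 2 octets each in UTF-8
    print("unreserved verifier:", length_report(ascii_v))
    print("100 x U+00E9:       ", length_report(multibyte))
    print("challenge:", s256_challenge(ascii_v), "len", len(s256_challenge(ascii_v)))
```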
