Yeah, it does depend on what it really is and why the length needs to be restricted. That's what the other questions were really about.
Octets would be better than bytes, if that's what's intended.

On Mon, May 12, 2014 at 3:15 PM, Derek Atkins <[email protected]> wrote:

> Brian Campbell <[email protected]> writes:
>
> > I notice that code_verifier is defined as "high entropy cryptographic random
> > string of length less than 128 bytes" [1], which brought a few questions and
> > comments to mind. So here goes:
> >
> > Talking about the length of a string in terms of bytes is always potentially
> > confusing. Maybe characters would be an easier unit for people like me to wrap
> > their little brains around?
>
> It depends if it really is characters or bytes. For example there are
> many multi-byte UTF-8 characters, so if it really is bytes then saying
> characters is wrong because it could overflow. So let's make sure we
> know what we're talking about. Historically, if we're talking bytes the
> IETF often uses the phrase "octets". Would that be less confusing?
>
> > Why are we putting a length restriction on the code_verifier anyway? It seems
> > like it'd be more appropriate to restrict the length of the code_challenge
> > because that's the thing the AS will have to maintain somehow (store in a DB
> > or memory or encrypt into the code). Am I missing something here?
> >
> > Let me also say that I hadn't looked at this document since its early days in
> > draft -00 or -01 last summer but I like the changes and how it's been kept
> > pretty simple for the common use-case while still allowing for crypto agility/
> > extension. Nice work!
> >
> > [1] http://tools.ietf.org/html/draft-sakimura-oauth-tcse-03#section-3.3
>
> -derek
>
> > _______________________________________________
> > OAuth mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/oauth
>
> --
> Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> Member, MIT Student Information Processing Board (SIPB)
> URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
> [email protected] PGP key available

--
Brian Campbell
Portfolio Architect @ Ping Identity
+1 720.317.2061
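The bytes-versus-characters question in the exchange above, as an added Python example that is not from the thread or from the draft. It assumes the "less than 128 bytes" limit quoted from draft-sakimura-oauth-tcse-03 and enforces it in octets of the UTF-8 encoding; for deriving code_challenge it assumes the S256 transform (base64url of SHA-256 over the ASCII verifier, the method RFC 7636 later standardised). The multi-byte sample verifier is constructed for the demonstration.

```python
import base64
import hashlib
import secrets

# Limit quoted from draft-sakimura-oauth-tcse-03: "length less than 128 bytes".
# The check below counts octets of the UTF-8 encoding, not characters.
MAX_VERIFIER_OCTETS = 128


def octet_length(s: str) -> int:
    """Length in octets (UTF-8 bytes), which is what a byte limit must count."""
    return len(s.encode("utf-8"))


def verifier_within_limit(verifier: str, limit: int = MAX_VERIFIER_OCTETS) -> bool:
    """True if the verifier satisfies the draft's 'less than 128 bytes' rule.

    Counting len(verifier) (characters) instead would accept a string that
    overflows a fixed 128-octet buffer once it is encoded.
    """
    return octet_length(verifier) < limit


def new_code_verifier(random_octets: int = 32) -> str:
    """High-entropy verifier: random octets, base64url-encoded without padding.

    32 random octets give 43 ASCII characters, so octets == characters here.
    """
    raw = secrets.token_bytes(random_octets)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = base64url(SHA-256(ASCII(code_verifier))).

    S256 is an assumption of this example (the transform RFC 7636 adopted).
    The result is always 43 characters, whatever the verifier's length, which
    is what makes the challenge the natural thing for an AS to store.
    """
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Constructed sample: 100 characters, each a 3-octet UTF-8 character (300 octets).
# A character count says "fine"; an octet count says "too long".
MULTIBYTE_VERIFIER = "\u20ac" * 100


if __name__ == "__main__":
    v = new_code_verifier()
    print(len(v), octet_length(v), verifier_within_limit(v))  # 43 43 True
    print(len(MULTIBYTE_VERIFIER), octet_length(MULTIBYTE_VERIFIER),
          verifier_within_limit(MULTIBYTE_VERIFIER))  # 100 300 False
    print(len(code_challenge_s256(v)))  # 43
```

The fixed-size output of `code_challenge_s256` is the point behind restricting the challenge rather than the verifier: the AS only ever stores or encrypts a 43-character value, while the client-side verifier limit exists only so a byte-bounded buffer cannot be overflowed by multi-byte text.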
