Thanks, Naveen! I will complete my shepherd write-up with this information.
Ciao
Hannes

On 03/10/2015 07:33 PM, Naveen Agarwal wrote:
> > I definitely need the IPR confirmation.
>
> I'm not aware of any IPR related to this draft.
>
> On Tue, Feb 17, 2015 at 8:56 AM, Hannes Tschofenig
> <hannes.tschofe...@gmx.net> wrote:
>
> > Hi Nat, John, Naveen,
> >
> > thanks a lot for your work on the document.
> >
> > I still need responses to this mail to complete the shepherd writeup:
> > http://www.ietf.org/mail-archive/web/oauth/current/msg14100.html
> >
> > I definitely need the IPR confirmation.
> >
> > It would also be helpful to have someone who implemented the
> > specification as it currently is. I asked Brian and Thorsten for
> > clarification regarding their statements that they implemented earlier
> > versions of the spec.
> >
> > As a final remark I still believe that the text regarding the randomness
> > is still a bit inconsistent. Here are two examples:
> >
> > 1) In the Security Consideration you write that "The security model
> > relies on the fact that the code verifier is not learned or guessed by
> > the attacker. It is vitally important to adhere to this principle."
> >
> > 2) In Section 4.1 you, however, write: "NOTE: code verifier SHOULD have
> > enough entropy to make it impractical to guess the value. It is
> > RECOMMENDED that the output of a suitable random number generator be
> > used to create a 32-octet sequence."
> >
> > There is clearly a long way from a SHOULD have enough entropy to the
> > text in the security consideration section where you ask for 32 bytes
> > entropy.
> >
> > It is also not clear why you ask for 32 bytes of entropy in particular.
> >
> > Ciao
> > Hannes
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
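The 32-octet code verifier discussed in the quoted mail, worked through as an added Python example (not code from the draft or from anyone on this thread): the verifier is built from 32 CSPRNG octets, a check rejects values too short to carry that much entropy, and the challenge is computed with the S256 transform from the published PKCE spec (RFC 7636). The function names and the 43..128 length bounds are assumptions taken from that RFC, not from the draft text quoted here.

```python
import base64
import hashlib
import secrets
import string

# Assumed constants from the published PKCE spec (RFC 7636): 32 random octets
# base64url-encode to 43 characters; a verifier must be 43..128 unreserved chars.
VERIFIER_OCTETS = 32
MIN_VERIFIER_LEN = 43
MAX_VERIFIER_LEN = 128
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def b64url_nopad(data: bytes) -> str:
    """base64url encoding without '=' padding, as PKCE values are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_octets: int = VERIFIER_OCTETS) -> str:
    """Build a code verifier from a CSPRNG (hypothetical helper name).

    32 octets give 256 bits of entropy, which is what makes the value
    impractical to guess. The source must be a cryptographic RNG; a
    time-seeded PRNG would leave the verifier learnable by an attacker.
    """
    return b64url_nopad(secrets.token_bytes(n_octets))


def check_code_verifier(verifier: str) -> tuple:
    """Server-side sanity check: reject verifiers that are too short to
    carry the intended entropy or that use characters outside the
    unreserved set. Returns (ok, reason)."""
    if not MIN_VERIFIER_LEN <= len(verifier) <= MAX_VERIFIER_LEN:
        return False, "length %d outside %d..%d" % (
            len(verifier), MIN_VERIFIER_LEN, MAX_VERIFIER_LEN)
    if any(c not in UNRESERVED for c in verifier):
        return False, "character outside the unreserved set"
    return True, "ok"


def code_challenge_s256(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
```

The length check is a floor, not a guarantee: a 43-character string made of repeated characters passes the check but carries no entropy, so the generator side is where the security model actually lives.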