The following errata report has been submitted for RFC7636, "Proof Key for Code Exchange by OAuth Public Clients".
--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6471
--------------------------------------
Type: Technical
Reported by: Tom Crossland <[email protected]>

Section: 7.1

Original Text
-------------
The client SHOULD create a "code_verifier" with a minimum of 256 bits of entropy. This can be done by having a suitable random number generator create a 32-octet sequence. The octet sequence can then be base64url-encoded to produce a 43-octet URL safe string to use as a "code_challenge" that has the required entropy.

Corrected Text
--------------
The client SHOULD create a "code_verifier" with a minimum of 256 bits of entropy. This can be done by having a suitable random number generator create a 32-octet sequence. The octet sequence can then be base64url-encoded to produce a 43-octet URL safe string to use as a "code_verifier" that has the required entropy.

Notes
-----
The "32-octet sequence" referenced in the original text seems to be inconsistent with Section 4.1, which states that the minimum length of the code_verifier is 43 characters. It would be consistent by changing "code_challenge" to "code_verifier".

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please use "Reply All" to discuss whether it should be verified or rejected. When a decision is reached, the verifying party can log in to change the status and edit the report, if necessary.

--------------------------------------
RFC7636 (draft-ietf-oauth-spop-15)
--------------------------------------
Title            : Proof Key for Code Exchange by OAuth Public Clients
Publication Date : September 2015
Author(s)        : N. Sakimura, Ed., J. Bradley, N. Agarwal
Category         : PROPOSED STANDARD
Source           : Web Authorization Protocol
Area             : Security
Stream           : IETF
Verifying Party  : IESG

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
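The generation step that the quoted Section 7.1 text describes, written out as an added Python example (not code from the RFC or from the report): 32 CSPRNG octets base64url-encode, without padding, to exactly the 43-character minimum that Section 4.1 sets for the code_verifier, and the code_challenge is then derived from that verifier with the S256 method. The known-answer vector is the one from RFC 7636 Appendix B; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 Section 4.1: code_verifier is 43..128 unreserved characters.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def b64url_nopad(data: bytes) -> str:
    """BASE64URL encoding with the '=' padding removed (RFC 7636 Appendix A)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_verifier_from_octets(octets: bytes) -> str:
    """Section 7.1 as corrected: the base64url-encoded octets ARE the code_verifier."""
    if len(octets) < 32:
        raise ValueError("need at least 32 octets (256 bits) of entropy")
    verifier = b64url_nopad(octets)  # 32 octets -> 43 chars, the Section 4.1 minimum
    if not _VERIFIER_RE.fullmatch(verifier):
        raise ValueError("verifier outside the Section 4.1 length/charset rules")
    return verifier


def new_code_verifier() -> str:
    """Fresh verifier from a CSPRNG (secrets), never from random.random()."""
    return code_verifier_from_octets(secrets.token_bytes(32))


def code_challenge_s256(code_verifier: str) -> str:
    """Section 4.2, method S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def server_verifies(code_verifier: str, stored_challenge: str) -> bool:
    """Section 4.6: the authorization server recomputes the challenge from the
    presented verifier and compares it (constant-time) with the stored one."""
    if not _VERIFIER_RE.fullmatch(code_verifier):
        return False
    return hmac.compare_digest(code_challenge_s256(code_verifier), stored_challenge)


# Known-answer vector from RFC 7636 Appendix B (octets given there in JSON array notation).
RFC_APPENDIX_B_OCTETS = bytes([116, 24, 223, 180, 151, 153, 224, 37, 79, 250, 96, 125, 216, 173, 187, 186,
                               22, 212, 37, 77, 105, 214, 191, 240, 91, 88, 5, 88, 83, 132, 141, 121])
RFC_APPENDIX_B_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_APPENDIX_B_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
```

Running `code_verifier_from_octets(RFC_APPENDIX_B_OCTETS)` reproduces the Appendix B code_verifier, and `code_challenge_s256` on it reproduces the Appendix B code_challenge, which is the verifier-then-challenge ordering the erratum asks Section 7.1 to reflect.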
