...@ve7jtb.com wrote:
From: John Bradley ve7...@ve7jtb.com
Subject: Re: [OAUTH-WG] OAuth token entropy
To: o...@gryb.info
Cc: oauth oauth@ietf.org
Date: Friday, November 2, 2012, 5:40 PM
The change we did to the last ish draft of OAuth to have the client send its
client ID to the token endpoint even
Can somebody please provide clarification for this:
http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-05#section-5.1.4.2.2
5.1.4.2.2. High entropy of secrets...
The probability of any two Authorization Code
values being identical should be less than or equal to 2^(-128) and
I believe the original text (which was borrowed from elsewhere) had a must
followed by a should rather than two shoulds like that. The text seems to
have drifted a bit in various places but the threat model text should
probably be aligned with what's in core OAuth at
I believe the IESG wanted a higher level of entropy. It looks like the text may
have gotten mangled along the way. Torsten do you recall?
Phil
@independentid
www.independentid.com
phil.h...@oracle.com
On 2012-11-02, at 11:19 AM, Brian Campbell wrote:
I believe the original text (which
wrote:
From: Brian Campbell bcampb...@pingidentity.com
Subject: Re: [OAUTH-WG] OAuth token entropy
To: Oleg Gryb o...@gryb.info
Cc: Torsten Lodderstedt tors...@lodderstedt.net, oauth oauth@ietf.org
Date: Friday, November 2, 2012, 2:19 PM
I believe the original text (which was borrowed from elsewhere
to provide clear guidelines for OAuth
implementers, which are many nowadays.
--- On Fri, 11/2/12, Brian Campbell bcampb...@pingidentity.com wrote:
From: Brian Campbell bcampb...@pingidentity.com
Subject: Re: [OAUTH-WG] OAuth token entropy
To: Oleg Gryb o...@gryb.info
Cc: Torsten