Re: [OAUTH-WG] PKCE: SHA256(WAT?)

2015-01-30 Thread Brian Campbell
But, while it may be clear to you, what I'm saying here is that it's not clear to a reader/implementer. Somehow the conversion from a character string to an octet string needs to be clearly and unambiguously stated. It doesn't have to be the text I suggested but it's not sufficient as it is now.

Re: [OAUTH-WG] PKCE: SHA256(WAT?)

2015-01-30 Thread John Bradley
Campbell Cc: oauth; Naveen Agarwal Subject: Re: [OAUTH-WG] PKCE: SHA256(WAT?) Have a look at the latest version. I added OCTETS(STRING) to show the conversion. ASCII(STRING) seemed more confusing by drawing character encoding back in. I was tempted to call it an octet array

Re: [OAUTH-WG] PKCE: SHA256(WAT?)

2015-01-30 Thread Brian Campbell
*To:* Brian Campbell *Cc:* oauth; Naveen Agarwal *Subject:* Re: [OAUTH-WG] PKCE: SHA256(WAT?) Have a look at the latest version. I added OCTETS(STRING) to show the conversion. ASCII(STRING) seemed more confusing by drawing character encoding back in. I was tempted to call it an octet

Re: [OAUTH-WG] PKCE: SHA256(WAT?)

2015-01-30 Thread John Bradley
Bradley Sent: Friday, January 30, 2015 11:33 AM To: Brian Campbell Cc: oauth; Naveen Agarwal Subject: Re: [OAUTH-WG] PKCE: SHA256(WAT?) Have a look at the latest version. I added OCTETS(STRING) to show the conversion. ASCII(STRING) seemed more confusing by drawing character

Re: [OAUTH-WG] PKCE: SHA256(WAT?)

2015-01-30 Thread John Bradley
Have a look at the latest version. I added OCTETS(STRING) to show the conversion. ASCII(STRING) seemed more confusing by drawing character encoding back in. I was tempted to call it an octet array without the terminating NULL of STRING but didn’t want to introduce array. Let me know what you

Re: [OAUTH-WG] PKCE: SHA256(WAT?)

2015-01-30 Thread Nat Sakimura
I do not think we need ASCII(). It is quite clear without it, I suppose. In 4.1, I would rather do like: code_verifier = high entropy cryptographic random octet sequence using the url and filename safe Alphabet [A-Z] / [a-z] / [0-9] / - / _ from Sec 5 of RFC 4648 [RFC4648], with length

Re: [OAUTH-WG] PKCE: SHA256(WAT?)

2015-01-30 Thread Brian Campbell
That's definitely an improvement (to me anyway). Checking that the rest of the document uses those notations appropriately, I think, yields a few other changes. And probably begs for the "ASCII(STRING) denotes the octets of the ASCII representation of STRING" notation/function, or something like

Re: [OAUTH-WG] PKCE: SHA256(WAT?)

2015-01-29 Thread Nat Sakimura
FYI, we are now tracking this issue at: https://bitbucket.org/Nat/oauth-spop/issue/32/clean-up-definitions 2015-01-30 8:15 GMT+09:00 Brian Campbell bcampb...@pingidentity.com: In §2 [1] we've got "SHA256(STRING) denotes a SHA2 256bit hash [RFC6234] of STRING." But, in the little cow town