RE new text in Draft 23 http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-10.10 Generated tokens and other credentials not intended for handling by end-users MUST be constructed from a cryptographically strong random or pseudo-random number sequence ([RFC1750]) generated by the authorization server. Given that many implementations may elect to use signed tokens, such as SAML or JWT (JOSE) this should not be a MUST. Giving people sensible defaults such as the probability of an attacker guessing a valid access token for the protected resource should be less than 2^(-128). The probability of generating hash colisions randomly is a odd metric, 2^(-128) for a SHA256 as I recall. Many factors play into what is secure, token lifetime etc. I don't mind some reasonable defaults but adding a requirement for unstructured tokens is a bit much. Regards John B.
<<attachment: smime.p7s>>
_______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf