New text:

   The probability of an attacker guessing generated tokens (and other
   credentials not intended for handling by end-users) MUST be less than
   or equal to 2^(-128) and SHOULD be less than or equal to 2^(-160).

Removed reference to RFC 1750.

EH

> -----Original Message-----
> From: John Bradley [mailto:ve7jtb@xxxxxxxxxx]
> Sent: Monday, February 06, 2012 5:07 PM
> To: Eran Hammer
> Cc: Julian Reschke; ietf@xxxxxxxx; The IESG; oauth@xxxxxxxx
> Subject: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The
> OAuth 2.0 Authorization Protocol: Bearer Tokens) to Proposed Standard
>
> RE new text in Draft 23
>
> http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-10.10
>
>    Generated tokens and other credentials not intended for handling by
>    end-users MUST be constructed from a cryptographically strong random
>    or pseudo-random number sequence ([RFC1750]) generated by the
>    authorization server.
>
> Given that many implementations may elect to use signed tokens, such as
> SAML or JWT (JOSE) this should not be a MUST.
>
> Giving people sensible defaults such as the probability of an attacker
> guessing a valid access token for the protected resource should be less than
> 2^(-128).
>
> The probability of generating hash collisions randomly is an odd metric,
> 2^(-128) for a SHA256 as I recall.
> Many factors play into what is secure, token lifetime etc.
>
> I don't mind some reasonable defaults but adding a requirement for
> unstructured tokens is a bit much.
>
> Regards
> John B.
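
The following is an added example, not part of the original messages or of the draft: a Python sketch of how an authorization server could size opaque (unstructured) random tokens against the 2^(-128) MUST and 2^(-160) SHOULD bounds quoted above. The function names and the `live_tokens` adjustment (one guess succeeding against any currently valid token) are assumptions of this example; signed tokens such as SAML or JWT are outside its scope.

```python
import math
import secrets

MUST_BITS = 128    # guess probability <= 2^(-128)
SHOULD_BITS = 160  # guess probability <= 2^(-160)


def required_bytes(target_bits, live_tokens=1):
    """Random bytes needed so that a single guess matches any of
    `live_tokens` valid tokens with probability <= 2^(-target_bits)."""
    # P(hit) = live_tokens / 2^(8n)  =>  8n >= target_bits + log2(live_tokens)
    extra = math.ceil(math.log2(live_tokens)) if live_tokens > 1 else 0
    return math.ceil((target_bits + extra) / 8)


def new_token(target_bits=SHOULD_BITS, live_tokens=1):
    """Opaque token drawn from the OS CSPRNG, base64url-encoded."""
    return secrets.token_urlsafe(required_bytes(target_bits, live_tokens))


def guess_bits(alphabet_size, length, live_tokens=1):
    """-log2 of the single-guess success probability for tokens of
    `length` symbols drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size) - math.log2(live_tokens)


def classify(alphabet_size, length, live_tokens=1):
    """Rate an existing token format against the two bounds."""
    bits = guess_bits(alphabet_size, length, live_tokens)
    if bits >= SHOULD_BITS:
        return "meets SHOULD"
    if bits >= MUST_BITS:
        return "meets MUST"
    return "fails MUST"


if __name__ == "__main__":
    print(new_token())                               # 20 random bytes
    print(classify(16, 32))                          # 32 hex characters
    print(classify(16, 32, live_tokens=2**20))       # same, 2^20 live tokens
    print(required_bytes(MUST_BITS, live_tokens=2**20))
```

Under this reading, a 32-character hex token sits exactly on the MUST bound when one token is valid, and drops below it once many tokens are valid at the same time.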