So on the 128-bit note, the examples could probably be a bit shorter; 22 characters would give somewhat more than 128 bits of randomness. But to EHL's original question, the examples (currently 7-12 characters) should probably be longer.
On Wed, Jul 6, 2011 at 5:27 PM, Oleg Gryb <oleg_g...@yahoo.com> wrote:
> log2(64^27)=162 bits
>
> Looks good. For comparison, 128-bit entropy for a key in symmetric encryption
> used by SSL is considered as strong.
> I'm assuming that all those 162 bits are generated by a good randomizer.
>
> ----- Original Message ----
>> From: Brian Campbell <bcampb...@pingidentity.com>
>> To: Eran Hammer-Lahav <e...@hueniverse.com>
>> Cc: OAuth WG <oauth@ietf.org>
>> Sent: Wed, July 6, 2011 4:06:29 PM
>> Subject: Re: [OAUTH-WG] Example tokens
>>
>> If I've done the math correctly, 27 characters would give you a little
>> more than 20 bytes worth of randomness (assuming you are using random
>> alphanumeric characters or base64url encoded bytes). 20 bytes is
>> something you see as a SHOULD type minimum length in other protocols
>> for random identifiers. Not sure if that's sufficient reasoning but
>> it's what I can come up with.
>>
>> On Wed, Jul 6, 2011 at 4:40 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
>> > Are the tokens used in the examples long enough? I don't want the examples
>> > to demonstrate poor choice of byte count.
>> > EHL
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth
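The length arithmetic discussed in this thread, as an added example that is not part of the original messages or of any OAuth draft: it computes the minimum token length for a target bit strength, bounds the entropy of a given example token, and generates tokens from the OS CSPRNG. The function names and the two short sample tokens are constructed for illustration.

```python
import math
import secrets
import string

# base64url alphabet (RFC 4648 section 5): the 64 symbols the thread assumes
B64URL = string.ascii_letters + string.digits + "-_"

def min_chars(target_bits, alphabet_size=64):
    """Fewest uniformly random characters that carry at least target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def max_entropy_bits(token, alphabet=B64URL):
    """Upper bound on a token's entropy: length * log2(alphabet size).
    The bound is only reached when every character comes from a CSPRNG."""
    if not token or any(c not in alphabet for c in token):
        raise ValueError("token must be non-empty and use only the given alphabet")
    return len(token) * math.log2(len(alphabet))

def new_token(nbytes=20):
    """nbytes from the OS CSPRNG, base64url-encoded without padding."""
    return secrets.token_urlsafe(nbytes)

def check_example(token, floor_bits=128):
    """Return (upper-bound bits, meets floor?) for a token shown in an example."""
    bits = max_entropy_bits(token)
    return bits, bits >= floor_bits

if __name__ == "__main__":
    # First two samples are constructed stand-ins for 7- and 12-character examples.
    for sample in ("abc1234", "a1b2c3d4e5f6", new_token(16), new_token(20)):
        bits, ok = check_example(sample)
        verdict = "ok" if ok else "too short"
        print(f"{len(sample):2d} chars  <= {bits:5.0f} bits  {verdict}")
```
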