Yes, I think it would apply to all three (in cases where the value is some reference). I feel like a refresh token should be a little longer but I don't know if that feeling would actually hold up when doing a real threat model analysis.
On Wed, Jul 6, 2011 at 9:53 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
> Does that apply to access tokens, refresh tokens, and authorization codes? I can try squeezing in 22 characters.
>
> EHL
>
>> -----Original Message-----
>> From: Brian Campbell [mailto:bcampb...@pingidentity.com]
>> Sent: Wednesday, July 06, 2011 8:46 PM
>> To: Oleg Gryb
>> Cc: Eran Hammer-Lahav; OAuth WG
>> Subject: Re: [OAUTH-WG] Example tokens
>>
>> So on the 128-bit note, the examples could probably be a bit shorter; 22 characters would give somewhat more than 128 bits of randomness. But to EHL's original question, the examples (currently 7-12 characters) should probably be longer.
>>
>> On Wed, Jul 6, 2011 at 5:27 PM, Oleg Gryb <oleg_g...@yahoo.com> wrote:
>> > log2(64^27)=162 bits
>> >
>> > Looks good. For comparison, 128-bit entropy for a key in symmetric encryption used by SSL is considered strong. I'm assuming that all those 162 bits are generated by a good randomizer.
>> >
>> > ----- Original Message ----
>> >> From: Brian Campbell <bcampb...@pingidentity.com>
>> >> To: Eran Hammer-Lahav <e...@hueniverse.com>
>> >> Cc: OAuth WG <oauth@ietf.org>
>> >> Sent: Wed, July 6, 2011 4:06:29 PM
>> >> Subject: Re: [OAUTH-WG] Example tokens
>> >>
>> >> If I've done the math correctly, 27 characters would give you a little more than 20 bytes worth of randomness (assuming you are using random alphanumeric characters or base64url encoded bytes). 20 bytes is something you see as a SHOULD type minimum length in other protocols for random identifiers. Not sure if that's sufficient reasoning but it's what I can come up with.
>> >>
>> >> On Wed, Jul 6, 2011 at 4:40 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
>> >> > Are the tokens used in the examples long enough? I don't want the examples to demonstrate poor choice of byte count.
>> >> >
>> >> > EHL
>> >> > _______________________________________________
>> >> > OAuth mailing list
>> >> > OAuth@ietf.org
>> >> > https://www.ietf.org/mailman/listinfo/oauth
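The arithmetic the thread works through (log2(64^27) = 162 bits, 22 base64url characters clearing 128 bits, and the 20-byte minimum) as an added Python example; it is not part of the thread or of any OAuth implementation, and the function names are my own. It also shows why the character count only means anything when each character comes from a CSPRNG, which is the "good randomizer" assumption Oleg makes.

```python
import math
import secrets
import string

# Figures from the thread: a 64-symbol alphabet (base64url), the 128-bit bar
# that symmetric keys are measured against, and the 20-byte (160-bit) minimum.
BASE64URL_ALPHABET_SIZE = 64
MIN_BITS = 128
BASE64URL_CHARS = set(string.ascii_letters + string.digits + "-_")


def entropy_bits(length: int, alphabet_size: int = BASE64URL_ALPHABET_SIZE) -> float:
    """Entropy of `length` uniformly random symbols: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(bits: int, alphabet_size: int = BASE64URL_ALPHABET_SIZE) -> int:
    """Smallest number of symbols whose entropy reaches `bits`."""
    return math.ceil(bits / math.log2(alphabet_size))


def generate_token(n_bytes: int = 16) -> str:
    """Opaque reference token drawn from the OS CSPRNG, base64url without padding.

    16 random bytes encode to 22 characters, the length proposed in the thread.
    """
    return secrets.token_urlsafe(n_bytes)


def token_is_strong_enough(token: str, min_bits: int = MIN_BITS) -> bool:
    """Length check for an opaque token an authorization server hands out.

    Assumes every character was drawn uniformly from the base64url alphabet;
    a 22-character value built from a timestamp or a weak PRNG passes this
    check but does not carry 132 bits, so the generator matters as much as the length.
    """
    if not token or any(c not in BASE64URL_CHARS for c in token):
        return False
    return entropy_bits(len(token)) >= min_bits
```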