RE new text in Draft 23
http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-10.10
Generated tokens and other credentials not intended for handling by
end-users MUST be constructed from a cryptographically strong random
or pseudo-random number sequence ([RFC1750]) generated by the
authorization server.
Given that many implementations may elect to use signed tokens, such as SAML or
JWT (JOSE) this should not be a MUST.
Giving people sensible defaults such as the probability of an attacker guessing
a valid access token for the protected resource should be less than 2^(-128).
The probability of generating hash colisions randomly is a odd metric,
2^(-128) for a SHA256 as I recall.
Many factors play into what is secure, token lifetime etc.
I don't mind some reasonable defaults but adding a requirement for unstructured
tokens is a bit much.
Regards
John B.
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf