[Openid-specs-mobile-profile] Issue #142: testability of non-guessability requirements (openid/mobile)
Joseph Heenan
issues-reply at bitbucket.org
Fri Dec 14 15:41:04 UTC 2018
New issue 142: testability of non-guessability requirements
https://bitbucket.org/openid/mobile/issues/142/testability-of-non-guessability
Joseph Heenan:
The CIBA spec contains phrasing like this twice:
> contain sufficient entropy (at least 128 bits) or be otherwise protected such as to make brute force guessing computationally infeasible
That requirement is not easily testable by a conformance suite. We could use wording more like FAPI uses, to quote the FAPI spec:
> shall provide opaque non-guessable access tokens with a minimum of 128 bits of entropy where the probability of an attacker guessing the generated token is less than or equal to 2^(-160) as per RFC6749 section 10.10;
It may be that the actual limits here are more than necessary for CIBA core; however, with phrasing like this the conformance suite can at least do a test on the amount of entropy, which I believe helps avoid insecure implementations.
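To make concrete what "a test on the amount of entropy" can and cannot establish, here is an added example of the kind of static check a conformance suite could run on an issued token. It is illustrative code written for this page, not code from the issue, the CIBA or FAPI specs, or the OpenID conformance suite. It assumes the two thresholds quoted from FAPI above (at least 128 bits; single-guess probability at most 2^(-160)), infers the token's alphabet from its characters (a hypothetical classification; a real suite might know the server's encoding), and the sample tokens are constructed, not captured from any deployment. The important caveat: from one token a tester can only bound entropy from above by alphabet size and length, so a failure is conclusive while a pass only shows the format could carry enough entropy.

```python
"""Static token-entropy check of the kind a conformance suite can run.

Illustrative only. Entropy is bounded from above as log2(|alphabet| ** length);
a constant or sequential token in a wide alphabet still passes, which is exactly
why a spec clause phrased as "sufficient entropy" is only partially testable.
"""
import math
import re
import secrets
from dataclasses import dataclass

# Candidate alphabets, most restrictive first: the smallest class matching the
# whole token gives the conservative (lowest) upper bound on bits per character.
_ALPHABETS = (
    ("decimal", re.compile(r"[0-9]+"), 10),
    ("hex", re.compile(r"[0-9a-fA-F]+"), 16),
    ("base32", re.compile(r"[A-Z2-7]+=*"), 32),
    ("base64url", re.compile(r"[A-Za-z0-9_-]+=*"), 64),
    ("base64", re.compile(r"[A-Za-z0-9+/]+=*"), 64),
)

MIN_ENTROPY_BITS = 128                # "minimum of 128 bits of entropy" (FAPI text above)
MAX_GUESS_PROBABILITY = 2.0 ** -160   # "less than or equal to 2^(-160)" (FAPI text above)


@dataclass(frozen=True)
class EntropyReport:
    alphabet: str
    length: int               # value-carrying characters, '=' padding excluded
    max_bits: float           # log2(|alphabet| ** length): an UPPER bound on entropy
    guess_probability: float  # best case for the attacker: 2 ** -max_bits per guess
    meets_128_bits: bool
    meets_2_pow_minus_160: bool


def assess_token(token: str) -> EntropyReport:
    """Bound the entropy of one opaque token from its encoding and length."""
    body = token.rstrip("=")
    if not body:
        raise ValueError("empty token")
    for name, pattern, size in _ALPHABETS:
        if pattern.fullmatch(token):
            break
    else:
        # Unknown encoding: fall back to the characters actually observed, a
        # lower bound on the alphabet and therefore still conservative.
        name, size = "observed", len(set(body))
    max_bits = len(body) * math.log2(size) if size > 1 else 0.0
    guess_probability = 2.0 ** -max_bits
    return EntropyReport(
        alphabet=name,
        length=len(body),
        max_bits=max_bits,
        guess_probability=guess_probability,
        meets_128_bits=max_bits >= MIN_ENTROPY_BITS,
        meets_2_pow_minus_160=guess_probability <= MAX_GUESS_PROBABILITY,
    )


def assess_sample(tokens):
    """Check a sample of tokens from one server: every token individually meets
    the 128-bit bound, and no token repeats (a repeat is strong evidence of a
    broken generator that no per-token bound can detect)."""
    all_long_enough = all(assess_token(t).meets_128_bits for t in tokens)
    all_unique = len(set(tokens)) == len(tokens)
    return all_long_enough, all_unique


def mint_token(min_bits: int = 160) -> str:
    """Reference generator satisfying both clauses: CSPRNG bytes, base64url."""
    return secrets.token_urlsafe(math.ceil(min_bits / 8))


# Constructed sample tokens (not captured from any real deployment).
SAMPLE_TOKENS = {
    "hex_64_bits": "3f9a0c1d7e2b4a58",                # 16 hex chars  -> 64 bits, fails
    "b64url_132_bits": "abcdefghijklmnopqrstuv",      # 22 chars      -> 132 bits, >=128 only
    "b64url_162_bits": "abcdefghijklmnopqrstuvwxyz_", # 27 chars      -> 162 bits, both
    "constant_hex": "a" * 32,                         # 128-bit bound, yet zero entropy
}

if __name__ == "__main__":
    for label, tok in SAMPLE_TOKENS.items():
        r = assess_token(tok)
        print(f"{label:16} {r.alphabet:9} {r.length:3} chars  <= {r.max_bits:6.1f} bits"
              f"  128:{r.meets_128_bits}  2^-160:{r.meets_2_pow_minus_160}")
    print("sample:", assess_sample(list(SAMPLE_TOKENS.values())))
    print("minted:", assess_token(mint_token(160)))
```

The `constant_hex` entry is the point of the caveat: 32 identical hex characters has a 128-bit upper bound and so passes the static check, although it has no entropy at all. The length-and-alphabet test therefore rejects clearly undersized tokens and catches the most common mistakes, but it is a necessary condition, not proof that a server's generator is actually random.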
More information about the Openid-specs-mobile-profile mailing list