(from Erik)
It seems like the actual token contents should have more flexibility. I don't think we want a "MUST" on that particular construct. It may be worth a MUST that there is at least 128 bits of secure entropy, and that the token is either base64 or hex encoded. But there may be a need to use other constructs in the future (e.g., not SHA256). Giving the current example as a MAY seems reasonable.

There may be reasons for other constructs that embed state within the token. For example: "HMAC-SHA256(private_key, label+account+domain)" may be appropriate in some cases, although it has enough security considerations that I'm not sure we want to include that.
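An added example, not code from the issue or the project it discusses, showing the two token shapes the comment contrasts: an opaque token carrying at least 128 bits of CSPRNG output in hex or base64, with a check that a presented token's encoded length meets that floor, and the stateless HMAC-SHA256(private_key, label+account+domain) variant with constant-time verification. The `MIN_ENTROPY_BITS` name and the length-prefixing of the HMAC fields are assumptions made here, not part of any spec text.

```python
import base64
import hashlib
import hmac
import os
import re

MIN_ENTROPY_BITS = 128  # assumed floor, matching the "at least 128 bits" proposal
_HEX = re.compile(r"^(?:[0-9a-f]{2})+$", re.IGNORECASE)
_B64 = re.compile(r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$")


def random_token(entropy_bits: int = MIN_ENTROPY_BITS, encoding: str = "base64") -> str:
    """Opaque token: `entropy_bits` of CSPRNG output, base64- or hex-encoded."""
    if entropy_bits < MIN_ENTROPY_BITS:
        raise ValueError("token would carry fewer than %d bits" % MIN_ENTROPY_BITS)
    raw = os.urandom((entropy_bits + 7) // 8)
    if encoding == "hex":
        return raw.hex()
    if encoding == "base64":
        return base64.b64encode(raw).decode("ascii")
    raise ValueError("encoding must be 'hex' or 'base64'")


def token_entropy_bits(token: str, encoding: str) -> int:
    """Payload bits a presented token can carry, or 0 if it is not well-formed in
    the declared encoding. This is an upper bound: length cannot prove randomness."""
    if encoding == "hex":
        return len(token) * 4 if _HEX.match(token) else 0
    if encoding == "base64":
        return len(base64.b64decode(token)) * 8 if _B64.match(token) else 0
    return 0


def meets_floor(token: str, encoding: str) -> bool:
    return token_entropy_bits(token, encoding) >= MIN_ENTROPY_BITS


def stateless_token(key: bytes, label: str, account: str, domain: str) -> str:
    """HMAC-SHA256(private_key, label+account+domain) from the comment, hex-encoded.
    Assumption added here: each field is length-prefixed before concatenation, so
    ("ab", "c") and ("a", "bc") cannot produce the same HMAC input."""
    msg = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode()
                   for f in (label, account, domain))
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_stateless_token(key: bytes, label: str, account: str, domain: str,
                           presented: str) -> bool:
    """Recompute and compare in constant time; no per-token server state is needed."""
    return hmac.compare_digest(stateless_token(key, label, account, domain), presented)
```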