How do we justify when it is safe to use smaller values? Is typability
really a requirement (vs copy-and-paste or automation via APIs)?
In most cases where random tokens are used it is desirable to have
automation.
Looking at the survey (
https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-domain-verification-techniques/blob/main/DomainControlValidation-Survey.md
)
the vast majority of existing random token DV schemes use at least 128 bits
of randomness.
Erik
On Mon, Oct 20, 2025 at 12:19 PM Paul Hoffman <[email protected]>
wrote:
> On Oct 17, 2025, at 09:04, Tim Wicinski <[email protected]> wrote:
> > We asked for agenda time in Montreal, but barring that we'd like to hear
> what is still outstanding.
>
> Section 5.1.1.1 is still way too prescriptive, and makes it impossible for
> random tokens to be typed by a user. In Section 5.1.1., the use case for
> unique tokens says "adequate uniqueness so as to guarantee a causal
> relationship between its issuance and its appearance in a DNS record". Even
> 30 bits of randomness (1 in a billion) is sufficient for that in many
> cases. The reference to RFC 4086 is also irrelevant to many use cases
> described in Section 5.1.1.
>
> I propose that either Section 5.1.1.1 be removed or, if the WG thinks that
> this needs to be shown, it should be expanded to an example of using a
> 10-digit number.
>
> --Paul Hoffman
>
> _______________________________________________
> DNSOP mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
