I would also add that while the responsibility should lie with the OP to check nonces in stateless mode, if the OP does not have an HTTPS URL for check_authentication, a compromise of the DNS service at the RP allows replay of _any_ earlier cached responses. So RPs should at least try to see if the timestamp is not too skewed.<br>
<br><br><br><div class="gmail_quote">On Tue, Mar 31, 2009 at 5:25 PM, Andrew Arnott <span dir="ltr"><<a href="mailto:andrewarnott@gmail.com">andrewarnott@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Yes, Breno. I'd also like to see the spec give a maximum allowable length for the nonce so RPs know better what they can expect and how much storage to allow for nonces.<div class="im"><br clear="all">--<br>Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br><br></div><div class="gmail_quote">2009/3/31 Breno de Medeiros <span dir="ltr"><<a href="mailto:breno@google.com" target="_blank">breno@google.com</a>></span><div><div></div><div class="h5"><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br><br><div class="gmail_quote"><div>On Tue, Mar 31, 2009 at 3:46 PM, Martin Atkins <span dir="ltr"><<a href="mailto:mart@degeneration.co.uk" target="_blank">mart@degeneration.co.uk</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><div></div><div>Andrew Arnott wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I'm also somewhat curious about how many OpenID consumers actually<br>
do nonce checking. Net::OpenID::Consumer for Perl actually ignores<br>
the nonce altogether and implements its own timestamp checking due<br>
to legacy code for OpenID 1.1, and seems to be vulnerable to replay<br>
for up to 30 seconds after a positive assertion.<br>
<br>
<br>
The author of the Perl library ought to be ashamed. This kind of thing reduces my confidence in using OpenID at any site other than one that I wrote the library for myself.<br>
<br>
Although this is what OSIS testing is all about. Hopefully there is a test to catch RPs and OPs that don't check the nonce for replays.<br>
</blockquote>
<br></div></div>
Yes. As the maintainer of that library (though not its original author), I am ashamed, which is what prompted the question in the first place.</blockquote></div><div><br>I believe that the spec should make it clear that the OP is responsible for validating the uniqueness of the nonce in stateless mode. <br>
</div><div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
<br>
I'd love to have a test in the test suite for this.<br>
<br>
RPs only need to do this checking when they're running in stateful mode, right? Since stateless RPs have nowhere to store state they can't retain a history of nonces.<br>
<br>
Can you share some high-level details about your nonce-checking implementation? Specifically how you persist the previous nonces, when you expire them, etc?<br>
<br>
I'm wondering if it would instead be simpler to use a client-generated nonce in the return_to URL, as you note that DotNetOpenID is doing for 1.1 requests, thus allowing the nonce checking to be a whitelist rather than a blacklist and the nonces to be in a known format that I can optimize for.<div>
<div></div><div><br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div></div><br><br clear="all"><div><div></div><div><br>-- <br>--Breno<br><br>+1 (650) 214-1007 desk<br>+1 (408) 212-0135 (Grand Central)<br>MTV-41-3 : 383-A <br>PST (GMT-8) / PDT(GMT-7)<br>
</div></div><br>
<br></blockquote></div></div></div><br>
</blockquote></div><br><br clear="all"><br>-- <br>--Breno<br><br>+1 (650) 214-1007 desk<br>+1 (408) 212-0135 (Grand Central)<br>MTV-41-3 : 383-A <br>PST (GMT-8) / PDT(GMT-7)<br>
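<br>As an added illustration of the RP-side checks discussed in this thread (timestamp skew, nonce uniqueness per OP endpoint, expiry, and a length bound), not code from any of the libraries mentioned: the nonce format and the 255-character limit are those of the OpenID 2.0 response_nonce; the 300-second skew window and the in-memory store are assumptions for the example.<br>

```python
"""Added example: RP-side response_nonce validation for OpenID 2.0.
Rejects nonces that are too long, malformed, outside the clock-skew
window, or already seen from the same OP endpoint. The store is
in-memory for illustration; a real RP would share it across servers."""
import re
import time
from datetime import datetime, timezone

MAX_NONCE_LEN = 255  # OpenID 2.0: response_nonce is at most 255 characters
# ISO 8601 UTC timestamp followed by unique ASCII (33-126) characters
_NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)([\x21-\x7e]*)$")


def parse_nonce_timestamp(nonce):
    """Return the nonce's timestamp as epoch seconds, or None if malformed."""
    m = _NONCE_RE.match(nonce)
    if not m:
        return None
    dt = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return dt.replace(tzinfo=timezone.utc).timestamp()


class NonceStore:
    """Blacklist of recently seen nonces, keyed by (op_endpoint, nonce)."""

    def __init__(self, skew=300):
        self.skew = skew      # allowed clock skew in seconds (assumed value)
        self._seen = {}       # (op_endpoint, nonce) -> nonce timestamp

    def __len__(self):
        return len(self._seen)

    def _expire(self, now):
        # A nonce older than now - skew would fail the skew check anyway,
        # so it can be forgotten without reopening a replay window.
        cutoff = now - self.skew
        for key in [k for k, ts in self._seen.items() if ts < cutoff]:
            del self._seen[key]

    def check_and_store(self, op_endpoint, nonce, now=None):
        """Return (accepted, reason); stores the nonce only when accepted."""
        now = time.time() if now is None else now
        if len(nonce) > MAX_NONCE_LEN:
            return False, "nonce longer than 255 characters"
        ts = parse_nonce_timestamp(nonce)
        if ts is None:
            return False, "malformed nonce"
        if abs(now - ts) > self.skew:
            return False, "timestamp outside allowed skew"
        self._expire(now)
        key = (op_endpoint, nonce)
        if key in self._seen:
            return False, "nonce already used (replay)"
        self._seen[key] = ts
        return True, "ok"
```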