What is delegation for? (was Re: Wrapping Up Proposals)

Johannes Ernst jernst+openid.net at netmesh.us
Tue Oct 3 06:23:36 UTC 2006


On Oct 2, 2006, at 22:07, Josh Hoyt wrote:

> On 10/2/06, Johannes Ernst <jernst+openid.net at netmesh.us> wrote:
>> It appears to me that OpenID should be able to do the same thing that
>> we've been doing in LID: "one-way" nonces.
>
> This is the way that it's currently written up in the spec. When I
> wrote it up I had LID nonces in mind.
>
> The current proposal is to have *two* nonces - one for the request and
> one for the response. I bet there are good arguments for being able to
> identify both the request and the response individually, but I can't
> come up with any. Why do we need a response nonce if there is a
> request nonce?

Because the response may not have been triggered by a request.

This is how we implement non-browser support in LID right now -- and I suggest that OpenID Auth could do the same: a client decides it wants to access http://example.com/foo that is access-protected. It simply creates an OpenID "response" request "as-if" it had been initiated by a request.

Also: please ignore this if you have more important things to do -- but why do we need a request nonce at all? What attack does this protect against?

Johannes Ernst
NetMesh Inc.

  http://netmesh.info/jernst
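The "one-way" nonce discussed above only has to be checked on the relying-party side: the response carries a nonce, and the relying party refuses to consume the same nonce twice, which is what stops a captured response from being replayed whether or not a request ever existed. The following is an added illustration, not code from this thread, LID or any OpenID implementation; it assumes a nonce layout of a UTC timestamp "YYYY-MM-DDThh:mm:ssZ" followed by a unique suffix, and a 300-second acceptance window.

```python
import re
import time
from datetime import datetime, timezone

# Assumed nonce layout for this example: UTC timestamp, then a unique suffix.
NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)(.{0,255})$")


def parse_nonce_timestamp(nonce):
    """Return the epoch seconds encoded in a nonce, or None if it is malformed."""
    m = NONCE_RE.match(nonce)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts.replace(tzinfo=timezone.utc).timestamp()


class ResponseNonceStore:
    """Relying-party record of response nonces that have already been accepted.

    Each response nonce is judged on its own, so a response that was not
    triggered by any request is handled exactly like one that was.
    """

    def __init__(self, max_skew_seconds=300):
        self.max_skew = max_skew_seconds
        self.seen = {}  # nonce -> timestamp it carried, used to expire old entries

    def _expire(self, now):
        for nonce, ts in list(self.seen.items()):
            if now - ts > self.max_skew:
                del self.seen[nonce]

    def accept(self, nonce, now=None):
        """True the first time a fresh, well-formed nonce is presented; False otherwise."""
        now = time.time() if now is None else now
        ts = parse_nonce_timestamp(nonce)
        if ts is None:
            return False  # malformed nonce: reject outright
        if abs(now - ts) > self.max_skew:
            return False  # too old or too far in the future to be worth remembering
        self._expire(now)
        if nonce in self.seen:
            return False  # replay: this nonce was already consumed
        self.seen[nonce] = ts
        return True
```

Entries are only kept for the acceptance window, so the store stays bounded while still rejecting every replay that could pass the timestamp check.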