[PROPOSAL] request nonce and name

Josh Hoyt josh at janrain.com
Fri Oct 13 00:18:07 UTC 2006


On 10/12/06, Dick Hardt <dick at sxip.com> wrote:
> I am ok with this as long as the return_to parameter continues to be
> signed, otherwise it is open to reuse attacks.

Yes, I agree with this analysis (for stateless RPs). It is important
that the return_to URL remain signed.

> I think that Hans had issues with the IdP signing arbitrary data,
> which is possible since anything could be stuck in the return_to
> parameter

That was my thought, too. Hans?

> Another advantage of having the request_nonce being a separate value
> is the IdP can make sure it is not processing requests multiple
> times, but this is only useful when the request is signed -- perhaps
> this parameter is best left to the highly anticipated, upcoming RP
> Identity extension? ;-)

Agreed here, as well.

Josh



More information about the specs mailing list