nonce verification
Johnny Bufu
johnny at sxip.com
Thu Sep 14 23:43:47 UTC 2006
"9.2.1. Verifying Discovered Information
[...]
To prevent replay attacks, the Relying Party SHOULD keep track of the
nonce values included in positive assertions and never accept the
same value more than once for the same association."
How should the nonce verification be done when in stateless mode (and
there's no association)?
Should that read instead "for the same IdP endpoint"?
If not, are the nonce strings to be considered globally unique? That
could create conflicts.
Johnny
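One way to do the tracking the message asks about, keyed on the OP endpoint URL rather than on an association so it also works in stateless mode. This is an added illustration, not code from the original post or from any OpenID library. It assumes a nonce that starts with a UTC timestamp of the form YYYY-MM-DDThh:mm:ssZ (an assumption here; the spec text quoted above does not fix a format), which lets the RP bound how long it has to remember a nonce; the endpoint URLs and nonce strings in the demo are constructed sample input.

```python
"""Replay-protection nonce store for an OpenID Relying Party (added example).

Keys the "seen" set on (OP endpoint URL, nonce) instead of on an association,
so it works in stateless mode.  Assumes the nonce begins with a UTC timestamp
"YYYY-MM-DDThh:mm:ssZ" followed by arbitrary unique characters; that prefix
lets the RP reject nonces outside a time window and forget old ones.
"""
from datetime import datetime, timedelta, timezone

NONCE_TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
NONCE_TS_LEN = 20  # len("2006-09-14T23:43:47Z")


def parse_nonce_timestamp(nonce):
    """Return the timestamp prefix of a nonce as an aware UTC datetime, or None."""
    if len(nonce) < NONCE_TS_LEN:
        return None
    try:
        ts = datetime.strptime(nonce[:NONCE_TS_LEN], NONCE_TS_FORMAT)
    except ValueError:
        return None
    return ts.replace(tzinfo=timezone.utc)


class NonceStore:
    """Remembers (op_endpoint, nonce) pairs for a bounded window."""

    def __init__(self, max_age_seconds=300):
        self.max_age = timedelta(seconds=max_age_seconds)
        self._seen = {}  # (op_endpoint, nonce) -> timestamp taken from the nonce

    def _purge(self, now):
        # Entries older than the window can never be accepted again, so drop them.
        cutoff = now - self.max_age
        for key in [k for k, ts in self._seen.items() if ts < cutoff]:
            del self._seen[key]

    def check_and_record(self, op_endpoint, nonce, now=None):
        """Return True the first time a nonce is seen for this endpoint, else False."""
        if now is None:
            now = datetime.now(timezone.utc)
        ts = parse_nonce_timestamp(nonce)
        if ts is None:
            return False  # malformed nonce: cannot bound how long to remember it
        if ts < now - self.max_age or ts > now + self.max_age:
            return False  # outside the window: a replay could not be detected
        self._purge(now)
        key = (op_endpoint, nonce)
        if key in self._seen:
            return False  # replay of an assertion already accepted
        self._seen[key] = ts
        return True


def demo():
    """Constructed scenario: same nonce string from two different OP endpoints."""
    store = NonceStore(max_age_seconds=300)
    now = parse_nonce_timestamp("2006-09-14T23:45:00Z")
    op_a = "https://op-a.example/openid"
    op_b = "https://op-b.example/openid"
    nonce = "2006-09-14T23:43:47Zq1w2e3r4"
    return [
        store.check_and_record(op_a, nonce, now),                  # True: first use
        store.check_and_record(op_a, nonce, now),                  # False: replay
        store.check_and_record(op_b, nonce, now),                  # True: other endpoint
        store.check_and_record(op_a, "2006-09-14T22:00:00Zold", now),  # False: stale
        store.check_and_record(op_a, "not-a-nonce", now),          # False: malformed
    ]
```

Scoping the key to the endpoint means two OPs that happen to emit the same nonce string do not collide, which is the conflict the message worries about; the time window is what keeps the store finite for an RP that holds no association state.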