RP generated nonce for stateful mode.

[NISHITANI Masaki]

Hi everyone.

OpenID 2.0 uses nonce generated by OP to identify the
transaction. This seems very reasonable for stateless mode
authentication, because OP is the entity which is
responsible for protecting the stateless mode transaction
from replay-attacks. In this case, it is not so difficult
for OP to control nonce not to be used twice.

On the other hand, for stateful mode, OP generated nonce is
also used and RP assures the nonce should be uses only once
this time.
In general, it costs more for someone other than the
generator to ensure using nonce once, than the genetator
itself does it. Also in this case, RP should remenber every
nonces during certain time referring timestamp on each nonce.

Using RP generated nonce could simplify this. For example,
RP only caliculate a hash value for the end-users session-id
and send this to OP in auth_req. Then OP signs to the
RP-genetated-nonce and send it back in auth_res, now RP can
verify the sign with the session-id very easily. RP and OP
do not need to remember nonces.

Of cource this is not a nonce in strict meaning, and can be
used more than once. But that parameter is valid only in the
end-user's session. So if someone want to use the value for
replay-attack, it should hijacks the session beforehand.

So I wonder if this kind of idea has been discussed before
or not, and if it has.