Problem with nonces and HTTP GET
Breno de Medeiros
breno at google.com
Thu Jan 28 00:12:54 UTC 2010
Hi Andrew,
You raised two issues:
1. Nonce verification and its implications.
2. Using POST vs. GET as a philosophical issue of authentication protocols.
I think because of several reasons having to do with latency, user
experience, HTTP/HTTPS boundary warnings, robustness, there will be a
lot of reluctance to move from GET to POST, so while you make a valid
philosophical argument, GET will remain the prevailing mechanism for
entirely practical reasons.
So, I propose you reboot this discussion by starting another thread on
the nonce verification problem (assuming GET is the used protocol).
> Even with artifact binding moving the nonce outside the browser redirect
> URL, if only one GET is allowed because the artifact is a usable-once-only
> token, then it's not a GET--it's a POST by HTTP definition.
--
More information about the specs mailing list