Problem with nonces and HTTP GET

John Bradley john.bradley at wingaa.com
Thu Jan 28 12:44:23 UTC 2010


I am not arguing against artifact.

However allowing for nonce replay from a browser session is a separate issue.

If the nonce is only in the artifact resolution response the problem still exists, and is perhaps worse because of the latency involved in the second request.

If the user hits back and resubmits the indirect response and the RP performs artifact resolution on the same artifact a second time it should detect a replay and reject it.

John B.
On 2010-01-28, at 8:02 AM, Nat Sakimura wrote:

> (2010/01/28 16:21), Allen Tom wrote:
>> 
>> Hi all -
>> 
>> Before I get started – I agree that in an ideal world, we’d have full end to end SSL, old browsers would be banned, and we’d POST data.
>> 
>> However, requiring RPs to support SSL isn’t going to help adoption and is a deal breaker for most applications that want to use OpenID today. Encouraging RPs to use SSL is a great idea – but it should not be required.
>> 
>> Although most browsers can support URLs > 2KB, some proxy servers choke on URLs > 2KB. This is not fun to debug.
> I add one more thing here: Many mobile browsers choke. 
>> 
>> In practice, enforcing the nonce only gives the illusion of additional security. If there’s a MITM, instead of replaying (or pre-playing) the assertion, the attacker will just steal the browser cookies instead. Assertions should have a limited lifetime – but this can be enforced by checking the timestamp and allowing for a narrow replay window.
>> 
>> POST is technically the ideal solution, but results in a degraded UX. The proprietary market leaders have set the bar very high and we need to offer an open alternative that is just as good, if not better. We really aren’t going to get anywhere with a clunky UX.  POST adds additional latency, and can cause strange warnings and a blank interstitial (the self submitting form). 
>> 
>> I really would like to be able to return an assertion using AX with a lot of attributes, and Hybrid that can fit within the 2KB limit. This is needed just to reach parity with the proprietary stuff.
> Artifact Binding :-) Our implementation is returning (for the experiment purpose) an assertion that is well over 5MB with AX.
> 
> =nat
>> 
>> Allen
>>  
>> _______________________________________________
>> specs mailing list
>> specs at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs
>>   
> 
> 
> -- 
> Nat Sakimura (n-sakimura at nri.co.jp)
> Nomura Research Institute, Ltd. 
> Tel:+81-3-6274-1412 Fax:+81-3-6274-1547
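As an added example (not code from this thread or from any OpenID implementation), here is the RP-side check John describes, in Python: an OpenID 2.0 response_nonce whose timestamp falls outside a narrow window, or that this RP has already accepted from the same OP, is rejected, so a back-button resubmission of the same indirect response is caught. The OP endpoint URL, the 300-second window and the sample nonces are assumed values; the same store can be keyed on the artifact when the artifact binding is used.

```python
# Added example (not code from the list thread or any OpenID implementation):
# an RP-side replay check for OpenID 2.0 response_nonce values.
from datetime import datetime, timedelta, timezone

NONCE_TS_FMT = "%Y-%m-%dT%H:%M:%SZ"       # OpenID 2.0: UTC timestamp, then unique chars
NONCE_TS_LEN = len("2005-05-15T17:11:51Z")


class ReplayChecker:
    """Rejects a nonce that is stale or that this RP has already accepted."""

    def __init__(self, window_seconds=300):
        self.window = timedelta(seconds=window_seconds)
        self.seen = {}                     # (op_endpoint, nonce) -> expiry

    def check(self, op_endpoint, nonce, now):
        # Drop entries older than the window; a nonce outside the window is
        # rejected as stale anyway, so the store stays bounded.
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}
        try:
            issued = datetime.strptime(nonce[:NONCE_TS_LEN], NONCE_TS_FMT)
        except ValueError:
            return "malformed"
        issued = issued.replace(tzinfo=timezone.utc)
        if abs(now - issued) > self.window:
            return "stale"
        key = (op_endpoint, nonce)         # nonces are only unique per OP
        if key in self.seen:
            return "replay"
        self.seen[key] = issued + self.window
        return "ok"


def simulate_back_button(op="https://op.example/endpoint"):
    """Constructed sequence: a fresh assertion, the same one resubmitted via
    the back button, an old one, and garbage. Returns the four verdicts."""
    checker = ReplayChecker(window_seconds=300)
    now = datetime(2010, 1, 28, 12, 44, 23, tzinfo=timezone.utc)
    fresh = "2010-01-28T12:44:10Zq8xk3"            # constructed sample nonce
    old = "2010-01-28T11:00:00Zm2p7a"              # constructed, outside window
    return [
        checker.check(op, fresh, now),
        checker.check(op, fresh, now + timedelta(seconds=2)),
        checker.check(op, old, now),
        checker.check(op, "not-a-nonce", now),
    ]


if __name__ == "__main__":
    print(simulate_back_button())           # ['ok', 'replay', 'stale', 'malformed']
```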
