[OpenID] Checking signature on an unsolicited positive assertion
Luke Shepard
lshepard at facebook.com
Wed Jul 1 23:20:15 UTC 2009
I have a question about the spec that hopefully someone on the list can help with.
I'd like to accept an unsolicited positive OpenID assertion from a provider. So, instead of the RP issuing a request to the provider and then getting a response, the provider would just form the correct URL and send the user to it. The RP can then verify the signature and continue as though it had made the original request.
For performance reasons, it would be nice to use a shared secret, if one exists. That way the RP wouldn't have to make an extra HTTP request to the OP every time. However, section 11.4.2.1 of the spec says that doing so is forbidden as it opens up replay attacks.
http://openid.net/specs/openid-authentication-2_0.html#check_auth
Can someone clarify why this is disallowed? It seems to me that as long as the provider supplies a nonce, and the RP checks the nonce, then there is no replay attack possible.
Thanks,
Luke
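The check described above, as an added example that is not part of the original post or of any OpenID library: an RP-side verifier that checks an unsolicited positive assertion's HMAC-SHA256 signature against a stored association secret and rejects a stale or reused openid.response_nonce. The association handle, secret, endpoints and fixed clock are constructed values.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone
# Constructed association secret keyed by assoc_handle (assumed, not from the post);
# a real RP stores these after the association exchange with the OP.
ASSOCIATIONS = {"assoc-demo-1": b"0123456789abcdef0123456789abcdef"}  # HMAC-SHA256
MAX_NONCE_SKEW = timedelta(minutes=5)
seen_nonces = set()  # (op_endpoint, nonce) already accepted; persist this in production
DEMO_NOW = datetime(2009, 7, 1, 23, 20, 15, tzinfo=timezone.utc)  # fixed clock for the demo

def kv_form(params, signed_fields):
    # Key-value form from the spec: "key:value\n" per signed field, "openid." prefix stripped
    return "".join(f"{f}:{params.get('openid.' + f, '')}\n" for f in signed_fields).encode()

def sign(params, secret):
    mac = hmac.new(secret, kv_form(params, params["openid.signed"].split(",")), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")

def check_nonce(op_endpoint, nonce, now):
    # response_nonce = ISO 8601 UTC timestamp plus optional unique suffix; reject stale or reused
    try:
        ts = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False
    if abs(now - ts) > MAX_NONCE_SKEW or (op_endpoint, nonce) in seen_nonces:
        return False
    seen_nonces.add((op_endpoint, nonce))
    return True

def verify_assertion(params, now=DEMO_NOW):
    """Accept an unsolicited positive assertion only if signature and nonce both check out."""
    if params.get("openid.mode") != "id_res":
        return False
    secret = ASSOCIATIONS.get(params.get("openid.assoc_handle", ""))
    if secret is None:
        return False  # unknown handle: RP must fall back to check_authentication with the OP
    signed = set(params.get("openid.signed", "").split(","))
    if not {"op_endpoint", "return_to", "response_nonce", "assoc_handle"} <= signed:
        return False  # spec-required fields missing from the signed list
    if not hmac.compare_digest(sign(params, secret), params.get("openid.sig", "")):
        return False
    return check_nonce(params["openid.op_endpoint"], params["openid.response_nonce"], now)

def make_demo_assertion(nonce):
    # Constructed assertion as the OP would form it before redirecting the user to the RP
    p = {"openid.ns": "http://specs.openid.net/auth/2.0", "openid.mode": "id_res",
         "openid.op_endpoint": "https://op.example/endpoint", "openid.return_to": "https://rp.example/finish",
         "openid.claimed_id": "https://op.example/alice", "openid.identity": "https://op.example/alice",
         "openid.assoc_handle": "assoc-demo-1", "openid.response_nonce": nonce,
         "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity"}
    p["openid.sig"] = sign(p, ASSOCIATIONS["assoc-demo-1"])
    return p
```

The second presentation of the same assertion is refused by the nonce store, which is the replay protection the question relies on; the nonce store must be shared across all RP instances for that to hold.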