[OpenID] Nonces generated by the server?
Allen Tom
atom at yahoo-inc.com
Wed Apr 1 01:21:38 UTC 2009
OPs that are globally distributed would have issues with validating the
uniqueness of the nonce, as it implies that the nonce needs to be
replicated everywhere. OPs which use IP-based load balancing could have
a lot of issues.
For instance, in the worst case where the user's browser and the RP are
on opposite sides of the world, the nonce would be issued by the OP in a
datacenter closest to the user's browser, and then immediately submitted
for verification by the RP in a datacenter on the opposite side of the
world. In theory, the OP serving the verification request could forcibly
try to sync the data if it's not already present in its local cache, but
there are often networking issues between distant datacenters, and OPs
may want to have their systems be resistant to networking issues between
distant geographic locations, at the expense of having slightly stale data.
I would recommend that RPs that want to protect against replay attacks
use HTTPS for all OpenID requests.
Allen
Breno de Medeiros wrote:
>
> I believe that the spec should make it clear that the OP is
> responsible for validating the uniqueness of the nonce in stateless mode.
>
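Added example, not part of the original message or of any OP's code: a small Python model of the scenario described above, where a nonce is issued at one datacenter and checked at another before their caches have synced. The `Datacenter` class, the `strict` flag, `replicate` and the 5-minute `MAX_AGE` window are assumptions made for illustration.

```python
import datetime as dt
import secrets

MAX_AGE = dt.timedelta(minutes=5)  # assumed acceptance window
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"   # timestamp prefix of an OpenID 2.0 response_nonce

class Datacenter:
    """One OP site with its own local nonce cache (hypothetical model)."""
    def __init__(self):
        self.issued = set()    # nonces this site knows were issued
        self.consumed = set()  # nonces this site knows were already verified

    def issue(self, now):
        nonce = now.strftime(TS_FORMAT) + secrets.token_hex(8)
        self.issued.add(nonce)
        return nonce

    def verify(self, nonce, now, strict):
        issued_at = dt.datetime.strptime(nonce[:20], TS_FORMAT)
        if abs(now - issued_at) > MAX_AGE:
            return "rejected: expired"
        if nonce in self.consumed:
            return "rejected: replay"
        if strict and nonce not in self.issued:
            return "rejected: unknown nonce"  # legitimate login fails on stale data
        self.consumed.add(nonce)
        return "accepted"

def replicate(a, b):
    """Bring both sites to the same state (the cross-datacenter sync)."""
    a.issued |= b.issued
    b.issued |= a.issued
    a.consumed |= b.consumed
    b.consumed |= a.consumed

def scenario(strict):
    now = dt.datetime(2009, 4, 1, 1, 21, 38)  # constructed clock value
    near_browser, near_rp = Datacenter(), Datacenter()
    nonce = near_browser.issue(now)
    results = [near_rp.verify(nonce, now, strict)]           # RP's check lands on the far site
    results.append(near_browser.verify(nonce, now, strict))  # same nonce again, before sync
    replicate(near_browser, near_rp)
    results.append(near_browser.verify(nonce, now, strict))  # same nonce again, after sync
    results.append(near_rp.verify(nonce, now + 2 * MAX_AGE, strict))  # outside the window
    return results

if __name__ == "__main__":
    for strict in (True, False):
        print("strict" if strict else "lenient", scenario(strict))
```

In lenient mode the second `accepted` shows that the same nonce passes twice for as long as the sites are out of sync; the timestamp check caps that window at `MAX_AGE`.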