The OP MUST be able to send a nonce to support unsolicited assertions, where the RP never sends any request at all. And then there's dumb mode, where the OP consumes its own nonce.<div><br></div><div>In OAuth when the consumer is sending a nonce, the service provider consumes it. So both with OpenID and OAuth, the party that produces the nonce and the party that consumes it are two different parties.</div>
<div><br></div><div>DotNetOpenId/DotNetOpenAuth is one such library that absolutely checks the nonce to prevent replays. When in the RP role, it also tacks a request_nonce to the return_to when communicating with 1.1 OPs since they are not expected to send a response_nonce as part of the assertion. <br clear="all">
--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br><br><div class="gmail_quote">2009/3/31 Martin Atkins <span dir="ltr"><<a href="mailto:mart@degeneration.co.uk">mart@degeneration.co.uk</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>
I was idly reading the OpenID spec today and was reminded that the OpenID spec has the server generate a response nonce, rather than it being generated by the consumer.<br>
<br>
This seems strange to me, because in order to prevent replay it requires the consumer to remember all nonces that it has seen recently. If the consumer generated the nonce, then it would only need to retain state of nonces that it has issued, which is conceptually simpler.<br>
<br>
I note that over in OAuth land they have the consumer generate the nonce rather than the server.<br>
<br>
Is there a specific security reason why the server generates the nonce in OpenID, or was this just an arbitrary decision?<br>
<br>
I'm also somewhat curious about how many OpenID consumers actually do nonce checking. Net::OpenID::Consumer for Perl actually ignores the nonce altogether and implements its own timestamp checking due to legacy code for OpenID 1.1, and seems to be vulnerable to replay for up to 30 seconds after a positive assertion. Are *any* RPs actually checking nonces to prevent replay during the timestamp window?<br>
<br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</blockquote></div><br></div>