<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
The security doc will mention that nonces must be scoped to the OP
endpoint. I was waiting for the OpenID 2.1 WG to officially start up,
but it looks like the community would benefit from a living security
best practices document, so we'll probably start one on the public wiki
as soon as the OIDF fires up its new security committee.<br>
<br>
Thanks<br>
Allen<br>
<br>
<br>
Andrew Arnott wrote:
<blockquote cite="mid:378F221E-9CFD-4E6F-92DA-72EF235D3E91@gmail.com"
type="cite">
<div>Allen I'm copying you because you're on the 2.1 spec WG. I'd
also like to see the spec or living security document point out that
the RP must scope the nonces to the OP endpoint when checking for
replays so that two OPs with nonces that happen to match don't collide
as a replay. <br>
<br>
Sent from my iPhone</div>
<div><br>
On Mar 31, 2009, at 5:33 PM, Breno de Medeiros <<a
moz-do-not-send="true" href="mailto:breno@google.com">breno@google.com</a>>
wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>I would also add that while the responsibility should rely on
the OP to check nonces in stateless mode, that if the OP does not have
an HTTPS URL for check_authentication, a compromise of the DNS service
at the RP allows replay of _any_ earlier cached responses. So RPs
should at least try to see if the timestamp is not too skewed.<br>
<br>
<br>
<br>
<div class="gmail_quote">On Tue, Mar 31, 2009 at 5:25 PM, Andrew
Arnott <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:andrewarnott@gmail.com">andrewarnott@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Yes,
Breno. I'd also like to see the spec give a maximum allowable length
for the nonce to RPs know better what they can expect and how much
storage to allow for nonces.
<div class="im"><br clear="all">
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the
death your right to say it." - Voltaire<br>
<br>
<br>
</div>
<div class="gmail_quote">2009/3/31 Breno de Medeiros <span
dir="ltr"><<a moz-do-not-send="true" href="mailto:breno@google.com">breno@google.com</a>></span>
<div>
<div class="h5"><br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
<br>
<div class="gmail_quote">
<div>On Tue, Mar 31, 2009 at 3:46 PM, Martin Atkins <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:mart@degeneration.co.uk">mart@degeneration.co.uk</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>
<div>Andrew Arnott wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I'm also somewhat curious about how many OpenID consumers actually<br>
do nonce checking. Net::OpenID::Consumer for Perl actually ignores<br>
the nonce altogether and implements its own timestamp checking due<br>
to legacy code for OpenID 1.1, and seems to be vulnerable to replay<br>
for up to 30 seconds after a positive assertion.<br>
<br>
<br>
The author of the Perl library ought to be ashamed. This kind of thing
reduces my confidence in using OpenID at any site other than one that I
wrote the library for myself.<br>
<br>
Although this is what OSIS testing is all about. Hopefully there is a
test to catch RPs and OPs that don't check the nonce for replays.<br>
</blockquote>
<br>
</div>
</div>
Yes. As the maintainer of that library (though not its original
author), I am ashamed, which is what prompted the question in the first
place.</blockquote>
</div>
<div><br>
I believe that the spec should make it clear that the OP is responsible
for validating the uniqueness of the nonce in stateless mode. <br>
</div>
<div>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
<br>
I'd love to have a test in the test suite for this.<br>
<br>
RPs only need to do this checking when they're running in stateful
mode, right? Since stateless RPs have nowhere to store state they can't
retain a history of nonces.<br>
<br>
Can you share some high-level details about your nonce-checking
implementation? Specifically how you persist the previous nonces, when
you expire them, etc?<br>
<br>
I'm wondering if it would instead be simpler to use a client-generated
nonce in the return_to URL, as you note that DotNetOpenID is doing for
1.1 requests, thus allowing the nonce checking to be a whitelist rather
than a blacklist and the nonces to be in a known format that I can
optimize for.
<div>
<div><br>
<br>
_______________________________________________<br>
general mailing list<br>
<a moz-do-not-send="true" href="mailto:general@openid.net">general@openid.net</a><br>
<a moz-do-not-send="true"
href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a><br>
</div>
</div>
</blockquote>
</div>
</div>
<br>
<br clear="all">
<div>
<div><br>
-- <br>
--Breno<br>
<br>
+1 (650) 214-1007 desk<br>
+1 (408) 212-0135 (Grand Central)<br>
MTV-41-3 : 383-A <br>
PST (GMT-8) / PDT(GMT-7)<br>
</div>
</div>
<br>
_______________________________________________<br>
general mailing list<br>
<a moz-do-not-send="true" href="mailto:general@openid.net">general@openid.net</a><br>
<a moz-do-not-send="true"
href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a><br>
<br>
</blockquote>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
--Breno<br>
<br>
+1 (650) 214-1007 desk<br>
+1 (408) 212-0135 (Grand Central)<br>
MTV-41-3 : 383-A <br>
PST (GMT-8) / PDT(GMT-7)<br>
</div>
</blockquote>
</blockquote>
<br>
</body>
</html>