<br><br><div class="gmail_quote">On Tue, Mar 31, 2009 at 2:28 PM, Martin Atkins <span dir="ltr"><<a href="mailto:mart@degeneration.co.uk">mart@degeneration.co.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
I was idly reading the OpenID spec today and was reminded that the OpenID spec has the server generate a response nonce, rather than it being generated by the consumer.<br>
<br>
This seems strange to me, because in order to prevent replay it requires the consumer to remember all nonces that it has seen recently. If the consumer generated the nonce, then it would only need to retain state of nonces that it has issued, which is conceptually simpler.</blockquote>
<div><br>Yes, I wondered about that too. Note, however, that in OpenID dumb (stateless) mode the OP has the opposite obligation. So if you do down that route, it would be better that there was a nonce from RP and a nonce-response from OP so that both could employ more reliable approaches to nonce-checking.<br>
</div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
<br>
I note that over in OAuth land they have the consumer generate the nonce rather than the server.<br>
<br>
Is there a specific security reason why the server generates the nonce in OpenID, or was this just an arbitrary decision?<br>
<br>
I'm also somewhat curious about how many OpenID consumers actually do nonce checking. Net::OpenID::Consumer for Perl actually ignores the nonce altogether and implements its own timestamp checking due to legacy code for OpenID 1.1, and seems to be vulnerable to replay for up to 30 seconds after a positive assertion. Are *any* RPs actually checking nonces to prevent replay during the timestamp window?<br>
<br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>--Breno<br><br>+1 (650) 214-1007 desk<br>+1 (408) 212-0135 (Grand Central)<br>MTV-41-3 : 383-A <br>PST (GMT-8) / PDT(GMT-7)<br>