[security] OpenID Security Best Practices Doc
Johannes Ernst
jernst+openid.net at netmesh.us
Mon Jun 8 23:28:42 UTC 2009
On Jun 8, 2009, at 15:50, Allen Tom wrote:
>> 6) Pull the replay warning into its own bullet, and mention the
>> use of a timestamp to bound the time nonces must be stored for.
> [atom] Also a good point. On a related note, many large globally
> distributed RPs may have a hard time implementing nonces as per the
> OpenID spec, as it's technically tricky to globally replicate data,
> especially if it needs to be replicated very quickly. In practice,
> RPs may only find it practical to verify that the timestamp is
> "current" as opposed to actually verifying that the nonce can
> only be used once.
In this case, do these mythical "globally distributed RPs" have a
better approach for avoiding replay attacks, or do they simply swallow
that risk because no better approach is known?
Just wondering ...
Johannes Ernst
NetMesh Inc.
http://netmesh.info/jernst