[security] OpenID Security Best Practices Doc
Allen Tom
atom at yahoo-inc.com
Mon Jun 8 23:35:54 UTC 2009
Hi Johannes,
My personal opinion is that if HTTPS is used for the entire protocol
flow, including the RP's return_to URL, then the RP should be able to
verify that the timestamp in the nonce is current, to within a few
minutes, as opposed to having to verify that the entire nonce is truly
unique.
Allen
Johannes Ernst wrote:
>
> On Jun 8, 2009, at 15:50, Allen Tom wrote:
>
>>> 6) Pull the replay warning into its own bullet, and mention the use
>>> of a timestamp to bound the time nonces must be stored for.
>> [atom] Also a good point. On a related note, many large globally
>> distributed RPs may have a hard time implementing nonces as per the
>> OpenID spec, as it's technically tricky to globally replicate data,
>> especially if it needs to be replicated very quickly. In practice,
>> RPs may only find it practical to verify that the timestamp is
>> "current" as opposed to actually verifying that the nonce can only
>> be used once.
>
> In this case, do these mythical "globally distributed RPs" have a
> better approach for avoiding replay attacks or do they simply swallow
> that risk because no better approach is known?
>
> Just wondering ...
>
> Johannes Ernst
> NetMesh Inc.
> http://netmesh.info/jernst
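The two checks being compared in this thread (full per-spec nonce uniqueness versus timestamp freshness only), as an added example that is not code from this thread, from Yahoo, or from NetMesh. It assumes the OpenID 2.0 response_nonce format (an RFC 3339 UTC timestamp such as 2009-06-08T23:35:54Z followed by up to 255 characters in total); the NonceChecker class, its check_uniqueness switch and the five-minute window are illustrative choices, not anything the spec or the thread defines. Keeping the timestamp in the nonce is what lets the full check bound its storage: once a nonce is older than the window it would be rejected as stale anyway, so it can be forgotten.

```python
import re
import time
from datetime import datetime, timezone

# OpenID 2.0 response_nonce: RFC 3339 UTC timestamp, no fractional seconds,
# optionally followed by printable ASCII; whole value at most 255 characters.
_NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)([\x21-\x7e]*)$")


def parse_nonce_timestamp(nonce):
    """Return the nonce's timestamp as POSIX seconds, or None if malformed."""
    if len(nonce) > 255:
        return None
    m = _NONCE_RE.match(nonce)
    if not m:
        return None
    try:
        dt = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:  # e.g. month 13
        return None
    return dt.replace(tzinfo=timezone.utc).timestamp()


class NonceChecker:
    """Replay check for OpenID response_nonce values (illustrative class).

    check_uniqueness=True  : per-spec behaviour; each nonce accepted once,
                             and the timestamp bounds how long it is kept.
    check_uniqueness=False : the relaxed variant discussed on the list;
                             only timestamp freshness is enforced, so a
                             response replayed inside the window is accepted.
    """

    def __init__(self, window_seconds=300, check_uniqueness=True):
        self.window = window_seconds
        self.check_uniqueness = check_uniqueness
        self._seen = {}  # nonce -> timestamp embedded in it

    def _expire(self, now):
        # Anything older than the window would fail the freshness check
        # anyway, so remembering it buys nothing: drop it.
        cutoff = now - self.window
        for n in [n for n, ts in self._seen.items() if ts < cutoff]:
            del self._seen[n]

    def pending_count(self):
        """Number of nonces currently remembered (shows storage is bounded)."""
        return len(self._seen)

    def accept(self, nonce, now=None):
        """Return (accepted, reason). `now` is injectable for testing."""
        now = time.time() if now is None else now
        ts = parse_nonce_timestamp(nonce)
        if ts is None:
            return False, "malformed nonce"
        # Reject outside the window in either direction; the future-side
        # allowance tolerates modest clock skew between OP and RP.
        if ts < now - self.window:
            return False, "stale nonce"
        if ts > now + self.window:
            return False, "nonce timestamp in the future"
        if not self.check_uniqueness:
            return True, "fresh (timestamp only; replay within window not detected)"
        self._expire(now)
        if nonce in self._seen:
            return False, "replayed nonce"
        self._seen[nonce] = ts
        return True, "fresh and unique"


if __name__ == "__main__":
    # Constructed sample: a nonce issued at 23:35:54Z, checked 10 s later.
    issued = parse_nonce_timestamp("2009-06-08T23:35:54ZUNIQUE")
    strict = NonceChecker(check_uniqueness=True)
    relaxed = NonceChecker(check_uniqueness=False)
    for checker in (strict, relaxed):
        for _ in range(2):
            print(checker.accept("2009-06-08T23:35:54ZUNIQUE", now=issued + 10))
```

Run stand-alone, the strict checker accepts the first presentation and rejects the second as a replay, while the relaxed checker accepts both; that second acceptance is exactly the risk Johannes asks about, and the window length is the only thing limiting it.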