Oops... just realized that the blog post I linked to was about DNOA's OP protecting 1.x RPs from replay attacks... not about RPs protecting themselves from replay attacks when working with 1.0 OPs. I guess I don't have a blog post for that specific feature. But anyway yes, DNOA RPs do the whole request_nonce thing when working with 1.0 OPs. <div>
<br></div><div>And I guess even with 2.0 OPs since the primary scenario is shared associations where RPs are responsible for the response_nonce check they are protected. If Yahoo isn't checking nonces for replay attacks, the only possible place that exposes a vulnerability would be when the RP is in dumb mode. And even then, as Allen said, since everything is over HTTPS the risk seems minimal to me.</div>
<div><br></div><div>--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">2009/6/8 Andrew Arnott <span dir="ltr"><<a href="mailto:andrewarnott@gmail.com">andrewarnott@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Yes, <a href="http://blog.nerdbank.net/2009/03/replay-protection-for-openid-1x-relying.html" target="_blank">DotNetOpenAuth RPs attach their own nonces to their return_to's when communicating with 1.0 OPs</a>. It would be a simple matter to expand the scenarios it activates this behavior for if necessary.<div>
<br></div><div><font color="#888888">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre</font><div><div></div><div class="h5">
<br>
<br><br><div class="gmail_quote">On Mon, Jun 8, 2009 at 4:47 PM, John Bradley <span dir="ltr"><<a href="mailto:jbradley@mac.com" target="_blank">jbradley@mac.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">The other approach that has been used to secure 1.1 RP's is to place a signed nonce in the nonce in the return_to URI. The RP verifies its own sig.<div><br></div><div>I believe this is an option in DotNetOpenAuth for openID as well.</div>
<div><br></div><div>This removes the need for the RP to synchronize data across servers. This assumes properly configured load balancers though.</div><div><br></div><div>That is one other approach.</div><div><br></div><div>
John B.<br><div><div>On 8-Jun-09, at 7:35 PM, Allen Tom wrote:</div><br><blockquote type="cite"> <div bgcolor="#ffffff" text="#000000"> Hi Johannes,<br> <br> My personal opinion is that if HTTPS is used for the entire protocol flow, including the RP's return_to URL, then the RP should be able to verify that the timetamp in the nonce is current, to within a few minutes, as opposed to having to verify that the entire nonce is truly unique.<br>
<br> Allen<br> <br> <br> <br> Johannes Ernst wrote: <blockquote type="cite"><br> On Jun 8, 2009, at 15:50, Allen Tom wrote: <br> <br> <blockquote type="cite"> <blockquote type="cite">6) Pull the replay warning into its own bullet, and mention the use of a timestamp to bound the time nonces must be stored for. <br>
</blockquote> [atom] Also a good point. On a related note, many large globally distributed RPs may have a hard time implementing nonces as per the OpenID spec, as it's technically tricky to globally replicate data, especially if it needs to be replicated very quickly. In practice, RPs may only find it practical to verify that the timestamp is "current" as opposed to actually verifying that the nonce is can only be used once. <br>
</blockquote> <br> In this case, do these mythical "globally distributed RPs" have a better approach for avoiding replay attacks or do they simply swallow that risk because no better approach is known. <br>
<br>
Just wondering ... <br> <br> <br> <br> <br> <br> Johannes Ernst <br> NetMesh Inc. <br> <br> <br> <hr size="4" width="90%"><br> <center><span><mime-attachment.gif></span></center><p> <br> <br> </p> <hr size="4" width="90%">
<br> <center><span><mime-attachment.gif></span></center><p> <a href="http://netmesh.info/jernst" target="_blank">http://netmesh.info/jernst</a> <br> <br> <br> <br> </p> </blockquote> <br> </div> _______________________________________________<br>
security mailing list<br><a href="mailto:security@openid.net" target="_blank">security@openid.net</a><br><a href="http://openid.net/mailman/listinfo/security" target="_blank">http://openid.net/mailman/listinfo/security</a><br>
</blockquote></div><br></div></div></blockquote></div><br></div></div></div>
</blockquote></div><br></div>