<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">The addition was not about native or desktop apps. It is just to recognize that a web server establishes some sort of session with the browser, typically with a cookie, and can store additional attributes like the nonce in the server tied to the session rather than as separate cookies etc. in the browser. It is not a change in what you are protecting against, just a recognition that many web servers store state for the session on the server.<div><br></div><div>John B.<br><div><div>On Nov 14, 2013, at 10:21 AM, George Fletcher <<a href="mailto:gffletch@aol.com">gffletch@aol.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
<div bgcolor="#FFFFFF" text="#000000">
<font face="Helvetica, Arial, sans-serif">Hi Justin,<br>
<br>
From a general solution perspective, how is this different from
the last sentence that Mike wrote <br>
</font>
<blockquote><font face="Helvetica, Arial, sans-serif">"</font>A
related method applicable to JavaScript Clients is to store the
random value in HTML5 local storage and use a cryptographic hash
of this value."<br>
</blockquote>
Basically, native applications (or desktop apps) can all store
something local like the JavaScript client Mike mentions. Would it
help to just make this last sentence a little more generic?<br>
<blockquote>A related method for JavaScript Client, native
applications or rich desktop applications is to store the random
value in local storage and use a cryptographic hash of this value
as the nonce in the request.<br>
</blockquote>
Thanks,<br>
George<br>
<br>
<div class="moz-cite-prefix">On 11/13/13 7:26 PM, Richer, Justin P.
wrote:<br>
</div>
<blockquote cite="mid:27CCD2FF-7EED-4382-A2D0-29CABE9C76BB@mitre.org" type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
I like the text that's there, but let's add this to cover the
other (in my view, more common) case:
<div><br>
</div>
<div>"Another option, often useful for clients that are web
servers or native applications, is to store the value of the
nonce in a protected store local to the client, away from the
user agent. This value can be retrieved from the store when the
end user returns to the client via the redirect_uri and used
when validating the id_token."
<div><br>
</div>
<div> -- Justin</div>
<div><br>
<div>
<div>On Nov 13, 2013, at 10:16 PM, Mike Jones <<a moz-do-not-send="true" href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div link="blue" vlink="purple" style="font-family: Helvetica; font-size: inherit; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;" lang="EN-US">
<div class="WordSection1" style="page: WordSection1; ">
<div style="margin: 0in 0in 0.0001pt; font-size: 12pt;
font-family: 'Times New Roman', serif; ">
<span style="font-size: 11pt; font-family: Calibri,
sans-serif; color: rgb(31, 73, 125); ">If you want
to propose specific text changes, we can look at
them. Otherwise, I think we’re good.<o:p></o:p></span></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 12pt;
font-family: 'Times New Roman', serif; ">
<span style="font-size: 11pt; font-family: Calibri,
sans-serif; color: rgb(31, 73, 125); "> </span></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 12pt;
font-family: 'Times New Roman', serif; ">
<span style="font-size: 11pt; font-family: Calibri,
sans-serif; color: rgb(31, 73, 125); ">
-- Mike<o:p></o:p></span></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 12pt;
font-family: 'Times New Roman', serif; ">
<span style="font-size: 11pt; font-family: Calibri,
sans-serif; color: rgb(31, 73, 125); "> </span></div>
<div>
<div style="border-style: solid none none;
border-top-width: 1pt; border-top-color: rgb(181,
196, 223); padding: 3pt 0in 0in; ">
<div style="margin: 0in 0in 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif; ">
<b><span style="font-size: 10pt; font-family:
Tahoma, sans-serif; ">From:</span></b><span style="font-size: 10pt; font-family: Tahoma,
sans-serif; "><span class="Apple-converted-space"> </span>John
Bradley [<a class="moz-txt-link-freetext" href="mailto:ve7jtb@ve7jtb.com">mailto:ve7jtb@ve7jtb.com</a>]<span class="Apple-converted-space"> </span><br>
<b>Sent:</b><span class="Apple-converted-space"> </span>Wednesday,
November 13, 2013 12:40 PM<br>
<b>To:</b><span class="Apple-converted-space"> </span>Brian
Campbell<br>
<b>Cc:</b><span class="Apple-converted-space"> </span>George
Fletcher; Mike Jones;
<a moz-do-not-send="true" href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b><span class="Apple-converted-space"> </span>Re:
[Openid-specs-ab] Nonce value suggestion for
the Implicit Flow<o:p></o:p></span></div>
</div>
</div>
<div style="margin: 0in 0in 0.0001pt; font-size: 12pt;
font-family: 'Times New Roman', serif; ">
<o:p> </o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 12pt;
font-family: 'Times New Roman', serif; ">
That looks good.<o:p></o:p></div>
<div>
<div style="margin: 0in 0in 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif; ">
<o:p> </o:p></div>
</div>
<div>
<div style="margin: 0in 0in 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif; ">
One question is if we want to also say the nonce
value may be stored as part of the session state
on the client (webserver). <o:p></o:p></div>
</div>
<div>
<div style="margin: 0in 0in 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif; ">
<o:p> </o:p></div>
</div>
<div>
<div style="margin: 0in 0in 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif; ">
Adding too many options may just confuse people
though.<o:p></o:p></div>
</div>
<div>
<div style="margin: 0in 0in 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif; ">
<o:p> </o:p></div>
</div>
<div>
<div style="margin: 0in 0in 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif; ">
John B.<o:p></o:p></div>
</div>
<div>
<div style="margin: 0in 0in 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif; ">
<o:p> </o:p></div>
</div>
<div>
<div style="margin: 0in 0in 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif; ">
<o:p> </o:p></div>
<div>
<div>
<div style="margin: 0in 0in 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif; ">
On Nov 13, 2013, at 11:38 AM, Brian Campbell
<<a moz-do-not-send="true" href="mailto:bcampbell@pingidentity.com" style="color: purple; text-decoration:
underline; ">bcampbell@pingidentity.com</a>>
wrote:<o:p></o:p></div>
</div>
<div style="margin: 0in 0in 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif; ">
<br>
<br>
<o:p></o:p></div>
<div>
<div style="margin: 0in 0in 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif; ">
"a random value as an HttpOnly a session
cookie" -> remove the "a" after HttpOnly?<o:p></o:p></div>
</div>
<div><p class="MsoNormal" style="margin: 0in 0in
12pt; font-size: 12pt; font-family: 'Times New
Roman', serif; ">
<o:p> </o:p></p>
<div>
<div style="margin: 0in 0in 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; ">
On Wed, Nov 13, 2013 at 11:35 AM, George
Fletcher <<a moz-do-not-send="true" href="mailto:gffletch@aol.com" target="_blank" style="color: purple;
text-decoration: underline; ">gffletch@aol.com</a>>
wrote:<o:p></o:p></div>
<div><p class="MsoNormal" style="margin: 0in 0in
12pt; font-size: 12pt; font-family: 'Times
New Roman', serif; ">
<span style="font-family: Helvetica,
sans-serif; ">I'll let John quibble over
the specifics :) ... but it looks good
to me. Thanks, George</span><o:p></o:p></p>
<div>
<div>
<div style="margin: 0in 0in 0.0001pt;
font-size: 12pt; font-family: 'Times
New Roman', serif; ">
On 11/13/13 1:30 PM, Mike Jones wrote:<o:p></o:p></div>
</div>
<blockquote style="margin-top: 5pt;
margin-bottom: 5pt; ">
<div>
<div style="margin: 0in 0in 0.0001pt;
font-size: 12pt; font-family: 'Times
New Roman', serif; ">
<span style="font-size: 11pt;
font-family: Calibri, sans-serif;
color: rgb(31, 73, 125); ">Please
review the new text at<span class="Apple-converted-space"> </span><a moz-do-not-send="true" href="http://openid.bitbucket.org/openid-connect-core-1_0.html#NonceNotes" target="_blank" style="color:
purple; text-decoration:
underline; ">http://openid.bitbucket.org/openid-connect-core-1_0.html#NonceNotes</a>,
which is where the implementation
suggestions for the nonce
parameter have been moved.</span><o:p></o:p></div>
<div style="margin: 0in 0in 0.0001pt;
font-size: 12pt; font-family: 'Times
New Roman', serif; ">
<span style="font-size: 11pt;
font-family: Calibri, sans-serif;
color: rgb(31, 73, 125); "> </span><o:p></o:p></div>
<div style="margin: 0in 0in 0.0001pt;
font-size: 12pt; font-family: 'Times
New Roman', serif; ">
<span style="font-size: 11pt;
font-family: Calibri, sans-serif;
color: rgb(31, 73, 125); ">
-- Mike</span><o:p></o:p></div>
<div style="margin: 0in 0in 0.0001pt;
font-size: 12pt; font-family: 'Times
New Roman', serif; ">
<span style="font-size: 11pt;
font-family: Calibri, sans-serif;
color: rgb(31, 73, 125); "> </span><o:p></o:p></div>
<div style="margin: 0in 0in 0.0001pt;
font-size: 12pt; font-family: 'Times
New Roman', serif; ">
<b><span style="font-size: 10pt;
font-family: Tahoma, sans-serif;
">From:</span></b><span style="font-size: 10pt;
font-family: Tahoma, sans-serif; "><span class="Apple-converted-space"> </span><a moz-do-not-send="true" href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank" style="color:
purple; text-decoration:
underline; ">openid-specs-ab-bounces@lists.openid.net</a><span class="Apple-converted-space"> </span>[<a moz-do-not-send="true" href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank" style="color:
purple; text-decoration:
underline; ">mailto:openid-specs-ab-bounces@lists.openid.net</a>]<span class="Apple-converted-space"> </span><b>On
Behalf Of<span class="Apple-converted-space"> </span></b>Brian
Campbell<br>
<b>Sent:</b><span class="Apple-converted-space"> </span>Wednesday,
October 30, 2013 9:00 AM<br>
<b>To:</b><span class="Apple-converted-space"> </span>John
Bradley<br>
<b>Cc:</b><span class="Apple-converted-space"> </span><a moz-do-not-send="true" href="mailto:openid-specs-ab@lists.openid.net" target="_blank" style="color:
purple; text-decoration:
underline; ">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b><span class="Apple-converted-space"> </span>Re:
[Openid-specs-ab] Nonce value
suggestion for the Implicit Flow</span><o:p></o:p></div>
<div style="margin: 0in 0in 0.0001pt;
font-size: 12pt; font-family: 'Times
New Roman', serif; ">
<o:p></o:p></div>
<div>
<div style="margin: 0in 0in
0.0001pt; font-size: 12pt;
font-family: 'Times New Roman',
serif; ">
The nonce is a different approach
to protecting against things like
replay prevention but doesn't have
the same scaling implications as
tracking token ids. Which is nice.<o:p></o:p></div>
</div>
<div><p class="MsoNormal" style="margin:
0in 0in 12pt; font-size: 12pt;
font-family: 'Times New Roman',
serif; ">
<o:p></o:p></p>
<div>
<div style="margin: 0in 0in
0.0001pt; font-size: 12pt;
font-family: 'Times New Roman',
serif; ">
On Wed, Oct 30, 2013 at 4:13 AM,
John Bradley <<a moz-do-not-send="true" href="mailto:ve7jtb@ve7jtb.com" target="_blank" style="color:
purple; text-decoration:
underline; ">ve7jtb@ve7jtb.com</a>>
wrote:<o:p></o:p></div>
<div>
<div style="margin: 0in 0in
0.0001pt; font-size: 12pt;
font-family: 'Times New
Roman', serif; ">
The nonce is opaque to the AS,
it is sent by the client and
validated by the client. It
binds the signed id_token to
something in the user's
browser session. This is
critical to prevent attacks on
the implicit flow, where the
redirect_uri is not sent to
the token endpoint for
validation. It is not
required for the "code" flow.
In the hybrid flows it needs
to be used to validate the
id_token presented in the
front channel as well, as the
client may be using the
id_token before exchanging
code at the token endpoint,
and discovering an attack.<o:p></o:p></div>
<div>
<div style="margin: 0in 0in
0.0001pt; font-size: 12pt;
font-family: 'Times New
Roman', serif; ">
<o:p></o:p></div>
</div>
<div>
<div style="margin: 0in 0in
0.0001pt; font-size: 12pt;
font-family: 'Times New
Roman', serif; ">
I think it also prevents
some attacks against code
interception that checking
the redirect_uri wouldn't so
in a high loa deployment I
would check both nonce and
the redirect_uri.<o:p></o:p></div>
<div>
<div style="margin: 0in 0in
0.0001pt; font-size: 12pt;
font-family: 'Times New
Roman', serif; ">
<o:p></o:p></div>
</div>
<div>
<div style="margin: 0in 0in
0.0001pt; font-size: 12pt;
font-family: 'Times New
Roman', serif; ">
Are you asking about "jti"
in the assertion used to
authenticate the client to
the token endpoint?<o:p></o:p></div>
</div>
<div>
<div style="margin: 0in 0in
0.0001pt; font-size: 12pt;
font-family: 'Times New
Roman', serif; ">
<o:p></o:p></div>
<div>
<div>
<div style="margin: 0in
0in 0.0001pt;
font-size: 12pt;
font-family: 'Times
New Roman', serif; ">
On Oct 30, 2013, at
1:44 AM, Anthony
Nadalin <<a moz-do-not-send="true" href="mailto:tonynad@microsoft.com" target="_blank" style="color:
purple;
text-decoration:
underline; ">tonynad@microsoft.com</a>>
wrote:<o:p></o:p></div>
</div><p class="MsoNormal" style="margin: 0in 0in
12pt; font-size: 12pt;
font-family: 'Times New
Roman', serif; ">
<o:p> </o:p></p>
<div>
<div>
<div style="margin:
0in 0in 0.0001pt;
font-size: 12pt;
font-family: 'Times
New Roman', serif; ">
<span style="font-size:
11pt; font-family:
Calibri,
sans-serif; color:
rgb(31, 73, 125);
">I’m not seeing
how you are
dealing with
duplicate nonces
as this can be a
scaling issue when
dealing with
millions of
requests, the
nonces need better
advice</span><o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in 0.0001pt;
font-size: 12pt;
font-family: 'Times
New Roman', serif; ">
<a moz-do-not-send="true" name="14252bf9530978a2_14208dc46cdfd917__MailE"><span style="font-size:
11pt;
font-family:
Calibri,
sans-serif;
color: rgb(31,
73, 125); "> </span></a><o:p></o:p></div>
</div>
<div>
<div style="border-style:
solid none none;
border-top-width:
1pt;
border-top-color:
rgb(225, 225, 225);
padding: 3pt 0in
0in; ">
<div style="margin:
0in 0in 0.0001pt;
font-size: 12pt;
font-family:
'Times New Roman',
serif; ">
<b><span style="font-size:
11pt;
font-family:
Calibri,
sans-serif; ">From:</span></b><span style="font-size:
11pt;
font-family:
Calibri,
sans-serif; "> <a moz-do-not-send="true" href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank" style="color: purple; text-decoration: underline; ">openid-specs-ab-bounces@lists.openid.net</a><span class="Apple-converted-space"> </span>[<a moz-do-not-send="true" href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank" style="color: purple; text-decoration: underline; ">mailto:openid-specs-ab-bounces@lists.openid.net</a>] <b>On
Behalf Of </b>John
Bradley<br>
<b>Sent:</b> Tuesday,
October 29, 2013
7:33 PM<br>
<b>To:</b> Mike
Jones<br>
<b>Cc:</b> <a moz-do-not-send="true" href="mailto:openid-specs-ab@lists.openid.net" target="_blank" style="color:
purple;
text-decoration:
underline; ">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> Re:
[Openid-specs-ab]
Nonce value
suggestion for
the Implicit
Flow</span><o:p></o:p></div>
</div>
</div>
<div>
<div style="margin:
0in 0in 0.0001pt;
font-size: 12pt;
font-family: 'Times
New Roman', serif; ">
<o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in 0.0001pt;
font-size: 12pt;
font-family: 'Times
New Roman', serif; ">
You want to store
the random value and
send the hash.
Saving the hash is
not secure unless it
is signed. <o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in 0.0001pt;
font-size: 12pt;
font-family: 'Times
New Roman', serif; ">
<o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in 0.0001pt;
font-size: 12pt;
font-family: 'Times
New Roman', serif; ">
The idea is to force
an attacker to
compute a plaintext
for the hash (hard
to impossible
depending on length)
in order to be able
to present the
response from the
AS.<o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in 0.0001pt;
font-size: 12pt;
font-family: 'Times
New Roman', serif; ">
<o:p></o:p></div>
</div>
<div>
<blockquote style="margin-top:
5pt; margin-bottom:
5pt; ">
<div style="margin:
0in 0in 0.0001pt;
font-size: 12pt;
font-family:
'Times New Roman',
serif; ">
<span style="font-size:
11pt;
font-family:
Calibri,
sans-serif;
color: rgb(31,
73, 125); ">For
case 1: The
Client can
generate a
random value
with sufficient
entropy and
store that value
in local
storage. This
value is then
hashed to
produce a nonce
value. The
hashed value
could
optionally be
truncated to a
sufficient
number of bits
(such as 128)
before use. </span><o:p></o:p></div>
</blockquote>
<div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size: 12pt;
font-family:
'Times New
Roman', serif; ">
On Oct 29, 2013,
at 9:40 PM, Mike
Jones <<a moz-do-not-send="true" href="mailto:Michael.Jones@microsoft.com" target="_blank" style="color:
purple;
text-decoration:
underline; "><span style="color:
purple; ">Michael.Jones@microsoft.com</span></a>>
wrote:<o:p></o:p></div>
</div>
<div><p class="MsoNormal" style="margin:
0in 0in 12pt;
font-size: 12pt;
font-family:
'Times New
Roman', serif; ">
<o:p></o:p></p>
</div>
<blockquote style="margin-top:
5pt;
margin-bottom:
5pt; ">
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<span style="font-size:
11pt;
font-family:
Calibri,
sans-serif;
color: rgb(31,
73, 125); ">Here’s
an attempt at
simplifying
George’s text.</span><o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<span style="font-size:
11pt;
font-family:
Calibri,
sans-serif;
color: rgb(31,
73, 125); ">For
case 1: The
Client can
generate a
random value
with
sufficient
entropy and
store a
cryptographic
hash (such as
SHA-256) of
that value in
local
storage. The
hashed value
could
optionally be
truncated to a
sufficient
number of bits
(such as 128)
before use.
The stored
value is used
as the nonce
value.</span><o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<span style="font-size:
11pt;
font-family:
Calibri,
sans-serif;
color: rgb(31,
73, 125); ">For
case 2: The
Client can
generate a
random value
with
sufficient
entropy and
store that
value as an
HttpOnly
session
cookie. A
cryptographic
hash (such as
SHA-256) of
the cookie
value (or a
truncation of
the hash value
to a
sufficient
number of
bits) is used
as the nonce
value.</span><o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<span style="font-size:
11pt;
font-family:
Calibri,
sans-serif;
color: rgb(31,
73, 125); "> </span><o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<span style="font-size:
11pt;
font-family:
Calibri,
sans-serif;
color: rgb(31,
73, 125); ">Am
I correct that
the
cryptographic
hash function
is used to
spread the
entropy
present in the
random value
generated
throughout the
nonce value in
both cases?</span><o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<span style="font-size:
11pt;
font-family:
Calibri,
sans-serif;
color: rgb(31,
73, 125); "> </span><o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<span style="font-size:
11pt;
font-family:
Calibri,
sans-serif;
color: rgb(31,
73, 125); ">Comments?</span><o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<span style="font-size:
11pt;
font-family:
Calibri,
sans-serif;
color: rgb(31,
73, 125); "> </span><o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<span style="font-size:
11pt;
font-family:
Calibri,
sans-serif;
color: rgb(31,
73, 125); ">
-- Mike</span><o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<span style="font-size:
11pt;
font-family:
Calibri,
sans-serif;
color: rgb(31,
73, 125); "> </span><o:p></o:p></div>
</div>
<div>
<div style="border-style:
solid none
none;
border-top-width:
1pt;
border-top-color:
rgb(181, 196,
223); padding:
3pt 0in 0in; ">
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<b><span style="font-size:
10pt;
font-family:
Tahoma,
sans-serif; ">From:</span></b><span style="font-size:
10pt;
font-family:
Tahoma,
sans-serif; "> Richer,
Justin P. [<a moz-do-not-send="true" href="mailto:jricher@mitre.org" target="_blank" style="color:
purple;
text-decoration:
underline; "><span style="color:
purple; ">mailto:jricher@mitre.org</span></a>] <br>
<b>Sent:</b> Saturday,
October 26,
2013 11:33 AM<br>
<b>To:</b> George
Fletcher<br>
<b>Cc:</b> John
Bradley; Mike
Jones; <a moz-do-not-send="true" href="mailto:openid-specs-ab@lists.openid.net" target="_blank" style="color:
purple;
text-decoration:
underline; "><span style="color:
purple; ">openid-specs-ab@lists.openid.net</span></a><br>
<b>Subject:</b> Re:
[Openid-specs-ab]
Nonce value
suggestion for
the Implicit
Flow</span><o:p></o:p></div>
</div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<o:p></o:p></div>
</div>
<blockquote style="margin-top:
5pt;
margin-bottom:
5pt; ">
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<span style="font-family:
Helvetica,
sans-serif; ">I
don't know
where the best
place is to
provide this
guidance. If
we have a
"validating
the ID Token"
sub-section in
the new ID
Token section,
then maybe it
would best fit
there.</span><o:p></o:p></div>
</blockquote>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
+1 to this
idea with a
cross link
from the nonce
definition.<o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
-- Justin<o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<o:p></o:p></div>
</div>
<div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
On Oct 25,
2013, at 6:17
AM, George
Fletcher <<a moz-do-not-send="true" href="mailto:gffletch@aol.com" target="_blank" style="color:
purple;
text-decoration:
underline; "><span style="color:
purple; ">gffletch@aol.com</span></a>>
wrote:<o:p></o:p></div>
</div>
<div><p class="MsoNormal" style="margin:
0in 0in 12pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<o:p> </o:p></p>
</div>
<div><p class="MsoNormal" style="margin:
0in 0in 12pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<span style="font-family:
Helvetica,
sans-serif; ">If
we are going
to give
guidance, then
we really need
to give
guidance for
two different
use cases...<br>
<br>
1. The
"client" will
validate the
response
locally in the
browser<br>
2. The
"client" will
validate the
response at
its server
(even though
it's using the
implicit flow)<br>
<br>
For use case
1: One method
to achieve
this is for
the client to
generate a
random string
with
sufficient
entropy and
store a SHA-1
hash of the
string in
local storage.
Then use the
SHA-1 hash of
the random
string as the
value of the
nonce
parameter. To
validate the
nonce on
receipt of the
ID Token,
extract the
nonce from the
ID Token and
compare it to
the stored
SHA-1 hash in
local storage.<br>
<br>
For use case
2: One method
to achieve
this is for
the backend
server to use
a SHA-1 hash
of the
"clients"
protected
session cookie
as the value
of the nonce
parameter when
constructing
the
AuthorizationRequest.
Note that the
Session cookie
SHOULD be
protected
(restricted to
SSL and not
readable by
JavaScript)
for this
method. To
validate the
ID Token at
the server,
the server
calculates a
SHA-1 hash of
the Session
cookie value
and compares
that to the
nonce value in
the ID Token.<br>
<br>
I don't know
where the best
place is to
provide this
guidance. If
we have a
"validating
the ID Token"
sub-section in
the new ID
Token section,
then maybe it
would best fit
there.<br>
<br>
Thanks,<br>
George</span><o:p></o:p></p>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
On 10/24/13
7:16 PM, John
Bradley wrote:<o:p></o:p></div>
</div>
<blockquote style="margin-top:
5pt;
margin-bottom:
5pt; ">
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
We want the
implicit flow
to validate
nonce; it
would be
better to have
some
reasonable
advice for
using HTML
local storage
rather than
session
cookies.<o:p></o:p></div>
</div>
<div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<o:p></o:p></div>
</div>
<div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
On 2013-10-24,
at 3:44 PM,
Mike Jones
<<a moz-do-not-send="true" href="mailto:Michael.Jones@microsoft.com" target="_blank" style="color:
purple;
text-decoration:
underline; "><span style="color:
purple; ">Michael.Jones@microsoft.com</span></a>>
wrote:<o:p></o:p></div>
</div>
<div><p class="MsoNormal" style="margin:
0in 0in 12pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<o:p> </o:p></p>
</div>
<div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<span style="font-size:
11pt;
font-family:
Calibri,
sans-serif;
color: rgb(31,
73, 125); ">We
could drop it
from the
Implicit Flow,
as it’s
already
present in the
Code Flow.
Does that work
for people?</span><o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<span style="font-size:
11pt;
font-family:
Calibri,
sans-serif;
color: rgb(31,
73, 125); "> </span><o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<span style="font-size:
11pt;
font-family:
Calibri,
sans-serif;
color: rgb(31,
73, 125); ">
-- Mike</span><o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<span style="font-size:
11pt;
font-family:
Calibri,
sans-serif;
color: rgb(31,
73, 125); "> </span><o:p></o:p></div>
</div>
<div>
<div style="border-style:
solid none
none;
border-top-width:
1pt;
border-top-color:
rgb(181, 196,
223); padding:
3pt 0in 0in; ">
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<b><span style="font-size:
10pt;
font-family:
Tahoma,
sans-serif; ">From:</span></b><span style="font-size:
10pt;
font-family:
Tahoma,
sans-serif; "> Richer,
Justin P. [<a moz-do-not-send="true" href="mailto:jricher@mitre.org" target="_blank" style="color:
purple;
text-decoration:
underline; "><span style="color:
purple; ">mailto:jricher@mitre.org</span></a>] <br>
<b>Sent:</b> Thursday,
October 24,
2013 12:56 PM<br>
<b>To:</b> Mike
Jones<br>
<b>Cc:</b> <a moz-do-not-send="true" href="mailto:openid-specs-ab@lists.openid.net" target="_blank" style="color:
purple;
text-decoration:
underline; "><span style="color:
purple; ">openid-specs-ab@lists.openid.net</span></a><br>
<b>Subject:</b> Re:
[Openid-specs-ab]
Nonce value
suggestion for
the Implicit
Flow</span><o:p></o:p></div>
</div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
I'm actually
in favor of
dropping this
example, or
else providing
it in a list
of
alternatives.
The important
thing is that
the client can
validate the
exact value of
the nonce
parameter on
its way back
through, the
mechanics of
how that
happens are
client
specific (but
we can provide
simple
guidance).<o:p></o:p></div>
</div>
<div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
-- Justin<o:p></o:p></div>
</div>
<div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<o:p></o:p></div>
</div>
<div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
On Oct 24,
2013, at 11:44
AM, Mike Jones
<<a moz-do-not-send="true" href="mailto:Michael.Jones@microsoft.com" target="_blank" style="color:
purple;
text-decoration:
underline; "><span style="color:
purple; ">Michael.Jones@microsoft.com</span></a>><o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
wrote:<o:p></o:p></div>
</div>
<div><p class="MsoNormal" style="margin:
0in 0in 12pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<br>
<br>
<o:p></o:p></p>
</div>
<div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<span style="font-size:
11pt;
font-family:
Calibri,
sans-serif; ">For
the Implicit
Flow, the
“nonce”
description
contains this
text at<a moz-do-not-send="true" href="http://openid.bitbucket.org/openid-connect-core-1_0.html#ImplicitAuthorizationRequest" target="_blank" style="color: purple; text-decoration: underline; "><span style="color:
purple; ">http://openid.bitbucket.org/openid-connect-core-1_0.html#ImplicitAuthorizationRequest</span></a>:</span><o:p></o:p></div>
</div>
<div style="margin-left:
0.5in; ">
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<span style="font-size: 11pt; font-family: Verdana, sans-serif; " lang="EN">Sufficient entropy MUST be present in the </span><tt style="font-family: 'Courier New'; "><span style="font-size: 10pt; color: rgb(0, 51, 102); " lang="EN">nonce</span></tt><span style="font-size: 11pt; font-family: Verdana, sans-serif; " lang="EN"> values used to prevent attackers from guessing values. <span style="background-color: yellow; background-position: initial initial; background-repeat: initial initial; ">One method to achieve this is to store a random value as a signed session cookie, and pass the value in the </span></span><tt style="font-family: 'Courier New'; "><span style="font-size: 10pt; color: rgb(0, 51, 102); background-color: yellow; background-position: initial initial; background-repeat: initial initial; " lang="EN">nonce</span></tt><span style="font-size: 11pt; font-family: Verdana, sans-serif; background-color: yellow; background-position: initial initial; background-repeat: initial initial; " lang="EN"> parameter. In that case, the </span><tt style="font-family: 'Courier New'; "><span style="font-size: 10pt; color: rgb(0, 51, 102); background-color: yellow; background-position: initial initial; background-repeat: initial initial; " lang="EN">nonce</span></tt><span style="font-size: 11pt; font-family: Verdana, sans-serif; background-color: yellow; background-position: initial initial; background-repeat: initial initial; " lang="EN"> in the returned ID Token can be compared to the signed session cookie to detect ID Token replay by third parties.</span><o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<span style="font-size:
11pt;
font-family:
Calibri,
sans-serif; "> </span><o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">George wrote this about the suggestion in his review:</span><o:p></o:p></div>
</div>
<div style="margin-left:
0.5in; ">
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">“I'm not sure this suggestion makes sense for the implicit flow. The client would need to write a cookie value on the domain of the redirect_uri and then attempt to read it on the return of the implicit flow. Wondering if a local storage example would make more sense.”</span><o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<span style="font-size:
11pt;
font-family:
Calibri,
sans-serif; "> </span><o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<span style="font-size: 11pt; font-family: Calibri, sans-serif; ">Do people agree with him? If so, does someone want to supply specific alternative text to use?</span><o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<span style="font-size:
11pt;
font-family:
Calibri,
sans-serif; "> </span><o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<span style="font-size:
11pt;
font-family:
Calibri,
sans-serif; ">
-- Mike</span><o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<span style="font-size:
11pt;
font-family:
Calibri,
sans-serif; "> </span><o:p></o:p></div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<span style="font-size:
13.5pt;
font-family:
Helvetica,
sans-serif; ">_______________________________________________<br>
Openid-specs-ab
mailing list<br>
<a moz-do-not-send="true" href="mailto:Openid-specs-ab@lists.openid.net" target="_blank" style="color:
purple;
text-decoration:
underline; "><span style="color:
purple; ">Openid-specs-ab@lists.openid.net</span></a><br>
<a moz-do-not-send="true" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank" style="color:
purple;
text-decoration:
underline; "><span style="color:
purple; ">http://lists.openid.net/mailman/listinfo/openid-specs-ab</span></a></span><o:p></o:p></div>
</div>
</div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<o:p></o:p></div>
</div>
</div>
</div>
</div>
</div>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<o:p></o:p></div>
</div>
</div>
<div><p class="MsoNormal" style="margin:
0in 0in 12pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<br>
<br>
<o:p></o:p></p>
</div>
</blockquote>
<div>
<div style="margin:
0in 0in
0.0001pt;
font-size:
12pt;
font-family:
'Times New
Roman', serif;
">
<o:p></o:p></div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
<div style="margin: 0in 0in
0.0001pt; font-size: 12pt;
font-family: 'Times New
Roman', serif; ">
<o:p></o:p></div>
</div>
</div>
</div>
</div>
<div style="margin: 0in 0in
0.0001pt; font-size: 12pt;
font-family: 'Times New Roman',
serif; ">
<o:p></o:p></div>
</div>
</div>
<div style="margin: 0in 0in 0.0001pt;
font-size: 12pt; font-family: 'Times
New Roman', serif; ">
<br>
<br>
<o:p></o:p></div>
</blockquote>
<div style="margin: 0in 0in 0.0001pt;
font-size: 12pt; font-family: 'Times New
Roman', serif; ">
<o:p> </o:p></div>
</div>
</div>
</div>
<div style="margin: 0in 0in 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif; ">
<o:p> </o:p></div>
</div>
</div>
<div style="margin: 0in 0in 0.0001pt; font-size:
12pt; font-family: 'Times New Roman', serif; ">
<o:p> </o:p></div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
</div>
</blockquote></div><br></div></body></html>