Problem with nonces and HTTP GET
Andrew Arnott
andrewarnott at gmail.com
Wed Jan 27 23:57:12 UTC 2010
On Wed, Jan 27, 2010 at 3:28 PM, John Bradley <john.bradley at wingaa.com> wrote:
> Changing openID to support artifact binding is a good long term solution.
> Though it is not without issues.
>
> If RP's used SSL endpoints POST would not be an issue. (Yes artifact is
> better for mobile)
>
> In the short term we can shorten AX URI, and get RP to use SSL.
>
> The other alternative is to ban IE because it is the source of the 2K limit
> for GET.
> Not a problem for FF or other browsers.
>
John,
Remember the argument I'm making is not "how do we get GET to work better"
but "how do we stop using GET and switch to POST", since that will alleviate
the nonce reuse problem. Coming up with craftier ways of using GET is
moving in the wrong direction IMO. I'd like to see OpenID move to an
all-POST protocol, and solve the HTTP-HTTPS boundary problem.
Even with artifact binding moving the nonce outside the browser redirect
URL, if only one GET is allowed because the artifact is a usable-once-only
token, then it's not a GET--it's a POST by HTTP definition.
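As an added illustration of the nonce-reuse problem Andrew describes (example code written for this page, not from the OpenID specs or any implementation mentioned in the thread): a minimal RP-side use-once check on the OpenID 2.0 response_nonce, run against a constructed return_to URL that is delivered twice as a GET, the way a browser refresh, back button or link prefetch re-issues it. The endpoint URLs and nonce value are made up, and signature verification is left out.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# OpenID 2.0 response_nonce: an RFC 3339 UTC timestamp followed by
# optional ASCII that makes the value unique to one assertion.
NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)(.*)$")


class NonceStore:
    """RP-side use-once store: (op_endpoint, response_nonce) is accepted exactly once."""

    def __init__(self, max_skew=timedelta(minutes=5)):
        self.max_skew = max_skew   # tolerated clock drift between OP and RP
        self.seen = set()

    def accept(self, op_endpoint, nonce, now):
        m = NONCE_RE.match(nonce)
        if not m:
            return "malformed"
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if abs(now - ts) > self.max_skew:
            return "stale"           # outside the window, do not even record it
        key = (op_endpoint, nonce)
        if key in self.seen:
            return "replay"          # the check that fires on a re-issued GET
        self.seen.add(key)
        return "ok"


def handle_return_to(store, url, now):
    """Process one indirect response that arrived at return_to as a GET."""
    q = parse_qs(urlsplit(url).query)
    return store.accept(q["openid.op_endpoint"][0], q["openid.response_nonce"][0], now)


# Constructed sample assertion (hypothetical RP and OP hosts).
SAMPLE_URL = ("https://rp.example/return?openid.mode=id_res"
              "&openid.op_endpoint=https%3A%2F%2Fop.example%2Fserver"
              "&openid.response_nonce=2010-01-27T23%3A57%3A12ZabcDEF123")


def simulate_refresh():
    """Same GET delivered twice: first accepted, second rejected as a replay."""
    store = NonceStore()
    now = datetime(2010, 1, 27, 23, 57, 30, tzinfo=timezone.utc)
    first = handle_return_to(store, SAMPLE_URL, now)
    second = handle_return_to(store, SAMPLE_URL, now + timedelta(seconds=5))
    return first, second
```

The second result is the "nonce reuse" failure a user sees after refreshing the return_to page, which is what makes a use-once token on a GET a non-idempotent request in practice.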