Problem with nonces and HTTP GET
John Bradley
john.bradley at wingaa.com
Thu Jan 28 01:18:40 UTC 2010
The requirement is to prevent replay of a token.
If it can be done without a nonce that is OK, but the requirement remains.
SSL on its own will not solve the replay problem.
John B.
On 2010-01-27, at 9:45 PM, Breno de Medeiros wrote:
> On Wed, Jan 27, 2010 at 16:40, Andrew Arnott <andrewarnott at gmail.com> wrote:
>> Absolutely. In fact, if part of a solution to any problem is to get all
>> parties on SSL, then nonces can just go away -- am I right?
>
> Yes, if we could assume SSL support at the RP we could do away with
> nonces and use secure cookies. Nonces are a pain and just wrong for
> web protocols.
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs