Problem with nonces and HTTP GET
Nat Sakimura
n-sakimura at nri.co.jp
Thu Jan 28 11:02:03 UTC 2010
(2010/01/28 16:21), Allen Tom wrote:
> Hi all -
>
> Before I get started -- I agree that in an ideal world, we'd have full
> end to end SSL, old browsers would be banned, and we'd POST data.
>
> However, requiring RPs to support SSL isn't going to help adoption and
> is a deal breaker for most applications that want to use OpenID today.
> Encouraging RPs to use SSL is a great idea -- but it should not be
> required.
>
> Although most browsers can support URLs > 2KB, some proxy servers
> choke on URLs > 2KB. This is not fun to debug.
I'll add one more thing here: many mobile browsers choke.
>
> In practice, enforcing the nonce only gives the illusion of additional
> security. If there's a MITM, instead of replaying (or pre-playing) the
> assertion, the attacker will just steal the browser cookies instead.
> Assertions should have a limited lifetime -- but this can be enforced
> by checking the timestamp and allowing for a narrow replay window.
>
> POST is technically the ideal solution, but results in a degraded UX.
> The proprietary market leaders have set the bar very high and we need
> to offer an open alternative that is just as good, if not better. We
> really aren't going to get anywhere with a clunky UX. POST adds
> additional latency, and can cause strange warnings and a blank
> interstitial (the self submitting form).
>
> I really would like to be able to return an assertion using AX with a
> lot of attributes, and Hybrid that can fit within the 2KB limit. This
> is needed just to reach parity with the proprietary stuff.
Artifact Binding :-) Our implementation is returning (for experimental
purposes) an assertion that is well over 5MB with AX.
=nat
>
> Allen
>
>
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs
>
--
Nat Sakimura (n-sakimura at nri.co.jp)
Nomura Research Institute, Ltd.
Tel:+81-3-6274-1412 Fax:+81-3-6274-1547
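The timestamp-plus-narrow-replay-window check Allen describes above, as an added example that is not code from this thread or from any OpenID library. It assumes the OpenID 2.0 response_nonce layout (a UTC timestamp "YYYY-MM-DDThh:mm:ssZ" followed by up to 255 printable ASCII characters), and the window, skew and sample nonces are constructed values chosen for illustration:

```python
"""Replay-window verification for an OpenID 2.0 style response nonce.

Added example, not code from the mailing-list thread or from any OpenID
implementation. Assumed nonce format (OpenID 2.0): a UTC timestamp
"YYYY-MM-DDThh:mm:ssZ" followed by up to 255 printable ASCII characters
that make the value unique.
"""
import re
from datetime import datetime, timedelta, timezone

# Timestamp prefix, then the uniqueness suffix (printable ASCII, no spaces).
NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)([\x21-\x7e]{0,255})$")


def parse_nonce_timestamp(nonce):
    """Return the UTC datetime carried by the nonce, or None if malformed."""
    m = NONCE_RE.match(nonce)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class NonceStore:
    """Accepts each nonce once, and only while its timestamp is inside the window.

    window_seconds: how far in the past a nonce may be and still be accepted.
    skew_seconds:   tolerated clock skew for nonces slightly in the future.
    Nonces older than the window are pruned, so the store stays bounded.
    """

    def __init__(self, window_seconds=300, skew_seconds=60):
        self.window = timedelta(seconds=window_seconds)
        self.skew = timedelta(seconds=skew_seconds)
        self._seen = {}  # nonce -> timestamp it carries

    def _prune(self, now):
        cutoff = now - self.window
        for n, ts in list(self._seen.items()):
            if ts < cutoff:
                del self._seen[n]

    def check(self, nonce, now):
        """Return (accepted, reason). Order matters: reject stale or future
        timestamps before consulting the seen-set, so expired values never
        take up space in it."""
        ts = parse_nonce_timestamp(nonce)
        if ts is None:
            return False, "malformed"
        if ts < now - self.window:
            return False, "expired"
        if ts > now + self.skew:
            return False, "future"
        self._prune(now)
        if nonce in self._seen:
            return False, "replayed"
        self._seen[nonce] = ts
        return True, "ok"


def demo():
    """Run constructed nonces through one store at a fixed 'now' (constructed
    to match the date of this thread) and return the verdict reasons."""
    store = NonceStore(window_seconds=300, skew_seconds=60)
    now = datetime(2010, 1, 28, 11, 2, 3, tzinfo=timezone.utc)
    samples = [
        "2010-01-28T11:00:00Zabc123",  # fresh, first use -> ok
        "2010-01-28T11:00:00Zabc123",  # same value again -> replayed
        "2010-01-28T10:50:00Zxyz",     # 12 minutes old -> expired
        "2010-01-28T11:05:00Zxyz",     # ~3 minutes ahead -> future
        "not a nonce",                 # -> malformed
    ]
    return [store.check(n, now)[1] for n in samples]


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

The window is what bounds an assertion's lifetime; the seen-set is what stops a second use inside that window, which is the part a timestamp check alone cannot give you. Keep the window short, because the seen-set only has to hold nonces that are still inside it.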