<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>RE: [PROPOSAL] request nonce and name</TITLE>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.2873" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=932080522-02102006><FONT face=Arial
color=#0000ff size=2>+1. </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=932080522-02102006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=932080522-02102006><FONT face=Arial
color=#0000ff size=2>A nonce may make a good ID, but all IDs do not make good
nonces. </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=932080522-02102006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=932080522-02102006><FONT face=Arial
color=#0000ff size=2>Clarity is good so naming ideas that extend clarity are
good. </FONT></SPAN></DIV><BR>
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> specs-bounces@openid.net
[mailto:specs-bounces@openid.net] <B>On Behalf Of </B>Recordon,
David<BR><B>Sent:</B> Sunday, October 01, 2006 12:28 AM<BR><B>To:</B> Dick
Hardt; specs@openid.net<BR><B>Subject:</B> RE: [PROPOSAL] request nonce and
name<BR></FONT><BR></DIV>
<DIV></DIV><!-- Converted from text/plain format -->
<P><FONT size=2>I don't inherently see a problem with this, though it can't be
required since relying parties may not be able to keep state.<BR><BR>I'd vote
for openid.request_nonce and openid.response_nonce just in making it clear
what they actually are.  I'm fine linking people off to Wikipedia (<A
href="http://en.wikipedia.org/wiki/Cryptographic_nonce">http://en.wikipedia.org/wiki/Cryptographic_nonce</A>),
but that's just me.<BR><BR>In any case, even if a request nonce isn't added,
I’d like to see openid.nonce renamed to
openid.response_nonce.<BR><BR>--David<BR><BR><BR>-----Original
Message-----<BR>From: specs-bounces@openid.net on behalf of Dick
Hardt<BR>Sent: Sat 9/30/2006 4:57 PM<BR>To: specs@openid.net<BR>Subject:
[PROPOSAL] request nonce and name<BR><BR>Motivating Use
Case<BR>----------------------------<BR>It is useful for an RP to know that a
response to a request has <BR>already been processed and is not
stale.<BR>A standard way to do this that can be incorporated into the
Libraries <BR>would simplify things for the RP
implementor<BR><BR><BR>Proposed
Implementation<BR>-----------------------------------<BR>1) Allow the RP to
OPTIONALLY include a nonce in the request. The <BR>nonce would be of the
same format as the nonce in the response from <BR>the IdP. The IdP will
include the nonce from the RP in its response.<BR><BR>2) rename openid.nonce
to openid.response_id and name the request <BR>nonce
openid.request_id<BR><BR>Alternate: call them openid.response_stamp and
openid.request_stamp<BR><BR>naming comments:<BR>+ openid.nonce is not in use
at this time, so easy to rename<BR>+ id or stamp may make more sense to the
average developer (mainly <BR>crypto and security people know what a
nonce is, I have to explain to <BR>most
developers)<BR><BR><BR></FONT></P></BLOCKQUOTE></BODY></HTML>