<html xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<title>Re: Problem with nonces and HTTP GET</title>
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>+1 Allen, here’s what I get on HuffPo, not very compelling and
probably a trigger to “Cancel” to most users. We need to fix this ASAP!<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><img width=562 height=157 id="Picture_x0020_2"
src="cid:image001.png@01CA9B52.06B74CA0"></span><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#0033CC'>Cheers,<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#0033CC'><br>
Brian<o:p></o:p></span></p>
<p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#0033CC'>___________</span></b><span style='font-size:11.0pt;font-family:
"Calibri","sans-serif";color:#0033CC'><o:p></o:p></span></p>
<p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#0033CC'><o:p> </o:p></span></b></p>
<p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#0033CC'><a href="http://www.linkedin.com/pub/0/10/254"><span
style='color:#0033CC'>Brian Kissel</span></a><o:p></o:p></span></b></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#0033CC'>CEO - JanRain, Inc.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#0033CC'>bkissel@janrain.com<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#0033CC'>Mobile: </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#0033CC'>503.342.2668 </span><span style='font-size:11.0pt;font-family:
"Calibri","sans-serif";color:#0033CC'>| Fax: </span><span style='font-size:
11.0pt;font-family:"Calibri","sans-serif";color:#0033CC'>503.296.5502<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#0033CC'>519 SW 3rd Ave. Suite 600 Portland, OR 97204<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#0033CC'><o:p> </o:p></span></p>
<p class=MsoNormal><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#0033CC'>Increase registrations, engage users, and grow your brand with
RPX. Learn more at </span></i></b><b><i><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:red'><a href="http://www.rpxnow.com/"><span
style='color:red'>www.rpxnow.com</span></a><o:p></o:p></span></i></b></p>
</div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
openid-specs-bounces@lists.openid.net
[mailto:openid-specs-bounces@lists.openid.net] <b>On Behalf Of </b>Allen Tom<br>
<b>Sent:</b> Friday, January 22, 2010 10:43 AM<br>
<b>To:</b> Andrew Arnott; John Bradley; Breno de Medeiros; specs<br>
<b>Subject:</b> Re: Problem with nonces and HTTP GET<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif"'>The SSL security warning is a really
terrible UX, and I agree that it doesn’t make sense to warn on POST but not on
GET.<br>
<br>
Yahoo is running into the 2KB limit (and the associated SSL warning) with
alarming frequency and it’s really hurting OpenID relative to the proprietary
SSO solutions. <br>
<br>
For a real live example of how the giant AX names are hurting OpenID, see <a
href="http://www.huffingtonpost.com">http://www.huffingtonpost.com</a> – click
on the Login link, then the “Connect with Yahoo” button. This kicks off the
Hybrid OpenID+OAuth+AX flow which requires a POST response – forcing the user
to click through a security warning to complete the sign-in flow. The
non-OpenID SSO choices (Facebook/Twitter/GFC) do not have this issue.<br>
<br>
With regards to changing browsers to not display SSL warnings for POST, or
relying on smart OpenID clients – we really need a solution right now, since
the proprietary alternatives are rapidly being adopted.<br>
<br>
WRT the nonce – I think it would make more sense for RPs to just check the
timestamp, and allow replay for a “narrow” window, like 10 minutes. There are
many legitimate reasons why a request could be replayed – intermediate proxy
servers might do weird things, the user might hit reload/back/forward etc.<br>
<br>
Allen<br>
<br>
<br>
On 1/22/10 10:06 AM, "Andrew Arnott" <<a
href="mailto:andrewarnott@gmail.com">andrewarnott@gmail.com</a>> wrote:</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Ideally
we could use POST, but avoid the browser warning that information is crossing
the SSL world into the non-SSL world. This might be arguable anyway since
sending information can be done with GET or POST, so why warn for POST and not
for GET? If we can get browsers to not warn for POST we're gold.<br>
<br>
Alternatively, and perhaps more likely, if we're moving in the direction of
smart client browser (plugins), and these have been shown to benefit from
extensions to the OpenID spec, perhaps we can leverage these to always use POST
without displaying the warning to the user somehow. <br>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre<br>
<br>
<br>
On Fri, Jan 22, 2010 at 9:14 AM, John Bradley <<a
href="mailto:john.bradley@wingaa.com">john.bradley@wingaa.com</a>> wrote:</span><o:p></o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif"'>The big problem with POST is RPs that use
non-SSL endpoints. <br>
<br>
One possibility is that the IdP could look at the return_to and discover if it
is safe to use POST.<br>
<br>
In SAML SSO, POST is the most common way to return the token. <br>
<br>
The other option is artifact binding. That way the nonce is not in the
GET, though you probably wind up with the same effect if the RP tries to
resolve the artifact more than once.<br>
<br>
John B.<br>
On 2010-01-22, at 12:39 PM, Andrew Arnott wrote:</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>HTTP
GET is supposed to be completely effect-free on the server. But nonces in
OpenID messages violate that aspect of the HTTP spec, since any subsequent GET
with the same positive assertion will (or should) fail. I speculate that
some random login failures on StackOverflow <<a
href="http://meta.stackoverflow.com/questions/32247/cant-login-to-so-with-openid-the-signature-verification-failed/36583#36583">http://meta.stackoverflow.com/questions/32247/cant-login-to-so-with-openid-the-signature-verification-failed/36583#36583</a>>
may be caused because a browser, an accelerator plugin, or a proxy
attempted to repeat the assertion-carrying GET request (since that's supposed
to be safe), and a subsequent request is the one whose response is displayed in
the browser, failing user login.<br>
<br>
POST is a better fit with the HTTP spec for how the message is actually
processed on the server. I know lately we've been looking for ways to
cram more data into < 2KB payloads so we can get off POST and onto GET since
the user experience is better. But I wonder if we can put our heads
together and figure out how to have our cake and eat it too with this nonce
problem. This error doesn't come up often, but it can come up, apparently
does come up, and is a natural side-effect of the way OpenID communicates.<br>
<br>
Any ideas?<br>
<br>
--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre<br>
_______________________________________________<br>
specs mailing list<br>
<a href="mailto:specs@lists.openid.net">specs@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs">http://lists.openid.net/mailman/listinfo/openid-specs</a></span><o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p>
<div class=MsoNormal align=center style='text-align:center'><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>
<hr size=3 width="95%" align=center>
</span></div>
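<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Added example (not code from this thread or from any OpenID library): a relying-party nonce check in the spirit of Allen's "narrow window" suggestion, applied to the repeated-GET failure Andrew describes. It goes one step beyond the proposal: a repeat of the same assertion from the session that first consumed it (reload, back/forward, a proxy retrying the GET) is accepted again inside the window, while the same nonce presented from any other session is still rejected, so the nonce keeps its anti-replay value. The NonceStore class, session ids and OP endpoint are constructed for the example; the nonce format is the OpenID 2.0 response_nonce (RFC 3339 UTC timestamp plus a unique suffix).</span></p>

```python
import re
from datetime import datetime, timedelta, timezone

# OpenID 2.0 response_nonce: UTC timestamp in RFC 3339 form ("YYYY-MM-DDThh:mm:ssZ")
# followed by up to 255 printable ASCII characters that make it unique.
NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)([\x21-\x7e]{0,255})$")


class NonceStore:
    """Hypothetical RP-side nonce store (constructed for this example).

    Each nonce is remembered, per OP endpoint, together with the session that
    first consumed it.  Inside the acceptance window the same session may
    present the same assertion again (browser or proxy re-sent the GET) and
    gets "accept (repeat)"; any other session presenting that nonce is refused.
    """

    def __init__(self, window=timedelta(minutes=10)):
        self.window = window
        self.seen = {}  # (op_endpoint, nonce) -> (session_id, first_seen)

    def _purge(self, now):
        # Entries older than the window can never be accepted again, so drop
        # them; the timestamp check below rejects them anyway.
        for key, (_, first_seen) in list(self.seen.items()):
            if now - first_seen > self.window:
                del self.seen[key]

    def check(self, op_endpoint, nonce, session_id, now):
        m = NONCE_RE.match(nonce)
        if not m:
            return "reject: malformed nonce"
        issued = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        issued = issued.replace(tzinfo=timezone.utc)
        # Freshness: the OP's timestamp must lie within the window of our clock.
        if abs(now - issued) > self.window:
            return "reject: stale nonce"
        self._purge(now)
        key = (op_endpoint, nonce)
        if key in self.seen:
            owner, _ = self.seen[key]
            if owner == session_id:
                return "accept (repeat)"   # same browser session re-sent the GET
            return "reject: replayed nonce"  # assertion reused from elsewhere
        self.seen[key] = (session_id, now)
        return "accept"
```

The window is the only replay exposure that remains, and it is no wider than the plain timestamp-only scheme proposed in the thread; a captured assertion presented from a different session is refused even inside it.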
</div>
</body>
</html>