<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
(2010/01/28 14:41), Andrew Arnott wrote:
<blockquote
cite="mid:216e54901001272141w2266e14ayc3abbba53f232dbf@mail.gmail.com"
type="cite">John,
<div><br>
</div>
<div>Can you help me understand the risk of a replay if SSL protected
the message such that you have very high confidence that the only
person who could be replaying it is the person who should be able to
log in anyway?</div>
</blockquote>
The browser is a default MITM. A browser plug-in type of thing can look at
the traffic and send it to the attacker, and the attacker can use it
later to impersonate the user. <br>
<br>
For MITM for HTTPS, refer to something like
<a class="moz-txt-link-freetext" href="http://www.sans.org/reading_room/whitepapers/threats/ssl_maninthemiddle_attacks_480">http://www.sans.org/reading_room/whitepapers/threats/ssl_maninthemiddle_attacks_480</a><br>
<br>
<blockquote
cite="mid:216e54901001272141w2266e14ayc3abbba53f232dbf@mail.gmail.com"
type="cite">
<div><br>
</div>
<div>IOW, what's the problem with replay if there's no chance of MITM
attacks? </div>
<div><br>
</div>
<div>On the other hand, I'm not entirely convinced that nonces are
all that useful, since any MITM could also conceivably <i>pre</i>play
the message, and get in anyway. Encryption seems to really be the
best/only mitigation.<br clear="all">
</div>
</blockquote>
<br>
The assertion is signed, and given that the nonce has a sufficient level of
entropy and randomness, it should be pretty hard to preplay, is it not?
<br>
<br>
<blockquote
cite="mid:216e54901001272141w2266e14ayc3abbba53f232dbf@mail.gmail.com"
type="cite">
<div>--<br>
Andrew Arnott<br>
"I [may] not agree with what you have to say, but I'll defend to the
death your right to say it." - S. G. Tallentyre<br>
<br>
<br>
<div class="gmail_quote">On Wed, Jan 27, 2010 at 5:22 PM, John
Bradley <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:john.bradley@wingaa.com">john.bradley@wingaa.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">I
think it has been increased. It would probably be a boon to the
internet if all versions of IE prior to 8 are deprecated.<br>
<br>
However, I have a hard time seeing websites turning people away due to
old browsers.<br>
<br>
It is possible for an IdP to detect the browser and use GET up to 4K +
if it is safe.<br>
<br>
That won't solve the problem that nonces do what they are supposed to
and prevent token resubmission.<br>
<br>
John B.<br>
<div>
<div class="h5">On 2010-01-27, at 10:12 PM, Henrik Biering wrote:<br>
<br>
><br>
> John Bradley wrote:<br>
>><br>
>> The other alternative is to ban IE because it is the source of
the 2K limit for GET.<br>
>> Not a problem for FF or other browsers.<br>
> Although I cannot find any official documentation, it seems that
the traditional 2K limit for IE GET requests has been increased
significantly in IE8<br>
><br>
> =henrik<br>
<br>
</div>
</div>
<div>
<div class="h5">_______________________________________________<br>
specs mailing list<br>
<a moz-do-not-send="true" href="mailto:specs@lists.openid.net">specs@lists.openid.net</a><br>
<a moz-do-not-send="true"
href="http://lists.openid.net/mailman/listinfo/openid-specs"
target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
specs mailing list
<a class="moz-txt-link-abbreviated" href="mailto:specs@lists.openid.net">specs@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs">http://lists.openid.net/mailman/listinfo/openid-specs</a>
</pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Nat Sakimura (<a class="moz-txt-link-abbreviated" href="mailto:n-sakimura@nri.co.jp">n-sakimura@nri.co.jp</a>)
Nomura Research Institute, Ltd.
Tel:+81-3-6274-1412 Fax:+81-3-6274-1547</pre>
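<br>
The relying-party side of the nonce check the thread is arguing about, as an added example that is not from this thread or from any OpenID library: a signed positive assertion is accepted only once, and only inside a time window, so a captured copy (even one captured over a valid TLS session) cannot be resubmitted. The association key, endpoint URLs and sample nonces are constructed for the example.<br>

```python
import base64, hashlib, hmac, re
from datetime import datetime, timedelta, timezone

# OpenID 2.0 response_nonce: UTC timestamp "YYYY-MM-DDThh:mm:ssZ" plus unique printable ASCII, 255 chars max.
NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)([\x21-\x7e]{0,235})$")

def kv_signature(fields, signed, key):
    """HMAC-SHA256 over the key-value form of the signed fields, as in OpenID Authentication 2.0."""
    msg = "".join(f"{n}:{fields['openid.' + n]}\n" for n in signed)
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha256).digest()).decode()

class ReplayGuard:
    """Relying-party checks on a positive assertion; 'seen' would be shared storage in a real deployment."""
    def __init__(self, assoc_key, clock, window=timedelta(minutes=5)):
        self.assoc_key, self.clock, self.window, self.seen = assoc_key, clock, window, set()

    def check(self, a):
        signed = a.get("openid.signed", "").split(",")
        if "response_nonce" not in signed:      # the nonce only helps if the OP signed it
            return "nonce_not_signed"
        if not hmac.compare_digest(kv_signature(a, signed, self.assoc_key), a.get("openid.sig", "")):
            return "bad_signature"
        nonce = a["openid.response_nonce"]
        if not (m := NONCE_RE.match(nonce)):
            return "malformed_nonce"
        issued = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        now = self.clock()
        if not (now - self.window <= issued <= now + self.window):   # bounds how long 'seen' must be kept
            return "stale_nonce"
        if nonce in self.seen:                  # valid signature on a consumed nonce: a replay, not a login
            return "replayed"
        self.seen.add(nonce)
        return "ok"

def make_assertion(nonce, key, return_to="https://rp.example/finish"):
    """Constructed sample positive assertion, signed the way an OP sharing an association key would."""
    a = {"openid.op_endpoint": "https://op.example/auth", "openid.return_to": return_to,
         "openid.response_nonce": nonce, "openid.assoc_handle": "assoc-1",
         "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle"}
    a["openid.sig"] = kv_signature(a, a["openid.signed"].split(","), key)
    return a

def demo(key=b"constructed-association-key"):
    """Fixed clock so the run is deterministic; returns the verdict for each scenario in order."""
    guard = ReplayGuard(key, clock=lambda: datetime(2010, 1, 28, 14, 41, tzinfo=timezone.utc))
    fresh = make_assertion("2010-01-28T14:40:30Zabc123", key)
    tampered = dict(fresh, **{"openid.return_to": "https://other.example/"})
    return [guard.check(fresh), guard.check(fresh), guard.check(tampered),
            guard.check(make_assertion("2010-01-28T14:00:00Zxyz", key)),
            guard.check(make_assertion("not-a-nonce", key))]
```

The second check of the same assertion is the replay case from the thread: the signature still verifies, and only the seen-nonce check stops the login.<br>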
</body>
</html>