<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">I am not arguing against artifact.<div><br></div><div>However, allowing for nonce replay from a browser session is a separate issue.</div><div><br></div><div>If the nonce is only in the artifact resolution response, the problem still exists, and is perhaps worse because of the latency involved in the second request.</div><div><br></div><div>If the user hits back and resubmits the indirect response and the RP performs artifact resolution on the same artifact a second time, it should detect a replay and reject it.</div><div><br></div><div>John B.</div><div><div><div>On 2010-01-28, at 8:02 AM, Nat Sakimura wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<div bgcolor="#ffffff" text="#000000">
(2010/01/28 16:21), Allen Tom wrote:
<blockquote cite="mid:C7867B10.2134B%25atom@yahoo-inc.com" type="cite">
<font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size: 11pt;">Hi all -<br>
<br>
Before I get started – I agree that in an ideal world, we’d have full
end to end SSL, old browsers would be banned, and we’d POST data.<br>
<br>
However, requiring RPs to support SSL isn’t going to help adoption and
is a deal breaker for most applications that want to use OpenID today.
Encouraging RPs to use SSL is a great idea – but it should not be
required. <br>
<br>
Although most browsers can support URLs > 2KB, some proxy servers
choke on URLs > 2KB. This is not fun to debug.<br>
</span></font></blockquote>
I add one more thing here: Many mobile browsers choke. <br>
<blockquote cite="mid:C7867B10.2134B%25atom@yahoo-inc.com" type="cite"><font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size: 11pt;"><br>
In practice, enforcing the nonce only gives the illusion of additional
security. If there’s a MITM, instead of replaying (or pre-playing) the
assertion, the attacker will just steal the browser cookies instead.
Assertions should have a limited lifetime – but this can be enforced by
checking the timestamp and allowing for a narrow replay window.<br>
<br>
POST is technically the ideal solution, but results in a degraded UX.
The proprietary market leaders have set the bar very high and we need
to offer an open alternative that is just as good, if not better. We
really aren’t going to get anywhere with a clunky UX. POST adds
additional latency, and can cause strange warnings and a blank
interstitial (the self submitting form). <br>
<br>
I really would like to be able to return an assertion using AX with a
lot of attributes, and Hybrid that can fit within the 2KB limit. This
is needed just to reach parity with the proprietary stuff.<br>
</span></font></blockquote>
Artifact Binding :-) Our implementation is returning (for
experimental purposes) an assertion that is well over 5MB with AX. <br>
<br>
=nat<br>
<blockquote cite="mid:C7867B10.2134B%25atom@yahoo-inc.com" type="cite"><font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size: 11pt;"><br>
Allen<br>
</span></font>
<pre wrap=""><fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
specs mailing list
<a class="moz-txt-link-abbreviated" href="mailto:specs@lists.openid.net">specs@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs">http://lists.openid.net/mailman/listinfo/openid-specs</a>
</pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Nat Sakimura (<a class="moz-txt-link-abbreviated" href="mailto:n-sakimura@nri.co.jp">n-sakimura@nri.co.jp</a>)
Nomura Research Institute, Ltd.
Tel:+81-3-6274-1412 Fax:+81-3-6274-1547</pre>
</div>
</blockquote></div><br></div></body></html>
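An added example (not code from this thread or from any OpenID library) that models the two RP-side checks argued over above: a narrow timestamp window on the response nonce, and one-time use of each nonce and artifact, so that a back-button resubmit of the same indirect response, or a second resolution of the same artifact, is rejected. The window length, OP endpoint, nonce suffixes and artifact value are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

REPLAY_WINDOW = timedelta(minutes=5)   # assumption: what "narrow" means here
NONCE_TS_LEN = len("2010-01-28T08:02:00Z")   # OpenID 2.0 nonce starts with a UTC timestamp


class ReplayGuard:
    def __init__(self, window=REPLAY_WINDOW):
        self.window = window
        self.seen = {}   # (kind, op_endpoint, value) -> time first accepted

    def _consume(self, kind, op_endpoint, value, now):
        # Nonce entries older than the window are dropped: a replay that old fails the
        # timestamp check anyway. Artifacts carry no timestamp, so they are kept.
        cutoff = now - self.window
        self.seen = {k: t for k, t in self.seen.items() if k[0] != "nonce" or t >= cutoff}
        key = (kind, op_endpoint, value)
        if key in self.seen:
            return False            # second use of the same value: replay
        self.seen[key] = now
        return True

    def accept_nonce(self, op_endpoint, nonce, now):
        """True if the nonce is inside the window and unused for this OP."""
        try:
            ts = datetime.strptime(nonce[:NONCE_TS_LEN], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            return False            # malformed or missing timestamp prefix
        if abs(now - ts.replace(tzinfo=timezone.utc)) > self.window:
            return False            # stale (or future-dated), even if never seen
        return self._consume("nonce", op_endpoint, nonce, now)

    def accept_artifact(self, op_endpoint, artifact, now):
        """True the first time an artifact is resolved, False on a resubmit."""
        return self._consume("artifact", op_endpoint, artifact, now)


def simulate_back_button():
    """Constructed scenario: the user hits back and resubmits the same response."""
    guard = ReplayGuard()
    op = "https://op.example/endpoint"                   # constructed sample values
    now = datetime(2010, 1, 28, 8, 2, 30, tzinfo=timezone.utc)
    return [
        guard.accept_nonce(op, "2010-01-28T08:02:00Zq9pXn7", now),   # fresh: True
        guard.accept_nonce(op, "2010-01-28T08:02:00Zq9pXn7", now),   # resubmit: False
        guard.accept_nonce(op, "2010-01-27T08:02:00Zq9pXn8", now),   # a day old: False
        guard.accept_artifact(op, "art-7f3c", now),                  # first resolve: True
        guard.accept_artifact(op, "art-7f3c", now),                  # second resolve: False
    ]
```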