openid.nonce added

Imran Ghory imranghory at gmail.com
Sat May 21 15:29:23 PDT 2005


On 5/21/05, Brad Fitzpatrick <brad at danga.com> wrote:
> > I disagree, the existence of a nonce or not can seriously impact the
> > security of an authentication and an ID server (or indeed the user)
> > may want to have the system automatically refuse to authenticate to a
> > consumer that is insecure, and hence the ID server needs to know about
> > the nonce as well.
> 
> Then perhaps consumers notice they're getting refused and start sending
> junk nonces which they never check.  It'd be a false sense of security on
> the identity server's part to trust a consumer purely on the presence of a
> nonce argument.

Yes, but it would prevent insecurity by ignorance. I agree that the
consumer could fake it, but to do so would require active subversion of
the protocol. By not including a nonce in the protocol spec, the
protocol then relies upon the consumer to develop extra checks to make
it secure.

Given that most of the people on this mailing list weren't aware of why
a nonce would be needed to protect this protocol against a replay
attack, how can you expect joe random website developer to be aware of
needing to do this?

The check wouldn't tell you if the consumer was actually using the
nonce, but it could tell you if they weren't. Saying that it won't
protect against 100% of potentially insecure consumers is no reason
not to offer the ability to protect against the 95% of
insecure-through-ignorance consumers.

Imran
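The two checks the thread is arguing about, shown side by side as an added example (this is not code from the thread, from OpenID, or from either poster): a consumer that issues a single-use, time-limited nonce and rejects any assertion that replays it, and the much weaker "is there an openid.nonce parameter at all" test an ID server could run. The parameter name `openid.nonce` is taken from the discussion; the class, function names, message shapes and the injectable clock are assumptions made for this illustration.

```python
import secrets
import time

# Hypothetical relying-party (consumer) side of the nonce check.
# Message dicts stand in for the real request/response parameters.
class ReplayProtectedConsumer:
    def __init__(self, ttl_seconds=300, clock=time.time):
        self._pending = {}          # nonce -> time it was issued
        self._ttl = ttl_seconds     # how long an issued nonce stays valid
        self._clock = clock         # injectable for deterministic tests

    def begin_auth(self):
        """Start an authentication: mint an unguessable nonce and remember it."""
        nonce = secrets.token_urlsafe(16)   # 128 bits from the OS CSPRNG
        self._pending[nonce] = self._clock()
        # The consumer would send this along with the rest of the checkid request
        # and expect it back unchanged in the identity server's response.
        return {"openid.nonce": nonce}

    def verify_response(self, response):
        """Accept a response exactly once, and only while its nonce is fresh.

        Returns (accepted, reason). A replayed response fails because the
        nonce was popped on first use, so the attacker's copy no longer
        matches anything the consumer is waiting for.
        """
        nonce = response.get("openid.nonce")
        if nonce is None:
            return (False, "missing nonce")
        issued = self._pending.pop(nonce, None)   # single use: remove on lookup
        if issued is None:
            return (False, "unknown or already used nonce")
        if self._clock() - issued > self._ttl:
            return (False, "nonce expired")
        return (True, "ok")


def id_server_sees_nonce(request):
    """The presence-only check an identity server could apply (Brad's objection).

    It distinguishes a consumer that never sends a nonce from one that does,
    but it cannot tell whether the consumer ever verifies the value it sent.
    """
    return bool(request.get("openid.nonce"))


def demo_replay(clock=time.time):
    """Walk through a legitimate response followed by a replay of the same
    captured response; returns the consumer's verdict for each."""
    consumer = ReplayProtectedConsumer(clock=clock)
    request = consumer.begin_auth()
    # Constructed response: the ID server echoes the nonce back to the consumer.
    response = {"openid.mode": "id_res", "openid.nonce": request["openid.nonce"]}
    first = consumer.verify_response(response)
    replay = consumer.verify_response(dict(response))   # same bytes, second delivery
    return [first, replay]


if __name__ == "__main__":
    for verdict in demo_replay():
        print(verdict)
    print("presence check, nonce sent:", id_server_sees_nonce({"openid.nonce": "abc"}))
    print("presence check, no nonce:  ", id_server_sees_nonce({}))
```

The state kept in `_pending` is what makes the nonce do any work: a consumer that merely emits the parameter and never consults that table passes `id_server_sees_nonce` while remaining fully replayable, which is exactly the gap between the two positions in the thread.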

