Replay attacks vs man in the middle

Imran Ghory imranghory at
Fri May 20 07:30:39 PDT 2005

On 5/20/05, Martin Atkins <mart at> wrote:
> However, surely the nonce needs to be something specific to
> that request which the *consumer* can validate?

The nonce would be generated by the consumer, passed to the id server
via the user/webbrowser, the id server would sign it along with the
rest of the message and then the consumer would validate that the the
nonce they generated was signed by the id server. I'll post a more
indepth explanation about how this contributes to security if anyone
wants one ?


More information about the yadis mailing list