openid.nonce added

Brad Fitzpatrick brad at danga.com
Sat May 21 11:20:15 PDT 2005


On Sat, 21 May 2005, Imran Ghory wrote:

> On 5/21/05, Karl Koscher <mrsaturn at teencity.org> wrote:
>
> > Erm, is this really necessary? Can't a consumer just include something
> > like that in their return URL, that in turn is part of the message
> > hashed by the identity server? It seems like an extra implementation
> > detail that doesn't really get you anything that you couldn't get
> > otherwise, but perhaps I'm missing something?
>
> I disagree, the existence of a nonce or not can seriously impact the
> security of an authentication and an ID server (or indeed the user)
> may want to have the system automatically refuse to authenticate to a
> consumer that is insecure, and hence the ID server needs to know about
> the nonce as well.

Then perhaps consumers notice they're getting refused and start sending
junk nonces which they never check.  It'd be a false sense of security on
the identity server's part to trust a consumer purely on the presence of a
nonce argument.

- Brad
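An added example, not code from the thread or from any OpenID implementation: a consumer that issues a single-use nonce, carries it in return_to (which the identity server's signature covers, as Karl suggests), and then actually checks it on the way back, which is the condition Brad's reply turns on. The HMAC stand-in for the identity server's signature, the shared key and the field names are assumptions, not the OpenID wire format.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: a constructed consumer/ID-server shared key standing in for
# whatever association or signing scheme the real protocol uses.
SHARED_KEY = b"constructed-demo-key"


class NonceStore:
    """Nonces the consumer issued, kept server-side and usable exactly once."""

    def __init__(self, ttl=300):
        self.ttl = ttl
        self._pending = {}  # nonce -> time it was issued

    def issue(self, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_urlsafe(16)
        self._pending[nonce] = now
        return nonce

    def consume(self, nonce, now=None):
        """True once for a live nonce; False if unknown, reused or expired."""
        now = time.time() if now is None else now
        issued = self._pending.pop(nonce, None)
        return issued is not None and now - issued <= self.ttl


def build_return_to(store, base="https://consumer.example/finish", now=None):
    """Embed a freshly issued nonce in the return_to URL sent to the ID server."""
    return base + "?" + urlencode({"nonce": store.issue(now)})


def id_server_sign(fields):
    """Stand-in for the ID server: HMAC over the signed fields, return_to included,
    so the nonce inside return_to cannot be changed without breaking the signature."""
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def consumer_verify(store, response, now=None):
    """Accept only if the signature verifies AND the nonce in return_to is one
    this consumer issued and has not already consumed (replay rejected)."""
    signed = {k: v for k, v in response.items() if k != "sig"}
    if not hmac.compare_digest(id_server_sign(signed), response.get("sig", "")):
        return False
    query = parse_qs(urlparse(signed.get("return_to", "")).query)
    return store.consume(query.get("nonce", [""])[0], now)
```

A consumer that merely adds a nonce parameter but skips the `store.consume` step would accept the same signed response any number of times, which is the false sense of security Brad describes.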

