openid.nonce added

Brad Fitzpatrick brad at
Sat May 21 11:20:15 PDT 2005

On Sat, 21 May 2005, Imran Ghory wrote:

> On 5/21/05, Karl Koscher <mrsaturn at> wrote:
> > Erm, is this really necessary? Can't a consumer just include something
> > like that in their return URL, that in turn is part of the message
> > hashed by the identity server? It seems like an extra implementation
> > detail that doesn't really get you anything that you couldn't get
> > otherwise, but perhaps I'm missing something?
> I disagree, the existence on a nonce or not can seriously impact the
> security of an authentication and an ID server (or indeed the user)
> may want to have the system automatically refuse to authenticate to a
> consumer that is insecure, and hence the ID server needs to know about
> the nonce as well.

Then perhaps consumers notice they're getting refused and start sending
junk nonces which they never check.  It'd be a false sense of security on
the identity server's part to trust a consumer purely on the presence of a
nonce argument.

- Brad

More information about the yadis mailing list