openid.nonce added

Brad Fitzpatrick brad at danga.com
Sat May 21 15:36:42 PDT 2005


On Sat, 21 May 2005, Imran Ghory wrote:

> On 5/21/05, Brad Fitzpatrick <brad at danga.com> wrote:
> > > I disagree, the existence on a nonce or not can seriously impact the
> > > security of an authentication and an ID server (or indeed the user)
> > > may want to have the system automatically refuse to authenticate to a
> > > consumer that is insecure, and hence the ID server needs to know about
> > > the nonce as well.
> >
> > Then perhaps consumers notice they're getting refused and start sending
> > junk nonces which they never check.  It'd be a false sense of security on
> > the identity server's part to trust a consumer purely on the presence of a
> > nonce argument.
>
> Yes but it would prevent insecurity by ignorance, I agree that the
> consumer could fake it but to do so would require active subversion of
> the protocol. By not including a nonce in the protocol spec, the
> protocol then relies upon the consumer to develop extra checks to make
> it secure.
>
> Given that most of the people on this mailing list wern't aware of why
> a nonce would be needed to protect this protocol against a replay
> attack how can you expect joe random website developer to be aware of
> needing to do this ?
>
> The check wouldn't tell you if the consumer was actually using the
> nonce, but it could tell you if they wern't. Saying that it won't
> protect against 100% of potentially insecure consumers is no reason
> not to offer the ability to protect against the 95% of insecure
> through ignorance consumers.

I can go either way, to be honest.  On one hand, it's a good idea to have,
and we'll be using it ourselves.  On the other hand, it expands the specs
when there are multiple ways to prevent dups (tracking nonces vs. tracking
used signatures), nonces can be added to the return URL, and most users
will use a library which gives them hooks to generate and check nonces.
(Net::OpenID::Consumer does), rather than doing it by hand.

So far I'm hearing exactly 1 person in favor, 1 against, and 1 don't care
(myself).  If either group wants to push me over the edge one way or the
other, speak up.

- Brad


More information about the yadis mailing list