openid.nonce added

Imran Ghory imranghory at
Sat May 21 16:16:07 PDT 2005

> I can go either way, to be honest.  On one hand, it's a good idea to have,
> and we'll be using it ourselves.  On the other hand, it expands the specs
> when there are multiple ways to prevent dups (tracking nonces vs. tracking
> used signatures)

The point of nonces is you don't have to track them, the consumer just
generates a very large random number and just relies on probability to
ensure this nonce isn't repeated, so a history of nonces doesn't have
to be kept. A single nonce only has to be held for the duration of the
session it's used for (this is pretty common practice, I believe
Kerberos does precisely this).

> So far I'm hearing exactly 1 person in favor, 1 against, and 1 don't care
> (myself).  If either group wants to push me over the edge one way or the
> other, speak up.

I'd rather you just listened to all the opinions and made an informed
choice rather than relying upon a show of hands :-)


More information about the yadis mailing list