openid.nonce added

Imran Ghory imranghory at gmail.com
Sat May 21 16:16:07 PDT 2005


> I can go either way, to be honest.  On one hand, it's a good idea to have,
> and we'll be using it ourselves.  On the other hand, it expands the specs
> when there are multiple ways to prevent dups (tracking nonces vs. tracking
> used signatures)

The point of nonces is you don't have to track them, the consumer just
generates a very large random number and just relies on probability to
ensure this nonce isn't repeated, so a history of nonces doesn't have
to be kept. A single nonce only has to be held for the duration of the
session it's used for (this is pretty common practice, I believe
Kerberos does precisely this).

> So far I'm hearing exactly 1 person in favor, 1 against, and 1 don't care
> (myself).  If either group wants to push me over the edge one way or the
> other, speak up.

I'd rather you just listened to all the opinions and made an informed
choice rather than relying upon a show of hands :-)

Imran
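To make the nonce handling Imran describes concrete, here is an added illustration (not code from this thread or from any OpenID implementation) of a consumer that mints a large random openid.nonce per session, holds it only while the round-trip is open, and discards it once used so a replayed response is refused. The Consumer class, the field names, and the TTL are assumptions for the example; signature checking is assumed to happen before finish_auth is called.

```python
import secrets
import time

NONCE_BYTES = 16  # 128 random bits: collisions are improbable enough that no nonce history is kept


class Consumer:
    """Hypothetical relying-party (consumer) side of an openid.nonce check (example only)."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        # session_id -> (nonce, issued_at); an entry lives only for the open auth round-trip
        self.pending = {}

    def begin_auth(self, session_id, now=None):
        """Mint openid.nonce for this session and remember it until the response returns."""
        nonce = secrets.token_urlsafe(NONCE_BYTES)
        self.pending[session_id] = (nonce, time.time() if now is None else now)
        return nonce

    def finish_auth(self, session_id, response, now=None):
        """Accept the response only if it carries the nonce issued to this session,
        then forget the nonce so a second copy of the same response is rejected."""
        now = time.time() if now is None else now
        entry = self.pending.get(session_id)
        if entry is None:
            return False  # no outstanding request, or nonce already consumed: treat as replay
        nonce, issued_at = entry
        if now - issued_at > self.ttl:
            del self.pending[session_id]
            return False  # stale request; the nonce is dropped rather than reused
        if not secrets.compare_digest(nonce, response.get("openid.nonce", "")):
            return False  # wrong or missing nonce; the pending request stays open
        del self.pending[session_id]
        return True


def demo():
    """Constructed round-trip: first delivery succeeds, a replay of the same response fails."""
    consumer = Consumer()
    nonce = consumer.begin_auth("session-42", now=1000.0)
    # The identity server echoes the nonce back in the (already signature-checked) response.
    response = {"openid.mode": "id_res", "openid.nonce": nonce}
    first = consumer.finish_auth("session-42", response, now=1001.0)
    replay = consumer.finish_auth("session-42", response, now=1002.0)
    return first, replay
```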

