On Mon, Aug 27, 2012 at 12:11 PM, Dick Hardt <[email protected]> wrote:
> I have an application for JWT that is not OAuth2.
> Should nonce and timestamp logic go in the application level protocol?
> Having said that, nonces are difficult to implement at scale and I have
> heard of many sites that don't implement them fully.
>

Nonce alone can't be implemented efficiently. You have to have time stamps as well, otherwise you are stuck storing every nonce you've ever seen, forever.

Even nonce + time stamp is challenging in distributed systems. It adds a lot of complexity. That complexity is sometimes merited, but not always.
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
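The scheme the reply describes, as an added example that is not from the thread or from any JOSE implementation: a replay cache keyed on a nonce, where the timestamp bounds how long each nonce must be remembered. The JWT claims `jti` (the per-token ID used as the nonce) and `iat` (issued-at, seconds since the epoch) fill these roles; the 300-second acceptance window, the injectable clock, and the helper names are assumptions for illustration. The bounded-storage demo at the end shows the property the reply argues for: with a timestamp check, the cache holds at most one window's worth of nonces, rather than every nonce ever seen.

```python
"""Nonce + timestamp replay protection with bounded storage (added example).

A token is accepted only if its `iat` lies within +/- WINDOW seconds of the
verifier's clock and its `jti` has not been seen within that window.  Because
anything older than the window is rejected by the timestamp check alone, a
nonce only has to be remembered until `iat + WINDOW`; after that it is purged.
Window size and the fake clock below are assumptions for illustration.
"""
import time

WINDOW_SECONDS = 300  # assumed acceptable clock skew / token lifetime


class ReplayCache:
    def __init__(self, window_seconds=WINDOW_SECONDS, clock=time.time):
        self.window = window_seconds
        self.clock = clock          # injectable for testing
        self._seen = {}             # jti -> time after which it may be forgotten

    def _purge(self, now):
        # Forget nonces whose tokens would now fail the timestamp check anyway;
        # this is what keeps storage proportional to the window, not to history.
        for jti in [j for j, expiry in self._seen.items() if expiry <= now]:
            del self._seen[jti]

    def accept(self, jti, iat):
        """Return (accepted, reason) for a token carrying nonce `jti` issued at `iat`."""
        now = self.clock()
        self._purge(now)
        if iat > now + self.window:
            return False, "timestamp in future"
        if iat < now - self.window:
            return False, "timestamp too old"
        if jti in self._seen:
            return False, "replay"
        # Remember the nonce exactly as long as its timestamp remains acceptable.
        self._seen[jti] = iat + self.window
        return True, "ok"

    def size(self):
        return len(self._seen)


class FakeClock:
    """Controllable clock so the window behaviour can be exercised deterministically."""
    def __init__(self, t):
        self.t = t

    def __call__(self):
        return self.t


def bounded_storage_demo(seconds=2000, window=WINDOW_SECONDS):
    """Issue one fresh token per second for `seconds` seconds; return the peak cache size.

    With a timestamp window the peak equals `window`, independent of `seconds`.
    A nonce-only cache would instead grow to `seconds` entries.
    """
    clock = FakeClock(0.0)
    cache = ReplayCache(window_seconds=window, clock=clock)
    peak = 0
    for t in range(seconds):
        clock.t = float(t)
        ok, _ = cache.accept(f"jti-{t}", float(t))   # constructed tokens
        assert ok
        peak = max(peak, cache.size())
    return peak


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    cache = ReplayCache(clock=clock)
    print(cache.accept("abc", 1000.0))      # fresh token: accepted
    print(cache.accept("abc", 1000.0))      # same token again: replay
    clock.t = 1301.0
    print(cache.accept("abc", 1000.0))      # outside window: rejected, nonce already purged
    print("peak cache size:", bounded_storage_demo())
```

In a distributed deployment the `_seen` map has to be shared or consistently partitioned (for example by hashing `jti` to a node) so that a replay against a second node is still caught; that coordination, and agreeing on a clock across nodes, is the complexity the reply refers to.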
