Depends on what the nonce is used for. If this is for key entropy, then I would say there are very few overhead and storage issues, and in this case I would expect the header to contain the nonce; if it's for state of some sort, then I would expect it at the application level and not as a header, more of a JWT claim.
From: [email protected] [mailto:[email protected]] On Behalf Of Brian Eaton
Sent: Monday, August 27, 2012 1:06 PM
To: Dick Hardt
Cc: [email protected]; [email protected]; [email protected]
Subject: Re: [jose] DISCUSS: Nonce/Timestamp parameter

On Mon, Aug 27, 2012 at 12:11 PM, Dick Hardt <[email protected]> wrote:

I have an application for JWT that is not OAuth2. Should nonce and timestamp logic go in the application level protocol? Having said that, nonces are difficult to implement at scale and I have heard of many sites that don't implement them fully.

Nonce alone can't be implemented efficiently. You have to have time stamps as well, otherwise you are stuck storing every nonce you've ever seen, forever. Even nonce + time stamp is challenging in distributed systems. It adds a lot of complexity. That complexity is sometimes merited, but not always.
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
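The nonce-plus-timestamp argument in the thread, as an added example that is not part of the mailing-list discussion: a single-process replay cache for JWTs whose memory is bounded by the acceptance window instead of growing forever. It assumes the nonce travels in the `jti` claim and the issue time in `iat` (an assumption about the application; the thread does not specify claim names) and that timestamps are Unix seconds.

```python
import heapq
import time
from typing import Dict, List, Optional, Tuple


class ReplayGuard:
    """Bounded replay cache: a nonce is remembered only for as long as a
    token carrying it could still be accepted under the timestamp window.
    Tokens outside the window are rejected without touching the cache, so
    memory is bounded by window length * acceptance rate, not by history.
    Single-process only: a distributed deployment would need a shared
    store applying the same eviction rule (the complexity the thread notes)."""

    def __init__(self, window_seconds: int, max_skew_seconds: int = 0):
        self.window = window_seconds          # how long an iat stays acceptable
        self.skew = max_skew_seconds          # tolerated clock drift into the future
        self._seen: Dict[str, float] = {}     # nonce -> expiry time
        self._expiry: List[Tuple[float, str]] = []  # min-heap of (expiry, nonce)

    def _evict(self, now: float) -> None:
        # Drop every nonce whose window has closed; a replay of such a token
        # is caught by the "too old" check, so it need not be remembered.
        while self._expiry and self._expiry[0][0] <= now:
            exp, nonce = heapq.heappop(self._expiry)
            if self._seen.get(nonce) == exp:
                del self._seen[nonce]

    def check(self, claims: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        self._evict(now)
        nonce, iat = claims.get("jti"), claims.get("iat")
        if not isinstance(nonce, str) or not isinstance(iat, (int, float)):
            return False, "missing jti or iat"
        if iat > now + self.skew:
            return False, "issued in the future"
        if iat + self.window <= now:
            return False, "too old"            # rejected without any state
        if nonce in self._seen:
            return False, "replay"
        expiry = iat + self.window
        self._seen[nonce] = expiry
        heapq.heappush(self._expiry, (expiry, nonce))
        return True, "ok"

    def tracked(self) -> int:
        """Number of nonces currently held; stays bounded as time advances."""
        return len(self._seen)
```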
