I've been reading up on the OAuth specs, and when I came to the section about nonces and timestamps I wondered "why not have the server send the nonce?".
Benefits of this:

+ Server only needs to track the last nonce it sent to validate the next request
+ Don't need to store every nonce ever used

When the server responds to the previous request it can include the next nonce value in the header. So when we construct our next signature we have our next nonce. Attackers still can't construct a valid signature even if they see the next nonce.

So why have the client generate the nonce on the fly? I'm no security professional, so I might be overlooking a flaw with the above method.
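For comparison with the scheme described above, here is the server-side replay check the OAuth 1.0 spec (RFC 5849 section 3.3) actually calls for: a timestamp window plus a set of (consumer key, timestamp, nonce) triples seen inside that window, which bounds how many nonces the server must retain. This is an added example, not code from the original post; the class and method names and the 300-second window are assumptions.

```python
import time
from collections import deque


class NonceReplayGuard:
    """Server-side replay check in the style of OAuth 1.0 (RFC 5849 §3.3).

    A request is accepted only if its timestamp falls inside the allowed
    window AND the (consumer_key, timestamp, nonce) triple has not been seen
    before. Requests with stale timestamps are rejected outright, so the
    server only has to remember nonces that are still inside the window,
    not every nonce ever used.
    """

    def __init__(self, window_seconds=300):  # 300 s is an assumed window
        self.window = window_seconds
        self.seen = set()     # (consumer_key, timestamp, nonce) triples
        self.order = deque()  # (timestamp, triple) in arrival order, for pruning

    def _prune(self, now):
        # Drop remembered triples whose timestamp can no longer be accepted.
        cutoff = now - self.window
        while self.order and self.order[0][0] < cutoff:
            _, triple = self.order.popleft()
            self.seen.discard(triple)

    def retained(self):
        """Number of nonce triples currently held in memory."""
        return len(self.seen)

    def check(self, consumer_key, timestamp, nonce, now=None):
        """Return (accepted, reason). Call after the signature has verified."""
        now = time.time() if now is None else now
        self._prune(now)
        if abs(now - timestamp) > self.window:
            return False, "timestamp outside window"
        triple = (consumer_key, timestamp, nonce)
        if triple in self.seen:
            return False, "nonce replayed"
        self.seen.add(triple)
        self.order.append((timestamp, triple))
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a fresh request, its replay, and a stale request.
    guard = NonceReplayGuard()
    print(guard.check("consumer-key", 1000, "n1", now=1000))  # (True, 'ok')
    print(guard.check("consumer-key", 1000, "n1", now=1002))  # replayed
    print(guard.check("consumer-key", 600, "n2", now=1000))   # stale
```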
