Don't you need another round-trip to get the server-generated nonce? So a round-trip is saved by using a client-generated nonce.
I just posted help in another thread: http://groups.google.com/group/oauth/browse_thread/thread/ff93d23e0734a7d8?hl=en

Our problem would be solved if the nonce were generated by the server, but I don't think this justifies an extra round-trip.

Zhihong

On Mar 25, 5:23 pm, joshthecoder <[email protected]> wrote:
> I've been reading up on the OAuth specs, and when I came to the section
> about nonces and timestamps I wondered "why not have the server send
> the nonce?"
>
> Benefits of this:
> + The server only needs to track the last nonce it sent to validate the
>   next request
> + No need to store every nonce ever used
>
> When the server responds to the previous request it can include
> the next nonce value in the header.
> So when we construct our next signature we have our next nonce.
> Attackers still can't construct a valid signature even if they see the
> next nonce.
>
> So why have the client generate the nonce on the fly? I'm no security
> professional, so I might be overlooking a flaw with the above method.
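The two nonce schemes debated in this thread, side by side, as an added example that is not code from either poster or from the OAuth spec. It models client-generated nonces (the server must remember every (nonce, timestamp) pair inside a freshness window and can prune stale ones) against server-issued nonces (the server remembers only the nonce it handed out last, but the client must spend one extra round-trip to obtain the first one). The signature is a simplified OAuth 1.0-style HMAC-SHA1 over the sorted parameters; the credentials, parameter names and request contents are constructed for the demo, and the base string omits the HTTP method and URL that the real protocol includes.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed demo credentials (not real keys). OAuth 1.0 signs with
# "consumer_secret&token_secret" as the HMAC key.
CONSUMER_SECRET = "demo-consumer-secret"
TOKEN_SECRET = "demo-token-secret"


def sign(params: dict) -> str:
    """HMAC-SHA1 over sorted, percent-encoded params (simplified OAuth 1.0 base string)."""
    base = "&".join(f"{quote(k, safe='')}={quote(str(v), safe='')}"
                    for k, v in sorted(params.items()))
    key = f"{CONSUMER_SECRET}&{TOKEN_SECRET}".encode()
    return hmac.new(key, base.encode(), hashlib.sha1).hexdigest()


class ClientNonceServer:
    """Client-generated nonces, as the spec does it.

    Every (nonce, timestamp) pair seen inside the window is stored so a
    captured request cannot be replayed; timestamps outside the window are
    rejected so the stored set stays bounded.
    """

    def __init__(self, window: int = 300):
        self.window = window
        self.seen = set()

    def handle(self, params: dict, signature: str, now: int) -> str:
        if not hmac.compare_digest(sign(params), signature):
            return "bad signature"
        ts = int(params["oauth_timestamp"])
        if abs(now - ts) > self.window:
            return "stale timestamp"
        key = (params["oauth_nonce"], ts)
        if key in self.seen:
            return "replay"
        self.seen.add(key)
        # Prune pairs that can no longer pass the timestamp check anyway.
        self.seen = {k for k in self.seen if abs(now - k[1]) <= self.window}
        return "ok"


class ServerNonceServer:
    """Server-issued nonces, as joshthecoder proposed.

    Only the last nonce handed out is tracked. Each accepted response carries
    the nonce the client must use next. Fetching the very first nonce is the
    extra round-trip Zhihong objects to.
    """

    def __init__(self):
        self.expected = None

    def issue_nonce(self) -> str:
        self.expected = secrets.token_hex(16)  # extra round-trip before request 1
        return self.expected

    def handle(self, params: dict, signature: str):
        if not hmac.compare_digest(sign(params), signature):
            return "bad signature", None
        if params["oauth_nonce"] != self.expected:
            return "replay or unexpected nonce", None
        self.expected = secrets.token_hex(16)  # rotate; the used nonce is dead
        return "ok", self.expected


def demo_client_nonce():
    """Legit request, a replay of it, and a request with a stale timestamp."""
    server = ClientNonceServer()
    now = int(time.time())
    params = {"oauth_consumer_key": "demo", "oauth_token": "demo-token",
              "oauth_nonce": secrets.token_hex(8), "oauth_timestamp": now,
              "action": "read"}
    sig = sign(params)
    first = server.handle(params, sig, now)
    replay = server.handle(params, sig, now)            # attacker replays the capture
    old = dict(params, oauth_nonce=secrets.token_hex(8), oauth_timestamp=now - 3600)
    stale = server.handle(old, sign(old), now)
    return first, replay, stale


def demo_server_nonce():
    """Fetch nonce, legit request, replay, forgery with the leaked next nonce, legit follow-up."""
    server = ServerNonceServer()
    nonce = server.issue_nonce()
    params = {"oauth_consumer_key": "demo", "oauth_token": "demo-token",
              "oauth_nonce": nonce, "action": "read"}
    sig = sign(params)
    first, next_nonce = server.handle(params, sig)
    replay, _ = server.handle(params, sig)             # old nonce no longer expected
    forged = dict(params, oauth_nonce=next_nonce)      # attacker saw next_nonce...
    forged_result, _ = server.handle(forged, sig)      # ...but cannot re-sign for it
    follow = dict(params, oauth_nonce=next_nonce)
    second, _ = server.handle(follow, sign(follow))
    return first, replay, forged_result, second


if __name__ == "__main__":
    print(demo_client_nonce())
    print(demo_server_nonce())
```

Both servers reject a replay; the difference is in state and latency. The client-nonce server carries a set that grows with request rate times window, while the server-nonce server carries one value per client but forces a nonce fetch before the first signed request and serialises requests, since each one must carry the nonce issued by the previous response.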
