The spec must have been changed. This sentence sounds correct to me: "The Consumer SHALL then generate a Nonce value that is unique for all requests with that timestamp."
Thanks!

Zhihong

On Mar 26, 5:48 pm, Brian Eaton <[email protected]> wrote:
> On Thu, Mar 26, 2009 at 2:22 PM, Zhihong <[email protected]> wrote:
> > We can't afford to ignore nonce. Timestamp can't prevent replay. We allow clock skew up to 1 min so there is a 2-min window, in which the message can be replayed. This is a risk we don't want to take.
>
> OK, this is challenging then. I think you've got two choices:
> - look into alternatives to nonce to mitigate the risk of replay (https and idempotent requests come to mind.)
> - look at alternate replication schemes. The choice of synchronous vs asynchronous nonce replication is the big one, I suspect.
>
> The body signing spec I've been working on (http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/drafts/4/spec....) might help you get to idempotent requests.
>
> You could also look at implementing the timestamp_refused error in the problem reporting extension. That would let you cut your time window from two minutes to something shorter. Clients would need to automatically adjust to the time stamp on your server.
>
> > I don't know why you think storage is infinite. It's very limited because nonce has limited size and life, and servers have limited bandwidth.
>
> That's the right way to do it, but it's not actually what the spec says to do. Check out this thread: http://markmail.org/message/apniux5s3iio7fln.
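The replay check the thread is arguing about, as an added example that is not code from the thread or from any OAuth library: the server accepts a timestamp only inside the configured skew window, rejects a (consumer key, timestamp, nonce) triple it has already seen, answers out-of-window requests with the problem reporting extension's timestamp_refused plus an acceptable range, and forgets stored nonces once their timestamp can no longer pass the window check, so the nonce store stays bounded. The `NonceStore` class, the per-consumer-key scoping (token omitted) and the injectable clock are assumptions made for this illustration.

```python
import time
from collections import deque


class NonceStore:
    """Server-side replay check for OAuth 1.0 oauth_timestamp / oauth_nonce.

    Hypothetical helper written for this thread, not the Google Group's or
    any OAuth library's code. Nonce uniqueness is scoped to
    (consumer_key, timestamp), following the quoted spec sentence.
    """

    def __init__(self, skew_seconds=60, now=time.time):
        self.skew = skew_seconds          # allowed clock skew in each direction
        self.now = now                    # injectable clock (for tests)
        self.seen = set()                 # (consumer_key, timestamp, nonce)
        self.order = deque()              # same keys in insertion order, for expiry

    def check(self, consumer_key, timestamp, nonce):
        """Return ("ok", None), ("nonce_used", None) or
        ("timestamp_refused", (min_ts, max_ts)); the range is what a server
        would report as oauth_acceptable_timestamps."""
        now = int(self.now())
        self._expire(now)
        if abs(now - timestamp) > self.skew:
            # Outside the window: no nonce lookup needed, and a replay of an
            # old request is rejected here even after its nonce was expired.
            return "timestamp_refused", (now - self.skew, now + self.skew)
        key = (consumer_key, timestamp, nonce)
        if key in self.seen:
            return "nonce_used", None
        self.seen.add(key)
        self.order.append(key)
        return "ok", None

    def _expire(self, now):
        # A key whose timestamp has dropped below the window cannot be replayed
        # any more (the timestamp check rejects it), so it can be forgotten.
        # Every key is appended with timestamp >= now - skew, so the store never
        # holds more than 2 * skew seconds of accepted traffic.
        oldest_valid = now - self.skew
        while self.order and self.order[0][1] < oldest_valid:
            self.seen.discard(self.order.popleft())
```

Shrinking `skew_seconds` is exactly the lever Brian describes: clients that honour timestamp_refused can keep working while the replay window and the nonce store both get smaller.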
