The requirement is to prevent replay of a token. If it can be done without a nonce that is OK, but the requirement remains.
SSL on its own will not solve the replay problem.

John B.

On 2010-01-27, at 9:45 PM, Breno de Medeiros wrote:

> On Wed, Jan 27, 2010 at 16:40, Andrew Arnott <[email protected]> wrote:
>> Absolutely. In fact, if part of a solution to any problem is to get all
>> parties on SSL, then nonces can just go away -- am I right?
>
> Yes, if we could assume SSL support at the RP we could do away with
> nonces and use secure cookies. Nonces are a pain and just wrong for
> web protocols.
> _______________________________________________
> specs mailing list
> [email protected]
> http://lists.openid.net/mailman/listinfo/openid-specs
