Re: Re[2]: [PROPOSAL] request nonce and name

2006-10-16 Thread Grant Monroe
On 10/14/06, Dick Hardt [EMAIL PROTECTED] wrote: Also note that URL parameters are not secured by TLS in HTTPS. -- Dick URL parameters are sent with the path in the GET line of the HTTP request after the TLS handshake, so URL parameters ARE secured. -- Grant Monroe JanRain, Inc.

Re: Re[2]: [PROPOSAL] request nonce and name

2006-10-14 Thread Dick Hardt
Also note that URL parameters are not secured by TLS in HTTPS. -- Dick On 13-Oct-06, at 3:57 AM, Chris Drake wrote: Hi All, Just so everyone remembers: GET encoded http://; URLs usually appear en masse in public lists (from proxy cache logs). If you don't want to POST data anyplace,

Re: [PROPOSAL] request nonce and name

2006-10-13 Thread Martin Atkins
Marius Scurtescu wrote: On 12-Oct-06, at 5:07 PM, Josh Hoyt wrote: On 10/12/06, Marius Scurtescu [EMAIL PROTECTED] wrote: If passing through all unrecognized parameters can cause problems then there could be a special namespace for this purpose. For example, all parameters with names

Re[2]: [PROPOSAL] request nonce and name

2006-10-13 Thread Chris Drake
Hi All, Just so everyone remembers: GET encoded http://; URLs usually appear en masse in public lists (from proxy cache logs). If you don't want to POST data anyplace, remember to expect replay attacks often. Kind Regards, Chris Drake Friday, October 13, 2006, 7:48:31 PM, you wrote: JH On

RE: [PROPOSAL] request nonce and name

2006-10-12 Thread Recordon, David
Josh and I chatted a good deal about this and don't believe a request nonce is actually needed. The main motivation for a request nonce is allowing a RP to retain state within the transaction. A stateful RP however already has the means to store

Re: [PROPOSAL] request nonce and name

2006-10-12 Thread Martin Atkins
Recordon, David wrote: We thus believe that any state tracking needed by a stateless RP must be maintained as GET parameters within the return_to argument. In the case of a stateful RP, it can either do the same thing, or store state via other means such as using a session id within a

Re: [PROPOSAL] request nonce and name

2006-10-12 Thread Marius Scurtescu
On 12-Oct-06, at 12:10 PM, Recordon, David wrote: We thus believe that any state tracking needed by a stateless RP must be maintained as GET parameters within the return_to argument. In the case of a stateful RP, it can either do the same thing, or store state via other means such as

Re: [PROPOSAL] request nonce and name

2006-10-12 Thread Josh Hoyt
On 10/12/06, Marius Scurtescu [EMAIL PROTECTED] wrote: If passing through all unrecognized parameters can cause problems then there could be a special namespace for this purpose. For example, all parameters with names starting with openid.pass. should be ignored by the IdP and passed back to

Re: [PROPOSAL] request nonce and name

2006-10-12 Thread Marius Scurtescu
On 12-Oct-06, at 5:07 PM, Josh Hoyt wrote: On 10/12/06, Marius Scurtescu [EMAIL PROTECTED] wrote: If passing through all unrecognized parameters can cause problems then there could be a special namespace for this purpose. For example, all parameters with names starting with openid.pass.

[PROPOSAL] request nonce and name

2006-09-30 Thread Dick Hardt
Motivating Use Case It is useful for an RP to know that a response to a request has already been processed and is not stale. A standard way to do this that can be incorporated into the Libraries would simplify things for the RP implementor. Proposed Implementation