On Oct 2, 2006, at 22:07, Josh Hoyt wrote:

> On 10/2/06, Johannes Ernst wrote:
>> It appears to me that OpenID should be able to do the same thing that
>> we've been doing in LID: one-way nonces.
>
> This is the way that it's currently written up in the spec. When I
> wrote it up I had LID nonces in mind.
>
>> The current proposal is to have *two* nonces - one for the request and
>> one for the response. I bet there are good arguments for being able to
>> identify both the request and the response individually, but I can't
>> come up with any. Why do we need a response nonce if there is a
>> request nonce?
>
> Because the response may not have been triggered by a request.
This is how we implement non-browser support in LID right now -- and
I suggest that OpenID Auth could do the same:

A client decides it wants to access http://example.com/foo, which is
access-protected. It simply creates an OpenID response request as if it
had been initiated by a request.

Also: please ignore this if you have more important things to do --
but why do we need a request nonce at all? What attack does this
protect against?
Johannes Ernst
NetMesh Inc.
http://netmesh.info/jernst
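Added example (not code from the OpenID spec, LID or this thread): a relying-party-side check that consumes a one-way response nonce exactly once, which is what lets the relying party reject a replayed response even when, as in the non-browser flow above, it never issued a request nonce for it. The timestamp-plus-random nonce layout, the ResponseNonceStore class and the server URL are assumptions.

```python
from datetime import datetime, timedelta, timezone
import re

# Assumed nonce layout: a UTC timestamp followed by unique characters.
NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)(.+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


class ResponseNonceStore:
    """Remembers (server_url, nonce) pairs seen inside the allowed clock skew."""

    def __init__(self, max_skew=timedelta(minutes=5), clock=None):
        self.max_skew = max_skew
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._seen = {}  # (server_url, nonce) -> timestamp parsed from the nonce

    def accept(self, server_url, nonce):
        """True exactly once per (server, nonce) whose timestamp is fresh."""
        m = NONCE_RE.match(nonce)
        if not m:
            return False  # malformed: reject rather than guess a timestamp
        stamp = datetime.strptime(m.group(1), TS_FMT).replace(tzinfo=timezone.utc)
        now = self._clock()
        if abs(now - stamp) > self.max_skew:
            return False  # outside the skew window, so it could be an old replay
        key = (server_url, nonce)
        if key in self._seen:
            return False  # this exact response was already consumed once
        self._seen[key] = stamp
        self._expire(now)
        return True

    def _expire(self, now):
        """Forget nonces older than the skew window; they are rejected anyway."""
        for key, stamp in list(self._seen.items()):
            if now - stamp > self.max_skew:
                del self._seen[key]


def demo():
    """Constructed responses checked against a fixed clock."""
    fixed_now = datetime(2006, 10, 2, 22, 7, 0, tzinfo=timezone.utc)
    store = ResponseNonceStore(clock=lambda: fixed_now)
    server = "http://example.com/openid-server"  # assumed server endpoint
    fresh = "2006-10-02T22:06:30Zk9Qx7"
    stale = "2006-10-02T21:00:00Zk9Qx7"
    return (store.accept(server, fresh),            # True: first sighting
            store.accept(server, fresh),            # False: replay
            store.accept(server, stale),            # False: too old
            store.accept(server + "/b", fresh),     # True: nonce scoped per server
            store.accept(server, "no-timestamp"))   # False: malformed
```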
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs