Title: RE: [PROPOSAL] request nonce and name

I don't inherently see a problem with this, though it can't be required since relying parties may not be able to keep state.

I'd vote for openid.request_nonce and openid.response_nonce just in making it clear what they actually are.  I'm fine linking people off to Wikipedia (http://en.wikipedia.org/wiki/Cryptographic_nonce), but that's just me.

In any case, even if a request nonce isn't added, I’d like to see openid.nonce renamed to openid.response_nonce.

--David


-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Dick Hardt
Sent: Sat 9/30/2006 4:57 PM
To: specs@openid.net
Subject: [PROPOSAL] request nonce and name

Motivating Use Case
----------------------------
It is useful for an RP to know that a response to a request has 
already been processed and is not stale.
A standard way to do this that can be incorporated into the libraries 
would simplify things for the RP implementor.


Proposed Implementation
-----------------------------------
1) Allow the RP to OPTIONALLY include a nonce in the request. The 
nonce would be of the same format as the nonce in the response from 
the IdP. The IdP will include the nonce from the RP in its response.

2) rename openid.nonce to openid.response_id and name the request 
nonce openid.request_id

Alternate: call them openid.response_stamp and openid.request_stamp

naming comments:
+ openid.nonce is not in use at this time, so easy to rename
+ id or stamp may make more sense to the average developer (mainly 
crypto and security people know what a nonce is, I have to explain to 
most developers)


_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


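A worked example of the exchange proposed above, added here as an illustration; it is not code from the OpenID specs list, the proposal, or any OpenID library. The RP optionally puts openid.request_nonce in its request, the IdP echoes it and adds its own openid.response_nonce, and the RP accepts a response only if the response nonce is fresh and unseen and, when it issued one, the echoed request nonce matches an outstanding request exactly once. The nonce format (RFC 3339 UTC timestamp plus a random suffix), the 300-second freshness window, the skew allowance, and the in-memory tables are assumptions of the example, not details the proposal fixes. The stateless path shows why the request nonce has to stay optional: an RP that keeps no state can still reject replays and stale responses using the response nonce alone, at the cost of not being able to tie a response to a particular request.

```python
"""Proposed openid.request_nonce / openid.response_nonce handling (added example).

Not code from the OpenID specs list or any OpenID library. Assumptions not fixed
by the proposal: nonce = RFC 3339 UTC timestamp + random suffix, the RP keeps an
in-memory table of outstanding request nonces and of accepted response nonces,
and a response nonce older than MAX_AGE seconds is treated as stale.
"""
import secrets
import string
from datetime import datetime, timezone

MAX_AGE = 300                  # seconds a response nonce stays acceptable (assumption)
SKEW = 60                      # tolerated IdP clock skew into the future (assumption)
_ALPHABET = string.ascii_letters + string.digits


def make_nonce(now: float) -> str:
    """Timestamp + 8 random chars; the same shape for request and response nonces."""
    stamp = datetime.fromtimestamp(now, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return stamp + "".join(secrets.choice(_ALPHABET) for _ in range(8))


def nonce_timestamp(nonce: str) -> float:
    """Epoch seconds of the leading timestamp; ValueError if the nonce is malformed."""
    t = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ")
    return t.replace(tzinfo=timezone.utc).timestamp()


class RelyingParty:
    def __init__(self):
        self.outstanding = {}  # request nonce -> time issued
        self.seen = {}         # accepted response nonce -> time accepted

    def build_request(self, now: float, with_nonce: bool = True) -> dict:
        msg = {"openid.mode": "checkid_setup"}
        if with_nonce:         # OPTIONAL: a stateless RP simply omits it
            n = make_nonce(now)
            self.outstanding[n] = now
            msg["openid.request_nonce"] = n
        return msg

    def verify_response(self, resp: dict, now: float) -> tuple[bool, str]:
        rn = resp.get("openid.response_nonce")
        if rn is None:
            return False, "missing response nonce"
        try:
            issued = nonce_timestamp(rn)
        except ValueError:
            return False, "malformed response nonce"
        if not (now - MAX_AGE <= issued <= now + SKEW):
            return False, "stale response"
        if rn in self.seen:
            return False, "replayed response nonce"
        qn = resp.get("openid.request_nonce")
        if qn is not None:     # only checkable when this RP issued one and kept state
            if qn not in self.outstanding:
                return False, "unknown or already consumed request nonce"
            del self.outstanding[qn]   # one request, one response
        self.seen[rn] = now
        self._expire(now)
        return True, "ok"

    def _expire(self, now: float) -> None:
        """Drop entries too old to matter; the freshness check rejects them anyway."""
        for table in (self.outstanding, self.seen):
            for k in [k for k, t in table.items() if now - t > MAX_AGE + SKEW]:
                del table[k]


def idp_respond(req: dict, now: float) -> dict:
    """IdP side: always a fresh response nonce; echo the request nonce if present."""
    resp = {"openid.mode": "id_res", "openid.response_nonce": make_nonce(now)}
    if "openid.request_nonce" in req:
        resp["openid.request_nonce"] = req["openid.request_nonce"]
    return resp


def demo() -> dict:
    """Run the exchange plus the failure cases; returns the RP's verdict for each."""
    rp = RelyingParty()
    t0 = 1_159_660_000.0   # constructed fixed epoch time
    req = rp.build_request(t0)
    resp = idp_respond(req, t0 + 2)
    out = {"fresh": rp.verify_response(resp, t0 + 3)[1],
           "replay": rp.verify_response(resp, t0 + 4)[1]}
    forged = idp_respond(req, t0 + 5)          # new response nonce, consumed request nonce
    out["reused_request_nonce"] = rp.verify_response(forged, t0 + 6)[1]
    stateless = idp_respond(rp.build_request(t0, with_nonce=False), t0 + 7)
    out["stateless"] = rp.verify_response(stateless, t0 + 8)[1]
    out["stale"] = rp.verify_response(idp_respond({}, t0 - 1000), t0)[1]
    return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The request nonce is consumed on first use, so a second response carrying the same request nonce is rejected even when the IdP (or an attacker) mints a fresh response nonce for it; the response-nonce table is what protects the stateless path, and both tables are bounded by the freshness window rather than growing forever.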