I’d be glad to add in a nonce if there’s a compelling reason for it, such as 
closing a security attack vector.

What’s the proposed purpose of the nonce? Is it just to add randomness to the 
signing base? Or is it to prevent replay at the RS? If the former, the 
timestamp should add enough of that and it can be verified to be within a 
reasonable window by the RS by comparing it with the time the request was made. 
If the latter, the RS is going to have to track previously used nonces for some 
amount of time. 

There was a small discussion of just signing an outgoing “Date:” header instead 
of the separate timestamp, but the timestamp seemed to be more robust. I forget 
the full reasoning though.

 — Justin

> On Feb 26, 2016, at 9:49 AM, Brock Allen <brockal...@gmail.com> wrote:
> 
> Question about the HTTP signing spec – why is there no nonce (and just a 
> timestamp)?
>  
> TIA
>  
> -Brock
>  
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
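To make the trade-off Justin describes concrete, here is an added example (not code from the draft or from either poster) of the two RS-side policies: a timestamp-only check, and a timestamp plus a nonce the RS remembers for as long as that timestamp would still be accepted. The signing base is a deliberately simplified HMAC-over-JSON stand-in for the draft's JWS structure; the field names, the 300-second window, the shared key and the request paths are all assumptions constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical acceptance window for the "ts" field; the draft leaves the
# exact tolerance to the RS, so this value is an assumption for the demo.
WINDOW_SECONDS = 300


def signing_base(method, path, ts, nonce=None):
    """Simplified signing base (constructed for this example; the draft
    uses a JWS-wrapped JSON object with more members). Including the
    nonce, when present, binds it to the signature so it cannot be swapped."""
    fields = {"m": method, "p": path, "ts": ts}
    if nonce is not None:
        fields["n"] = nonce
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign(key, method, path, ts, nonce=None):
    """Client side: HMAC-SHA256 stands in for the draft's JWS signature."""
    return hmac.new(key, signing_base(method, path, ts, nonce), hashlib.sha256).hexdigest()


class ResourceServer:
    """RS-side verifier. With require_nonce=False it does only the
    timestamp-window check; with require_nonce=True it also tracks nonces
    for as long as their timestamp would still be accepted."""

    def __init__(self, key, window=WINDOW_SECONDS, require_nonce=False):
        self.key = key
        self.window = window
        self.require_nonce = require_nonce
        self.seen = {}  # nonce -> time after which it no longer needs tracking

    def _evict(self, now):
        for n in [n for n, exp in self.seen.items() if exp <= now]:
            del self.seen[n]

    def tracked(self, now):
        """Number of nonces the RS still has to remember at time `now`."""
        self._evict(now)
        return len(self.seen)

    def verify(self, method, path, ts, sig, nonce=None, now=None):
        now = time.time() if now is None else now
        expected = sign(self.key, method, path, ts, nonce)
        if not hmac.compare_digest(expected, sig):
            return "bad-signature"
        # Timestamp check: bounds how long a captured request stays usable.
        if abs(now - ts) > self.window:
            return "stale-timestamp"
        if self.require_nonce:
            if nonce is None:
                return "missing-nonce"
            self._evict(now)
            if nonce in self.seen:
                return "replay"
            # Once ts + window has passed, the timestamp check rejects the
            # request anyway, so the nonce can be forgotten at that point.
            self.seen[nonce] = ts + self.window
        return "ok"


def demo():
    """Run both RS configurations against the same captured request."""
    key = b"constructed-shared-secret"  # constructed for the example
    now = 1456500000.0  # fixed clock so the run is deterministic
    ts = int(now)
    results = {}

    ts_only = ResourceServer(key)
    sig = sign(key, "GET", "/resource", ts)
    results["ts_first"] = ts_only.verify("GET", "/resource", ts, sig, now=now)
    # A captured request replayed 10 s later is still inside the window.
    results["ts_replay"] = ts_only.verify("GET", "/resource", ts, sig, now=now + 10)
    results["ts_stale"] = ts_only.verify("GET", "/resource", ts, sig, now=now + WINDOW_SECONDS + 1)
    results["ts_tampered"] = ts_only.verify("GET", "/other", ts, sig, now=now)

    with_nonce = ResourceServer(key, require_nonce=True)
    nonce = secrets.token_hex(16)
    sig_n = sign(key, "GET", "/resource", ts, nonce)
    results["nonce_first"] = with_nonce.verify("GET", "/resource", ts, sig_n, nonce=nonce, now=now)
    results["nonce_replay"] = with_nonce.verify("GET", "/resource", ts, sig_n, nonce=nonce, now=now + 10)
    results["nonce_tracked"] = with_nonce.tracked(now + 10)
    results["nonce_forgotten"] = with_nonce.tracked(now + WINDOW_SECONDS + 1)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The timestamp-only RS accepts the replayed request as long as it arrives inside the window, which is the "randomness only" reading of the nonce; the nonce-tracking RS rejects it, at the cost of remembering each nonce until its timestamp would be stale anyway, which is the state Justin says the RS would have to keep.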
