The nonce would allow to build a replay cache, the timestamp to trim that cache and reject messages that are too old.
Similar protocols have a nonce for the above reasons (ws-sec msg security, hawk)... — cheers Dominick Baier On 27 February 2016 at 03:48:00, Justin Richer (jric...@mit.edu) wrote: I’d be glad to add in a nonce if there’s a compelling reason for it, such as closing a security attack vector. What’s the proposed purpose of the nonce? Is it just to add randomness to the signing base? Or is it to prevent replay at the RS? If the former, the timestamp should add enough of that and it can be verified to be within a reasonable window by the RS by comparing it with the time the request was made. If the latter, the RS is going to have to track previously used nonces for some amount of time. There was a small discussion of just signing an outgoing “Date:” header instead of the separate timestamp, but the timestamp seemed to be more robust. I forget the full reasoning though. — Justin On Feb 26, 2016, at 9:49 AM, Brock Allen <brockal...@gmail.com> wrote: Question about the HTTP signing spec – why is there no nonce (and just a timestamp)? TIA -Brock _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
