I understand how they work, I’ve built exactly that cache before. But I 
ask: wouldn’t a unique timestamp have the same effect? Currently it’s integer 
seconds but slicing that down further (floating point seconds?) if people 
desired would allow for multiple signed messages in the same second from the 
same client using the otherwise same parameters. 

“Other protocols do it” is not a compelling reason on its own, especially when 
the example of “other protocols” includes WS-* ;)

Seriously though, an optional nonce is easy to add to the draft if there’s 
enough WG support, I’m just hesitant to add more complexity than needed to this.

 — Justin

> On Feb 26, 2016, at 11:06 PM, Dominick Baier <dba...@leastprivilege.com> 
> wrote:
> 
> The nonce would allow to build a replay cache, the timestamp to trim that 
> cache and reject messages that are too old.
> 
> Similar protocols have a nonce for the above reasons (ws-sec msg security, 
> hawk)...
> 
> — 
> cheers
> Dominick Baier
> 
> On 27 February 2016 at 03:48:00, Justin Richer (jric...@mit.edu 
> <mailto:jric...@mit.edu>) wrote:
> 
>> I’d be glad to add in a nonce if there’s a compelling reason for it, such as 
>> closing a security attack vector.
>> 
>> What’s the proposed purpose of the nonce? Is it just to add randomness to 
>> the signing base? Or is it to prevent replay at the RS? If the former, the 
>> timestamp should add enough of that and it can be verified to be within a 
>> reasonable window by the RS by comparing it with the time the request was 
>> made. If the latter, the RS is going to have to track previously used nonces 
>> for some amount of time. 
>> 
>> There was a small discussion of just signing an outgoing “Date:” header 
>> instead of the separate timestamp, but the timestamp seemed to be more 
>> robust. I forget the full reasoning though.
>> 
>>  — Justin
>> 
>>> On Feb 26, 2016, at 9:49 AM, Brock Allen <brockal...@gmail.com 
>>> <mailto:brockal...@gmail.com>> wrote:
>>> 
>>> Question about the HTTP signing spec – why is there no nonce (and just a 
>>> timestamp)?
>>>  
>>> TIA
>>>  
>>> -Brock
>>>  
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
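The two designs argued over in this thread (a nonce plus a timestamp that trims the replay cache, versus a timestamp alone that must be unique per client) can be compared in a few lines. The following is an added illustration written for this page, not code from the thread or from the signed-HTTP-request draft; the 300-second skew window, the `ReplayGuard` class, and the `client_id`/`nonce` parameter names are assumptions made for the example. It shows the nonce mode accepting two requests in the same second, rejecting an exact replay, and dropping dead cache entries once they fall outside the window, and it shows the timestamp-only mode colliding on integer seconds unless the timestamp is made finer, which is the point Justin raises above.

```python
import time

# Constructed example of the replay cache discussed in the thread: the RS
# remembers (client, nonce) pairs it has already accepted, rejects a repeat,
# and uses the signed timestamp both to refuse stale requests and to trim the
# cache. The window size and all names here are assumptions, not draft values.

MAX_SKEW_SECONDS = 300  # assumption: allowed drift between signed timestamp and RS clock


class ReplayGuard:
    """Replay cache keyed by (client, nonce), or by (client, timestamp) when
    the protocol carries no nonce and relies on timestamp uniqueness."""

    def __init__(self, max_skew=MAX_SKEW_SECONDS):
        self.max_skew = max_skew
        self._seen = {}  # key -> signed timestamp of the accepted request

    def _trim(self, now):
        # A request whose timestamp is older than the window would be rejected
        # as stale anyway, so its cache entry can never matter again: drop it.
        cutoff = now - self.max_skew
        for key in [k for k, ts in self._seen.items() if ts < cutoff]:
            del self._seen[key]

    def cache_size(self):
        return len(self._seen)

    def check(self, client_id, timestamp, nonce=None, now=None):
        """Return (accepted, reason). The caller must verify the signature
        first; a replay check on an unauthenticated message proves nothing."""
        now = time.time() if now is None else now
        self._trim(now)
        if abs(now - timestamp) > self.max_skew:
            return False, "stale"
        # Without a nonce, the timestamp itself is the only uniqueness source.
        key = (client_id, nonce if nonce is not None else timestamp)
        if key in self._seen:
            return False, "replay"
        self._seen[key] = timestamp
        return True, "ok"


def demo():
    """Walk through both designs with constructed clock values."""
    now = 1_456_560_000  # constructed 'current time', integer seconds
    results = []

    g = ReplayGuard()
    results.append(g.check("client-a", now, nonce="n1", now=now)[1])        # ok
    results.append(g.check("client-a", now, nonce="n1", now=now)[1])        # replay
    results.append(g.check("client-a", now, nonce="n2", now=now)[1])        # ok: same second, new nonce
    results.append(g.check("client-a", now, nonce="n1", now=now + 600)[1])  # stale: window closed
    results.append(g.cache_size())                                          # 0: trimmed

    t = ReplayGuard()  # timestamp-only mode, as in the current draft text
    results.append(t.check("client-b", now, now=now)[1])        # ok
    results.append(t.check("client-b", now, now=now)[1])        # replay: integer-second collision
    results.append(t.check("client-b", now + 0.5, now=now)[1])  # ok: sub-second timestamp
    return results


if __name__ == "__main__":
    print(demo())
```

The trim step is what the timestamp buys the RS in the nonce design: nothing older than the window can be accepted, so the cache is bounded by the window length times the request rate, not by the lifetime of the key. In timestamp-only mode the cache has the same bound but the client is the one forced to guarantee uniqueness, which is exactly the floating-point-seconds question raised above.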