On Jun 8, 2009, at 15:50, Allen Tom wrote:

6) Pull the replay warning into its own bullet, and mention the use of a timestamp to bound the time nonces must be stored for.
[atom] Also a good point. On a related note, many large globally distributed RPs may have a hard time implementing nonces as per the OpenID spec, as it's technically tricky to globally replicate data, especially if it needs to be replicated very quickly. In practice, RPs may only find it practical to verify that the timestamp is "current" as opposed to actually verifying that the nonce can only be used once.

In this case, do these mythical "globally distributed RPs" have a better approach for avoiding replay attacks, or do they simply swallow that risk because no better approach is known?

Just wondering ...





Johannes Ernst
NetMesh Inc.

 http://netmesh.info/jernst
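The replay check the thread is discussing, as an added example that is not code from the thread or from any OpenID library: it parses an OpenID 2.0 response_nonce, whose leading UTC timestamp ("YYYY-MM-DDThh:mm:ssZ", per the spec) bounds how long seen nonces must be kept, and a timestamp_only switch reproduces the degraded "is the timestamp current?" mode Allen describes so the difference is visible. The five-minute window and the OP endpoint values are assumptions.

```python
"""Bounded nonce store for OpenID 2.0 response_nonce replay protection (added example)."""
from datetime import datetime, timedelta, timezone

NONCE_FORMAT = "%Y-%m-%dT%H:%M:%SZ"   # timestamp prefix mandated by OpenID 2.0
TS_LEN = 20                           # len("2009-06-08T15:50:00Z")
WINDOW = timedelta(minutes=5)         # assumed acceptance window, not from the spec


class NonceStore:
    """Accept a (op_endpoint, nonce) pair at most once within WINDOW.

    Nonces older than the window are evicted, so storage is bounded by the
    window times the response rate rather than growing forever.
    """

    def __init__(self, window=WINDOW, timestamp_only=False):
        self.window = window
        self.timestamp_only = timestamp_only   # True = the degraded RP behaviour
        self._seen = {}                        # (op_endpoint, nonce) -> timestamp

    def __len__(self):
        return len(self._seen)

    def _evict(self, now):
        cutoff = now - self.window
        for key, ts in list(self._seen.items()):
            if ts < cutoff:
                del self._seen[key]

    def check(self, op_endpoint, nonce, now=None):
        """Return True iff the nonce is current and (unless timestamp_only) unused."""
        now = now or datetime.now(timezone.utc)
        if not TS_LEN <= len(nonce) <= 255:
            return False
        try:
            ts = datetime.strptime(nonce[:TS_LEN], NONCE_FORMAT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False
        if abs(now - ts) > self.window:
            return False                        # stale (or too far in the future)
        if self.timestamp_only:
            return True                         # replays inside the window pass
        self._evict(now)
        key = (op_endpoint, nonce)              # nonces are only unique per OP
        if key in self._seen:
            return False                        # replay detected
        self._seen[key] = ts
        return True
```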



_______________________________________________
security mailing list
[email protected]
http://openid.net/mailman/listinfo/security
